-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding test for network policy regex #517
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ import ( | |
"log" | ||
"os" | ||
"runtime" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
||
|
@@ -1933,6 +1934,169 @@ func TestSuspendScanSettingDoesNotCreateScan(t *testing.T) { | |
} | ||
} | ||
|
||
func TestConfigureNetworkPolicy(t *testing.T) { | ||
f := framework.Global | ||
suiteName := "test-configure-network-policy" | ||
suiteNameNoPass := "test-configure-network-policy-no-pass" | ||
variableName := "ocp4-var-network-policies-namespaces-exempt-regex" | ||
// Create a dummy namespace to test the network policy | ||
ns := &corev1.Namespace{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "test-configure-network-policy", | ||
}, | ||
} | ||
err := f.Client.Create(context.TODO(), ns, nil) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer f.Client.Delete(context.TODO(), ns) | ||
|
||
err = f.AssertVariableExists(variableName, f.OperatorNamespace) | ||
if err != nil { | ||
t.Skip("Content doesn't have variable '%s' required for testing", variableName) | ||
return | ||
} | ||
|
||
nsList := corev1.NamespaceList{} | ||
err = f.Client.List(context.TODO(), &nsList) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
regextValue := "" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: |
||
|
||
for _, ns := range nsList.Items { | ||
if strings.HasPrefix(ns.Name, "openshift-") || strings.HasPrefix(ns.Name, "kube-") { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Note for reviewers: We don't need to add these to the regular expression explicitly since we've baked that into the rule. |
||
continue | ||
} | ||
regextValue = regextValue + ns.Name + "|" | ||
} | ||
|
||
regextValue = regextValue + ns.ObjectMeta.Name | ||
|
||
tp := &compv1alpha1.TailoredProfile{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: Similar naming comment as above with the suites (could do something like Then on line 2010, something like |
||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: suiteName, | ||
Namespace: f.OperatorNamespace, | ||
}, | ||
Spec: compv1alpha1.TailoredProfileSpec{ | ||
Title: "test-configure-network-policy", | ||
Description: "A test tailored profile to test configure network policy", | ||
EnableRules: []compv1alpha1.RuleReferenceSpec{ | ||
{ | ||
Name: "ocp4-configure-network-policies-namespaces", | ||
Rationale: "To be tested", | ||
}, | ||
{ | ||
Name: "ocp4-version-detect-in-ocp", | ||
Rationale: "To be tested", | ||
}, | ||
}, | ||
SetValues: []compv1alpha1.VariableValueSpec{ | ||
{ | ||
Name: variableName, | ||
Rationale: "Value to be set", | ||
Value: regextValue, | ||
}, | ||
}, | ||
}, | ||
} | ||
createTPErr := f.Client.Create(context.TODO(), tp, nil) | ||
if createTPErr != nil { | ||
t.Fatal(createTPErr) | ||
} | ||
defer f.Client.Delete(context.TODO(), tp) | ||
|
||
tpNoPass := &compv1alpha1.TailoredProfile{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: suiteNameNoPass, | ||
Namespace: f.OperatorNamespace, | ||
}, | ||
Spec: compv1alpha1.TailoredProfileSpec{ | ||
Title: "test-configure-network-policy-no-pass", | ||
Description: "A test tailored profile to test configure network policy", | ||
EnableRules: []compv1alpha1.RuleReferenceSpec{ | ||
{ | ||
Name: "ocp4-configure-network-policies-namespaces", | ||
Rationale: "To be tested", | ||
}, | ||
{ | ||
Name: "ocp4-version-detect-in-ocp", | ||
Rationale: "To be tested", | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
createTPErr = f.Client.Create(context.TODO(), tpNoPass, nil) | ||
if createTPErr != nil { | ||
t.Fatal(createTPErr) | ||
} | ||
defer f.Client.Delete(context.TODO(), tpNoPass) | ||
|
||
ssb := &compv1alpha1.ScanSettingBinding{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: Similar naming comment as above. |
||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: suiteName, | ||
Namespace: f.OperatorNamespace, | ||
}, | ||
Profiles: []compv1alpha1.NamedObjectReference{ | ||
{ | ||
APIGroup: "compliance.openshift.io/v1alpha1", | ||
Kind: "TailoredProfile", | ||
Name: suiteName, | ||
}, | ||
}, | ||
SettingsRef: &compv1alpha1.NamedObjectReference{ | ||
APIGroup: "compliance.openshift.io/v1alpha1", | ||
Kind: "ScanSetting", | ||
Name: "default", | ||
}, | ||
} | ||
|
||
err = f.Client.Create(context.TODO(), ssb, nil) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer f.Client.Delete(context.TODO(), ssb) | ||
|
||
ssbNoPass := &compv1alpha1.ScanSettingBinding{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: Similar naming comment as above. |
||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: suiteNameNoPass, | ||
Namespace: f.OperatorNamespace, | ||
}, | ||
Profiles: []compv1alpha1.NamedObjectReference{ | ||
{ | ||
APIGroup: "compliance.openshift.io/v1alpha1", | ||
Kind: "TailoredProfile", | ||
Name: suiteNameNoPass, | ||
}, | ||
}, | ||
SettingsRef: &compv1alpha1.NamedObjectReference{ | ||
APIGroup: "compliance.openshift.io/v1alpha1", | ||
Kind: "ScanSetting", | ||
Name: "default", | ||
}, | ||
} | ||
|
||
err = f.Client.Create(context.TODO(), ssbNoPass, nil) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer f.Client.Delete(context.TODO(), ssbNoPass) | ||
|
||
// Ensure that all the scans in the suite have finished and are marked as Done | ||
err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant) | ||
yuumasato marked this conversation as resolved.
Show resolved
Hide resolved
|
||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteNameNoPass, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
} | ||
|
||
//testExecution{ | ||
// Name: "TestNodeSchedulingErrorFailsTheScan", | ||
// IsParallel: false, | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: We could use
suiteNameCompliant
andsuiteNameNonCompliant
to distinguish these and align them closer to their status asserted towards the end of the test.