Add keystone ingress netpol

Change-Id: I75874b475039c1f7469f11e02e2231254cc9d8ca Signed-off-by: Huang, Sophie (sh879n) <sh879n@att.com>
2019-09-12 17:06:05 -05:00 · 2019-09-12 17:06:05 -05:00 · 313fe0ca3e
commit 313fe0ca3e
parent d2abe39d49
3 changed files with 77 additions and 68 deletions
--- a/keystone/values_overrides/netpol.yaml
+++ b/keystone/values_overrides/netpol.yaml
@ -1,73 +1,68 @@
 manifests:
  network_policy: true
-#NOTE(gagehugo): Test the below whitelist after netpol gate works
+network_policy:
-#network_policy:
+  keystone:
-#  keystone:
+    ingress:
-#    ingress:
+      - from:
-#      - from:
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: ceph
-#              application: ceph
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: ingress
-#              application: ingress
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: keystone
-#              application: keystone
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: heat
-#              application: heat
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: glance
-#              application: glance
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: cinder
-#              application: cinder
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: congress
-#              application: congress
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: barbican
-#              application: barbican
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: ceilometer
-#              application: ceilometer
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: horizon
-#              application: horizon
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: ironic
-#              application: ironic
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: magnum
-#              application: magnum
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: mistral
-#              application: mistral
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: nova
-#              application: nova
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: neutron
-#              application: neutron
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: senlin
-#              application: senlin
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: placement
-#              application: placement
+        - podSelector:
-#        - podSelector:
+            matchLabels:
-#            matchLabels:
+              application: prometheus-openstack-exporter
-#              application: prometheus-openstack-exporter
+        ports:
-#        ports:
+        - protocol: TCP
-#        - protocol: TCP
+          port: 5000
-#          port: 80
+        - protocol: TCP
-#        - protocol: TCP
+          port: 35357
 #          port: 443
 #        - protocol: TCP
 #          port: 5000
 #        - protocol: TCP
 #          port: 35357
 #    egress:
 #      - to:
 #        - namespaceSelector:
--- a/tools/deployment/common/test-networkpolicy.sh
+++ b/tools/deployment/common/test-networkpolicy.sh
@ -43,15 +43,22 @@ function test_netpol {
 #test_netpol openstack mariadb server rabbitmq.openstack.svc.cluster.local:5672 fail
 #test_netpol openstack rabbitmq-rabbitmq server memcached.openstack.svc.cluster.local:11211 fail
 #test_netpol openstack memcached server mariadb.openstack.svc.cluster.local:3306 fail
 test_netpol openstack mariadb server keystone-api.openstack.svc.cluster.local:5000 fail
 test_netpol openstack mariadb ingress keystone-api.openstack.svc.cluster.local:5000 fail
 test_netpol openstack memcached server keystone-api.openstack.svc.cluster.local:5000 fail
 test_netpol openstack rabbitmq server keystone-api.openstack.svc.cluster.local:5000 fail
 # Doing positive tests
 test_netpol openstack keystone api mariadb.openstack.svc.cluster.local:3306 success
 test_netpol openstack keystone api rabbitmq.openstack.svc.cluster.local:5672 success
 test_netpol openstack ingress server keystone-api.openstack.svc.cluster.local:5000 success
 test_netpol openstack prometheus-openstack-exporter exporter keystone-api.openstack.svc.cluster.local:5000 success
 if kubectl -n openstack get pod -l application=cinder | grep Running ; then
 # Negative Cinder Tests
  #test_netpol openstack keystone api cinder-api.openstack.svc.cluster.local fail
 # Positive Cinder Tests
  test_netpol openstack cinder api rabbitmq.openstack.svc.cluster.local:5672 success
  test_netpol openstack cinder api keystone-api.openstack.svc.cluster.local:5000 success
 else
 # Negative Compute-Kit Tests
  #test_netpol openstack keystone api heat-api.openstack.svc.cluster.local fail
@ -59,6 +66,12 @@ else
 # Positive Compute-Kit Tests
  test_netpol openstack heat api mariadb.openstack.svc.cluster.local:3306 success
  test_netpol openstack glance api mariadb.openstack.svc.cluster.local:3306 success
  test_netpol openstack heat api keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack glance api keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack horizon server keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack nova os-api keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack nova compute keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack neutron l3-agent keystone-api.openstack.svc.cluster.local:5000 success
 fi
 echo Test Success
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
@ -289,6 +289,7 @@
        - ./tools/deployment/component/nfs-provisioner/nfs-provisioner.sh
        - ./tools/deployment/component/keystone/keystone.sh
        - ./tools/deployment/component/heat/heat.sh
        - ./tools/deployment/component/horizon/horizon.sh
        - ./tools/deployment/component/glance/glance.sh
        - ./tools/deployment/component/compute-kit/openvswitch.sh
        - ./tools/deployment/component/compute-kit/libvirt.sh