
Commit 66e8615

committed
Address review comments
1 parent 333c04b commit 66e8615



7 files changed

+88
-7
lines changed

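--- a/manifests/0000_70_dns-operator_00-cluster-role.yaml
+++ b/manifests/0000_70_dns-operator_00-cluster-role.yaml
@@ -145,5 +145,9 @@ rules:
 resources:
 - networkpolicies
 verbs:
-- "*"
-
+- get
+- list
+- create
+- update
+- watch
+- delete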
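Review bot: The explicit verb list that replaces `"*"` on the networkpolicies rule drops `patch` and `deletecollection`, so any reconciler path that applies network policies with `client.Patch` or server-side apply would now be forbidden; confirm against the operator's networkpolicy reconciliation code before merging. The identical list is added to the namespaced role in manifests/0000_70_dns-operator_01-role.yaml, which already grants the write verbs in the operator's own namespace. Given that, it is worth asking whether the cluster-scoped rule needs `create`/`update`/`delete` at all or could be reduced to `get`/`list`/`watch`, with writes granted per namespace (openshift-dns as well); the rest of the rule is outside this hunk, so this is a question rather than a defect.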

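--- a/manifests/0000_70_dns-operator_01-network-policy.yaml
+++ b/manifests/0000_70_dns-operator_01-network-policy.yaml
@@ -38,6 +38,13 @@ spec:
 port: 53
 - protocol: UDP
 port: 53
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-apiserver
+- podSelector:
+matchLabels:
+apiserver: "true"
 ingress:
 - from:
 - namespaceSelector: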
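Review bot: The two new egress peers are separate list items (`- namespaceSelector:` and `- podSelector:`), which NetworkPolicy evaluates as OR: the first admits egress to every pod in openshift-apiserver, and the second matches pods labelled `apiserver: "true"` in the policy's own namespace rather than in openshift-apiserver. If the intent is "only the apiserver pods in that namespace", the podSelector has to live in the same peer, i.e. `- namespaceSelector:` followed by `podSelector:` at the same indentation as `namespaceSelector` and without its own `-`. The rule also has no `ports:` entry, so it admits any port; restricting it to the apiserver's serving port, as the adjacent DNS rules do with `port: 53`, keeps the allow minimal. Indentation is lost in this rendering, so verify the nesting in the file itself.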

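--- a/manifests/0000_70_dns-operator_01-role.yaml
+++ b/manifests/0000_70_dns-operator_01-role.yaml
@@ -33,4 +33,9 @@ rules:
 resources:
 - networkpolicies
 verbs:
-- "*"
+- get
+- list
+- create
+- update
+- watch
+- delete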

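--- a/pkg/manifests/assets/dns/networkpolicy-allow.yaml
+++ b/pkg/manifests/assets/dns/networkpolicy-allow.yaml
@@ -32,8 +32,8 @@ spec:
 from:
 - namespaceSelector:
 matchLabels:
-kubernetes.io/metadata.name: openshift-dns-operatorXXX
-kubernetes.io/metadata.name: openshift-dnsXXX
+kubernetes.io/metadata.name: openshift-dns-operator
+kubernetes.io/metadata.name: openshift-dns
 egress:
 - to:
 - ipBlock: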
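Review bot: New-side lines 35 and 36 place two `kubernetes.io/metadata.name` entries under one `matchLabels:` map, which is a duplicate YAML key: strict decoders reject the document and lenient ones keep a single value, so one of openshift-dns-operator or openshift-dns silently falls outside the ingress allow. If both namespaces are intended, use two `- namespaceSelector:` peers, or a single peer with `matchExpressions:` such as `- key: kubernetes.io/metadata.name`, `operator: In`, `values: [openshift-dns-operator, openshift-dns]`. Indentation is not preserved in this rendering, so confirm the nesting in the file before changing it.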

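--- a/pkg/operator/controller/status/controller.go
+++ b/pkg/operator/controller/status/controller.go
@@ -136,11 +136,18 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 Resource: "dnses",
 Name: "default",
 },
+{
+Resource: "networkpolicies",
+Namespace: r.Config.OperatorNamespace,
+},
 }
 if state.haveNamespace {
 related = append(related, configv1.ObjectReference{
 Resource: "namespaces",
 Name: state.namespace.Name,
+}, configv1.ObjectReference{
+Resource: "networkpolicies",
+Namespace: state.namespace.Name,
 })
 }
 co.Status.RelatedObjects = related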
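Review bot: Both added `networkpolicies` references set `Namespace` but no `Name`, unlike the neighbouring `dnses` and `namespaces` entries, and nothing explains that this is deliberate. Presumably the aim is to reference every policy in each namespace rather than a specific one; a one-line comment above the first new entry, `// No Name: refer to all network policies in the namespace, not a single object.`, would stop a later reader from "fixing" it by adding a name. The enclosing Reconcile function starts outside the hunk.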

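--- a/test/e2e/operator_test.go
+++ b/test/e2e/operator_test.go
@@ -123,10 +123,18 @@ func TestClusterOperatorStatusRelatedObjects(t *testing.T) {
 Resource: "dnses",
 Name: "default",
 },
+{
+Resource: "networkpolicies",
+Namespace: "openshift-dns-operator",
+},
 {
 Resource: "namespaces",
 Name: "openshift-dns",
 },
+{
+Resource: "networkpolicies",
+Namespace: "openshift-dns",
+},
 }
 err = wait.PollImmediate(1*time.Second, 5*time.Minute, func() (bool, error) {
 co := &configv1.ClusterOperator{}
@@ -533,6 +541,17 @@ func TestDNSForwarding(t *testing.T) {
 t.Fatalf("version %s not found for clusteroperator %s", statuscontroller.CoreDNSVersionName, opName)
 }
 
+// Create the test pod network policy.
+testPodNetworkPolicy := buildTestPodNetworkPolicy(types.NamespacedName{Name: "test-upstream-allow", Namespace: upstreamPodNs})
+if err := cl.Create(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to create network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+defer func() {
+if err := cl.Delete(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to delete network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+}()
+
 // Create the upstream resolver Pod.
 upstreamResolver := upstreamPod(upstreamPodName, upstreamPodNs, coreImage, upstreamPodName)
 if err := cl.Create(context.TODO(), upstreamResolver); err != nil {
@@ -804,6 +823,17 @@ func TestDNSOverTLSForwarding(t *testing.T) {
 t.Fatalf("version %s not found for clusteroperator %s", statuscontroller.OpenshiftCLIVersionName, opName)
 }
 
+// Create the test pod network policy.
+testPodNetworkPolicy := buildTestPodNetworkPolicy(types.NamespacedName{Name: "test-upstream-tls-allow", Namespace: upstreamPodNs})
+if err := cl.Create(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to create network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+defer func() {
+if err := cl.Delete(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to delete network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+}()
+
 // Create the upstream resolver Pods and the client pod
 upstreamResolver := upstreamTLSPod(tlsUpstreamName, tlsUpstreamNamespace.Name, coreImage, upstreamTLSConfigMap)
 if err := cl.Create(context.TODO(), upstreamResolver); err != nil {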
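Review bot: The eleven lines that create `testPodNetworkPolicy` and defer its deletion in TestDNSForwarding are repeated verbatim in TestDNSOverTLSForwarding, differing only in the policy name, so they belong in one helper that registers the teardown with `t.Cleanup` instead of a deferred closure. The deferred `cl.Delete` also treats a not-found error as fatal, which turns an already-removed policy (for example when another cleanup tears the namespace down first) into a spurious test failure; ignoring not-found and reporting other errors with `t.Errorf` is the usual shape for cleanup. The sketch below assumes `cl` is the package-level client and that `client.IgnoreNotFound` from controller-runtime is importable here; each test then reduces to `createTestPodNetworkPolicy(t, types.NamespacedName{Name: "test-upstream-allow", Namespace: upstreamPodNs})`. Both enclosing test functions start outside the hunks.
```go
// createTestPodNetworkPolicy creates the permissive test-pod network policy
// and removes it when the test finishes.
func createTestPodNetworkPolicy(t *testing.T, name types.NamespacedName) {
	t.Helper()
	np := buildTestPodNetworkPolicy(name)
	if err := cl.Create(context.TODO(), np); err != nil {
		t.Fatalf("failed to create network policy %s/%s: %v", np.Namespace, np.Name, err)
	}
	t.Cleanup(func() {
		if err := cl.Delete(context.TODO(), np); client.IgnoreNotFound(err) != nil {
			t.Errorf("failed to delete network policy %s/%s: %v", np.Namespace, np.Name, err)
		}
	})
}
```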

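--- a/test/e2e/utils.go
+++ b/test/e2e/utils.go
@@ -28,6 +28,7 @@ import (
 
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkingv1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -236,7 +237,10 @@ func upstreamPod(name, ns, image, cfgMap string) *corev1.Pod {
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
-Labels: map[string]string{"test": "upstream"},
+Labels: map[string]string{
+"test": "upstream",
+"type": "test-pod",
+},
 },
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{cfgVol},
@@ -297,6 +301,7 @@ func buildPod(name, ns, image string, cmd []string) *corev1.Pod {
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
+Labels: map[string]string{"type": "test-pod"},
 },
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{container},
@@ -433,7 +438,10 @@ func upstreamTLSPod(name, ns, image string, configMap *corev1.ConfigMap) *corev1
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
-Labels: map[string]string{"test": "upstream-tls"},
+Labels: map[string]string{
+"test": "upstream-tls",
+"type": "test-pod",
+},
 },
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{volume},
@@ -585,3 +593,23 @@ func lookForSubStringsInPodLogOneShot(ns, pod, container string, expectedStrings
 slicedResultToString := strings.Join(slicedResult, " ")
 return checkSubStrings(slicedResultToString, expectedStrings)
 }
+
+func buildTestPodNetworkPolicy(name types.NamespacedName) *networkingv1.NetworkPolicy {
+return &networkingv1.NetworkPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Namespace: name.Namespace,
+Name: name.Name,
+},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"type": "test-pod"},
+},
+Ingress: []networkingv1.NetworkPolicyIngressRule{{
+From: []networkingv1.NetworkPolicyPeer{{IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}}},
+}},
+Egress: []networkingv1.NetworkPolicyEgressRule{{
+To: []networkingv1.NetworkPolicyPeer{{IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}}},
+}},
+},
+}
+}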
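Review bot: `buildTestPodNetworkPolicy` allows ingress and egress only for `0.0.0.0/0`, which an ipBlock matches against IPv4 addresses alone, so on an IPv6-only or dual-stack cluster the pods it selects get no IPv6 traffic and the forwarding tests would fail for a reason unrelated to DNS. Add a second peer to both rules, `{IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}}`, alongside the IPv4 one. The function also lacks a doc comment; `// buildTestPodNetworkPolicy returns a NetworkPolicy that permits all ingress and egress to any address for pods labelled type=test-pod in name.Namespace.` states the contract. It uses `types.NamespacedName`, which the import hunk does not add, so that package is presumably imported further up the file; worth a quick check.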
