
Commit d30b60b

committed
Address review comments
1 parent 333c04b commit d30b60b

7 files changed

+80
-7
lines changed


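--- a/manifests/0000_70_dns-operator_00-cluster-role.yaml
+++ b/manifests/0000_70_dns-operator_00-cluster-role.yaml
@@ -145,5 +145,9 @@ rules:
 resources:
 - networkpolicies
 verbs:
-- "*"
-
+- get
+- list
+- create
+- update
+- watch
+- delete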
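Review bot: The explicit verb list is a real narrowing over `"*"`, but the same six verbs are granted cluster-wide here and again namespace-scoped in manifests/0000_70_dns-operator_01-role.yaml, and the related-object change in pkg/operator/controller/status/controller.go suggests the operator manages NetworkPolicies in exactly two namespaces (its own and the DNS namespace). If that is the full set, a Role/RoleBinding in the DNS namespace instead of this ClusterRole entry would keep a leaked operator token from creating or deleting NetworkPolicies in arbitrary namespaces. The list also omits `patch`; if the controller ever updates through Patch or server-side apply (not visible here) RBAC would reject it, so a short comment naming the verbs the reconciler relies on would help future edits. Indentation is not visible in this rendering, so the rule structure is inferred.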

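--- a/manifests/0000_70_dns-operator_01-network-policy.yaml
+++ b/manifests/0000_70_dns-operator_01-network-policy.yaml
@@ -38,6 +38,13 @@ spec:
 port: 53
 - protocol: UDP
 port: 53
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-apiserver
+- podSelector:
+matchLabels:
+apiserver: "true"
 ingress:
 - from:
 - namespaceSelector: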
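Review bot: The new egress rule lists `- namespaceSelector:` and `- podSelector:` as two separate peers (both carry a leading dash), so it allows egress to every pod in openshift-apiserver OR to any pod labeled `apiserver: "true"` in the policy's own namespace, rather than only the apiserver pods in that namespace. To AND the two selectors they must sit in one peer: drop the dash so `podSelector:` is a sibling key of `namespaceSelector:` under the same list item. The rule also has no `ports:` entry, unlike the port-53 rules above it, so every port on the matched pods is reachable; if only the API port is needed, a `ports:` list would narrow it. Indentation is lost in this rendering, so confirm the nesting against the source file.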

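--- a/manifests/0000_70_dns-operator_01-role.yaml
+++ b/manifests/0000_70_dns-operator_01-role.yaml
@@ -33,4 +33,9 @@ rules:
 resources:
 - networkpolicies
 verbs:
-- "*"
+- get
+- list
+- create
+- update
+- watch
+- delete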

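--- a/pkg/manifests/assets/dns/networkpolicy-allow.yaml
+++ b/pkg/manifests/assets/dns/networkpolicy-allow.yaml
@@ -32,8 +32,8 @@ spec:
 from:
 - namespaceSelector:
 matchLabels:
-kubernetes.io/metadata.name: openshift-dns-operatorXXX
-kubernetes.io/metadata.name: openshift-dnsXXX
+kubernetes.io/metadata.name: openshift-dns-operator
+kubernetes.io/metadata.name: openshift-dns
 egress:
 - to:
 - ipBlock: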
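Review bot: Dropping the `XXX` suffixes is the right fix, but as rendered lines 35 and 36 are two `kubernetes.io/metadata.name` keys under the single `matchLabels` map of one `- namespaceSelector:` peer; a YAML map holds a key once, so after decoding only one of the two namespaces remains in the selector (strict decoders reject the duplicate outright), and ingress from the other namespace is silently not allowed. If both openshift-dns-operator and openshift-dns should be permitted, each needs its own `- namespaceSelector:` peer with a single `matchLabels` entry. Indentation is not visible here, so this is inferred from the visible line order; please confirm against the file.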

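--- a/pkg/operator/controller/status/controller.go
+++ b/pkg/operator/controller/status/controller.go
@@ -136,11 +136,18 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 Resource: "dnses",
 Name: "default",
 },
+{
+Resource: "networkpolicies",
+Namespace: r.Config.OperatorNamespace,
+},
 }
 if state.haveNamespace {
 related = append(related, configv1.ObjectReference{
 Resource: "namespaces",
 Name: state.namespace.Name,
+}, configv1.ObjectReference{
+Resource: "networkpolicies",
+Namespace: state.namespace.Name,
 })
 }
 co.Status.RelatedObjects = related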
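Review bot: Both new `configv1.ObjectReference` entries set `Resource: "networkpolicies"` without a `Group`; NetworkPolicy lives in `networking.k8s.io`, and an empty Group denotes the core API group where no such resource exists, so tooling that resolves RelatedObjects may fail to collect them. Adding `Group: "networking.k8s.io",` to the literal at 139-142 and to the appended one at 148-150 would fix that (the `dnses` entry above may set Group on a line outside the hunk; match whatever convention it uses). Leaving `Name` empty presumably means "all NetworkPolicies in that namespace"; a one-line comment saying so would help. `Reconcile` begins and ends outside this hunk.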

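--- a/test/e2e/operator_test.go
+++ b/test/e2e/operator_test.go
@@ -533,6 +533,17 @@ func TestDNSForwarding(t *testing.T) {
 t.Fatalf("version %s not found for clusteroperator %s", statuscontroller.CoreDNSVersionName, opName)
 }
 
+// Create the test pod network policy.
+testPodNetworkPolicy := buildTestPodNetworkPolicy(types.NamespacedName{Name: "test-upstream-allow", Namespace: upstreamPodNs})
+if err := cl.Create(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to create network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+defer func() {
+if err := cl.Delete(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to delete network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+}()
+
 // Create the upstream resolver Pod.
 upstreamResolver := upstreamPod(upstreamPodName, upstreamPodNs, coreImage, upstreamPodName)
 if err := cl.Create(context.TODO(), upstreamResolver); err != nil {
@@ -804,6 +815,17 @@ func TestDNSOverTLSForwarding(t *testing.T) {
 t.Fatalf("version %s not found for clusteroperator %s", statuscontroller.OpenshiftCLIVersionName, opName)
 }
 
+// Create the test pod network policy.
+testPodNetworkPolicy := buildTestPodNetworkPolicy(types.NamespacedName{Name: "test-upstream-tls-allow", Namespace: upstreamPodNs})
+if err := cl.Create(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to create network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+defer func() {
+if err := cl.Delete(context.TODO(), testPodNetworkPolicy); err != nil {
+t.Fatalf("failed to delete network policy %s/%s: %v", testPodNetworkPolicy.Namespace, testPodNetworkPolicy.Name, err)
+}
+}()
+
 // Create the upstream resolver Pods and the client pod
 upstreamResolver := upstreamTLSPod(tlsUpstreamName, tlsUpstreamNamespace.Name, coreImage, upstreamTLSConfigMap)
 if err := cl.Create(context.TODO(), upstreamResolver); err != nil {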
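Review bot: The create-and-deferred-delete block at 536-545 is repeated verbatim at 818-827 in TestDNSOverTLSForwarding, differing only in the policy name; a small helper that creates the policy and registers its removal would remove the duplication. Registering the removal with `t.Cleanup(func() { ... })` instead of `defer func() { ... }()` is the idiomatic form in tests, and inside that cleanup `t.Errorf("failed to delete network policy %s/%s: %v", ...)` rather than `t.Fatalf` reports a leftover policy without aborting the remaining cleanups, which matters here because a policy that survives the test keeps granting the allow-all rules to any later pod labeled type=test-pod in that namespace. `TestDNSForwarding` and `TestDNSOverTLSForwarding` both begin and end outside these hunks.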

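--- a/test/e2e/utils.go
+++ b/test/e2e/utils.go
@@ -28,6 +28,7 @@ import (
 
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkingv1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -236,7 +237,10 @@ func upstreamPod(name, ns, image, cfgMap string) *corev1.Pod {
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
-Labels: map[string]string{"test": "upstream"},
+Labels: map[string]string{
+"test": "upstream",
+"type": "test-pod",
+},
 },
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{cfgVol},
@@ -297,6 +301,7 @@ func buildPod(name, ns, image string, cmd []string) *corev1.Pod {
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
+Labels: map[string]string{"type": "test-pod"},
 },
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{container},
@@ -433,7 +438,10 @@ func upstreamTLSPod(name, ns, image string, configMap *corev1.ConfigMap) *corev1
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Namespace: ns,
-Labels: map[string]string{"test": "upstream-tls"},
+Labels: map[string]string{
+"test": "upstream-tls",
+"type": "test-pod",
+},
 },
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{volume},
@@ -585,3 +593,23 @@ func lookForSubStringsInPodLogOneShot(ns, pod, container string, expectedStrings
 slicedResultToString := strings.Join(slicedResult, " ")
 return checkSubStrings(slicedResultToString, expectedStrings)
 }
+
+func buildTestPodNetworkPolicy(name types.NamespacedName) *networkingv1.NetworkPolicy {
+return &networkingv1.NetworkPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Namespace: name.Namespace,
+Name: name.Name,
+},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"type": "test-pod"},
+},
+Ingress: []networkingv1.NetworkPolicyIngressRule{{
+From: []networkingv1.NetworkPolicyPeer{{IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}}},
+}},
+Egress: []networkingv1.NetworkPolicyEgressRule{{
+To: []networkingv1.NetworkPolicyPeer{{IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}}},
+}},
+},
+}
+}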
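Review bot: `buildTestPodNetworkPolicy` is a new exported-style helper without a doc comment; suggest `// buildTestPodNetworkPolicy returns a NetworkPolicy that allows all IPv4 ingress and egress for pods labeled type=test-pod in name.Namespace.` The allow-all peers use only `0.0.0.0/0`, which matches no IPv6 address, so on single-stack IPv6 or dual-stack clusters the test pods would remain isolated for IPv6 traffic; if the suite runs there, add a second peer `{IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}}` to both the From and To lists. Setting `PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}` explicitly would state the intent rather than relying on the API server inferring Egress from the non-empty slice. The `type: test-pod` label added to `upstreamPod`, `buildPod` and `upstreamTLSPod` in the earlier hunks is what this selector depends on, so a comment on the helper noting that every test pod builder must set it would prevent a future builder silently falling outside the policy.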
