e2e

package
v0.0.0-alpha.0....-c0614ca Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 7, 2026 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Index

Constants

// CronJobKindName is the Kubernetes kind string for CronJob objects.
const CronJobKindName = "CronJob"

// OpenShiftEtcdNamespace is the name of the openshift-etcd namespace.
const OpenShiftEtcdNamespace = "openshift-etcd"

// HostPathBasePath is an absolute directory path with a trailing slash.
// NOTE(review): presumably the node-local directory that backup tests mount
// as a hostPath volume; confirm against callers. A hostPath mount exposes
// node files to the pod, so keep its use scoped to this directory.
const HostPathBasePath = "/etc/kubernetes/cluster-backup/"

// ShellImage allows us to have basic shell tooling, taken from origin:
// https://github.com/openshift/origin/blob/6ee9dc56a612a4c886d094571832ed47efa2e831/test/extended/util/image/image.go#L129-L141C2
//
// NOTE(review): the reference points at the in-cluster registry and uses the
// mutable "latest" tag, so the image content is whatever that registry serves
// at run time. Pin a digest if reproducibility or provenance of the test
// tooling matters.
const ShellImage = "image-registry.openshift-image-registry.svc:5000/openshift/tools:latest"
// DefaultAgnhostImage is the agnhost image that test pods use unless a caller
// supplies its own image.
// NOTE(review): the reference is pinned by tag (2.45), not by digest, so the
// content behind it is only as stable as the registry's tag.
const DefaultAgnhostImage = "registry.k8s.io/e2e-test-images/agnhost:2.45"

Variables

This section is empty.

Functions

func AllowEgressPolicy

func AllowEgressPolicy(name, namespace string, podLabels, toLabels map[string]string, port int32) *networkingv1.NetworkPolicy

AllowEgressPolicy returns a NetworkPolicy that allows egress from pods with podLabels to pods with toLabels on the specified port.

func AllowIngressPolicy

func AllowIngressPolicy(name, namespace string, podLabels, fromLabels map[string]string, port int32) *networkingv1.NetworkPolicy

AllowIngressPolicy returns a NetworkPolicy that allows ingress to pods with podLabels from pods with fromLabels on the specified port.

func BoolToAllowDeny

func BoolToAllowDeny(allow bool) string

BoolToAllowDeny returns "allow" if allow is true, "deny" otherwise.

func CreateServerPod

func CreateServerPod(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, name string, labels map[string]string, port int32) ([]string, func())

CreateServerPod creates an agnhost netexec server pod in the given namespace, waits for it to be Ready, and returns all its PodIPs along with a cleanup function.

func CreateServerPodWithImage

func CreateServerPodWithImage(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, name string, labels map[string]string, port int32, image string) ([]string, func())

CreateServerPodWithImage is like CreateServerPod but allows specifying a custom agnhost image.

func DefaultDenyPolicy

func DefaultDenyPolicy(name, namespace string) *networkingv1.NetworkPolicy

DefaultDenyPolicy returns a NetworkPolicy that blocks all ingress and egress for every pod in the given namespace.

func EgressAllowsNamespace

func EgressAllowsNamespace(policy *networkingv1.NetworkPolicy, namespace string, port int32) bool

EgressAllowsNamespace returns true if the given NetworkPolicy's egress rules allow traffic to the specified namespace on the specified port.

func ExpectConnectivity

func ExpectConnectivity(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace string, clientLabels map[string]string, serverIPs []string, port int32, shouldSucceed bool)

ExpectConnectivity checks connectivity from a pod in the given namespace (with clientLabels) to each serverIP on the specified port. The check is retried for up to 2 minutes per IP. If the result does not match shouldSucceed the test is failed via t.Fatalf.

func FormatIPPort

func FormatIPPort(ip string, port int32) string

FormatIPPort formats an IP:port pair, using brackets for IPv6 addresses (e.g. "[::1]:8443").

func FormatPeers

func FormatPeers(peers []networkingv1.NetworkPolicyPeer) string

FormatPeers returns a human-readable string of a peer list.

func FormatPorts

func FormatPorts(ports []networkingv1.NetworkPolicyPort) string

FormatPorts returns a human-readable string of a port list.

func FormatSelector

func FormatSelector(sel *metav1.LabelSelector) string

FormatSelector returns a human-readable string of a label selector.

func GetNetworkPolicy

func GetNetworkPolicy(t testing.TB, ctx context.Context, client kubernetes.Interface, namespace, name string) *networkingv1.NetworkPolicy

GetNetworkPolicy fetches a NetworkPolicy by namespace and name, failing the test if it does not exist.

func HasAnyTCPPort

func HasAnyTCPPort(ports []networkingv1.NetworkPolicyPort) bool

HasAnyTCPPort returns true if the ports list is empty (all ports) or contains at least one TCP port.

func HasDefaultDeny

func HasDefaultDeny(policies []networkingv1.NetworkPolicy) bool

HasDefaultDeny returns true if any policy in the list is a default-deny-all (empty podSelector with both Ingress and Egress policyTypes).

func HasEgressAllowAllTCP

func HasEgressAllowAllTCP(rules []networkingv1.NetworkPolicyEgressRule) bool

HasEgressAllowAllTCP returns true if any egress rule allows all TCP traffic (no destination restriction).

func HasEgressPortInNamespace

func HasEgressPortInNamespace(policies []networkingv1.NetworkPolicy, protocol corev1.Protocol, port int32) bool

HasEgressPortInNamespace returns true if any policy in the list has an egress rule with the specified protocol/port.

func HasIngressAllowAll

func HasIngressAllowAll(rules []networkingv1.NetworkPolicyIngressRule, port int32) bool

HasIngressAllowAll returns true if any ingress rule allows traffic from all sources on the specified port.

func HasIngressFromNamespace

func HasIngressFromNamespace(rules []networkingv1.NetworkPolicyIngressRule, port int32, namespace string) bool

HasIngressFromNamespace returns true if any ingress rule allows traffic from the specified namespace on the given port (TCP).

func HasIngressFromPolicyGroup

func HasIngressFromPolicyGroup(rules []networkingv1.NetworkPolicyIngressRule, port int32, policyGroupLabelKey string) bool

HasIngressFromPolicyGroup returns true if any ingress rule allows traffic from namespaces with the given policy-group label key on the specified port.

func HasPolicyTypes

func HasPolicyTypes(policyTypes []networkingv1.PolicyType, expected ...networkingv1.PolicyType) bool

HasPolicyTypes returns true if the given policyTypes list contains all of the expected types.

func HasPort

func HasPort(ports []networkingv1.NetworkPolicyPort, protocol corev1.Protocol, port int32) bool

HasPort returns true if the given list of NetworkPolicy ports includes a port matching the specified protocol and port number. A nil port field means "all ports" and is treated as a match.

func HasPortInEgress

func HasPortInEgress(rules []networkingv1.NetworkPolicyEgressRule, protocol corev1.Protocol, port int32) bool

HasPortInEgress returns true if any egress rule contains the specified protocol/port.

func HasPortInIngress

func HasPortInIngress(rules []networkingv1.NetworkPolicyIngressRule, protocol corev1.Protocol, port int32) bool

HasPortInIngress returns true if any ingress rule contains the specified protocol/port.

func HasUnrestrictedEgressInNamespace

func HasUnrestrictedEgressInNamespace(policies []networkingv1.NetworkPolicy) bool

HasUnrestrictedEgressInNamespace returns true if any policy in the list has an egress rule with no port and no destination restrictions (i.e. allows all egress).

func IngressAllowsFromNamespace

func IngressAllowsFromNamespace(policy *networkingv1.NetworkPolicy, namespace string, labels map[string]string, port int32) bool

IngressAllowsFromNamespace returns true if the given NetworkPolicy's ingress rules allow traffic from the specified namespace with the given pod labels on the specified port.

func IsIPv6

func IsIPv6(ip string) bool

IsIPv6 returns true if the given IP string is an IPv6 address.

func IsPodReady

func IsPodReady(pod *corev1.Pod) bool

IsPodReady returns true if the pod has a Ready condition set to True.

func LogConnectivityBestEffort

func LogConnectivityBestEffort(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace string, clientLabels map[string]string, serverIPs []string, port int32, shouldSucceed bool)

LogConnectivityBestEffort is like ExpectConnectivity but uses a shorter timeout (30s) and only logs failures instead of failing the test. This is useful when external factors (e.g. other namespaces' egress policies, mTLS) can interfere with the check.

func LogEgressAllowAllTCP

func LogEgressAllowAllTCP(t testing.TB, policy *networkingv1.NetworkPolicy)

LogEgressAllowAllTCP logs whether the policy has an egress allow-all TCP rule.

func LogIngressFromNamespaceOptional

func LogIngressFromNamespaceOptional(t testing.TB, policy *networkingv1.NetworkPolicy, port int32, namespace string)

LogIngressFromNamespaceOptional logs whether ingress from the specified namespace is present on the given port (informational, does not fail).

func LogIngressHostNetworkOrAllowAll

func LogIngressHostNetworkOrAllowAll(t testing.TB, policy *networkingv1.NetworkPolicy, port int32)

LogIngressHostNetworkOrAllowAll logs whether the policy has an allow-all ingress rule or a host-network policy-group rule on the given port.

func LogNetworkPolicyDetails

func LogNetworkPolicyDetails(t testing.TB, label string, policy *networkingv1.NetworkPolicy)

LogNetworkPolicyDetails logs detailed ingress and egress rules.

func LogNetworkPolicyEvents

func LogNetworkPolicyEvents(t testing.TB, ctx context.Context, client kubernetes.Interface, namespaces []string, policyName string)

LogNetworkPolicyEvents searches for NetworkPolicy-related events in the given namespaces (best-effort, does not fail).

Events emitted by the resourceapply package in library-go use the operator Deployment as the InvolvedObject (not the NetworkPolicy itself). The event Reason is prefixed with "NetworkPolicy" (e.g. NetworkPolicyCreated, NetworkPolicyUpdated, NetworkPolicyDeleted) and the event Message contains the full resource reference including the policy name. Therefore this function matches events by:

  • Reason starting with "NetworkPolicy", OR
  • Message containing the policyName, OR
  • InvolvedObject.Kind == "NetworkPolicy" (for any recorder that does reference the policy directly).

Callers should include the operator namespace in the namespaces list, because that is where resourceapply records the events.

func LogNetworkPolicySummary

func LogNetworkPolicySummary(t testing.TB, label string, policy *networkingv1.NetworkPolicy)

LogNetworkPolicySummary logs a one-line summary of a NetworkPolicy.

func LogPolicyNames

func LogPolicyNames(t testing.TB, namespace string, policies []networkingv1.NetworkPolicy)

LogPolicyNames logs the names of all NetworkPolicies in the given list.

func MutateAndRestoreNetworkPolicy

func MutateAndRestoreNetworkPolicy(t testing.TB, ctx context.Context, client kubernetes.Interface, namespace, name string, timeout time.Duration)

MutateAndRestoreNetworkPolicy patches the policy's podSelector with a spurious label, then waits for the operator to reconcile it back to the original spec. The timeout controls how long to wait for reconciliation.

func NamespaceSelectorMatchesNamespace

func NamespaceSelectorMatchesNamespace(selector *metav1.LabelSelector, namespace string) bool

NamespaceSelectorMatchesNamespace returns true if the given label selector matches the namespace by checking the "kubernetes.io/metadata.name" label in both MatchLabels and MatchExpressions. Returns false when the selector is nil (meaning no namespace selector was specified on the peer).

func NetexecPod

func NetexecPod(name, namespace string, labels map[string]string, port int32) *corev1.Pod

NetexecPod returns a Pod object running agnhost netexec on the given port.

func NetexecPodWithImage

func NetexecPodWithImage(name, namespace string, labels map[string]string, port int32, image string) *corev1.Pod

NetexecPodWithImage returns a Pod object running agnhost netexec with a custom image.

func PodIPs

func PodIPs(pod *corev1.Pod) []string

PodIPs returns all IP addresses assigned to a pod (dual-stack aware).

func PodMatch

func PodMatch(selector *metav1.LabelSelector, labels map[string]string) bool

PodMatch returns true if the given label selector matches the provided labels. Both MatchLabels and MatchExpressions are evaluated.

func RequireDefaultDenyAll

func RequireDefaultDenyAll(t testing.TB, policy *networkingv1.NetworkPolicy)

RequireDefaultDenyAll asserts that the policy is a default-deny-all: empty podSelector with both Ingress and Egress policyTypes.

func RequireEgressPort

func RequireEgressPort(t testing.TB, policy *networkingv1.NetworkPolicy, protocol corev1.Protocol, port int32)

RequireEgressPort asserts that the policy has an egress rule with the specified protocol and port.

func RequireEmptyPodSelector

func RequireEmptyPodSelector(t testing.TB, policy *networkingv1.NetworkPolicy)

RequireEmptyPodSelector asserts that the policy's podSelector is empty (selects all pods in the namespace).

func RequireIngressAllowAll

func RequireIngressAllowAll(t testing.TB, policy *networkingv1.NetworkPolicy, port int32)

RequireIngressAllowAll asserts that the policy allows ingress from any source on the specified port.

func RequireIngressFromNamespace

func RequireIngressFromNamespace(t testing.TB, policy *networkingv1.NetworkPolicy, port int32, namespace string)

RequireIngressFromNamespace asserts that the policy allows ingress from the specified namespace on the given port.

func RequireIngressFromNamespaceOrPolicyGroup

func RequireIngressFromNamespaceOrPolicyGroup(t testing.TB, policy *networkingv1.NetworkPolicy, port int32, namespace, policyGroupLabelKey string)

RequireIngressFromNamespaceOrPolicyGroup asserts that the policy allows ingress either from the specified namespace or from namespaces with the given policy-group label on the specified port.

func RequireIngressPort

func RequireIngressPort(t testing.TB, policy *networkingv1.NetworkPolicy, protocol corev1.Protocol, port int32)

RequireIngressPort asserts that the policy has an ingress rule with the specified protocol and port.

func RequirePodSelectorLabel

func RequirePodSelectorLabel(t testing.TB, policy *networkingv1.NetworkPolicy, key, value string)

RequirePodSelectorLabel asserts that the policy's podSelector contains the given key=value label.

func RequireUnrestrictedEgress

func RequireUnrestrictedEgress(t testing.TB, policy *networkingv1.NetworkPolicy)

RequireUnrestrictedEgress asserts that the policy has at least one egress rule with no port and no destination restrictions (allows all egress).

func RestoreNetworkPolicy

func RestoreNetworkPolicy(t testing.TB, ctx context.Context, client kubernetes.Interface, expected *networkingv1.NetworkPolicy, timeout time.Duration)

RestoreNetworkPolicy deletes the given network policy and waits for the operator to recreate it with the expected spec. The timeout controls how long to wait for restoration.

func RuleAllowsPort

func RuleAllowsPort(ports []networkingv1.NetworkPolicyPort, port int32) bool

RuleAllowsPort returns true if the given list of policy ports includes the specified port (or is empty, meaning all ports are allowed).

func RunConnectivityCheck

func RunConnectivityCheck(ctx context.Context, kubeClient kubernetes.Interface, namespace string, labels map[string]string, serverIP string, port int32) (bool, error)

RunConnectivityCheck creates an ephemeral agnhost connect pod in the given namespace with the specified labels, attempts a TCP connection to serverIP:port, and returns whether the connection succeeded.

func RunConnectivityCheckWithImage

func RunConnectivityCheckWithImage(ctx context.Context, kubeClient kubernetes.Interface, namespace string, labels map[string]string, serverIP string, port int32, image string) (bool, error)

RunConnectivityCheckWithImage is like RunConnectivityCheck but allows specifying a custom agnhost image.

func ServiceClusterIPs

func ServiceClusterIPs(svc *corev1.Service) []string

ServiceClusterIPs returns all ClusterIPs for a service (dual-stack aware).

func TestBackupFailureOnMissingPVC

func TestBackupFailureOnMissingPVC(t testing.TB)

func TestBackupHappyPath

func TestBackupHappyPath(t testing.TB)

func TestBackupScript

func TestBackupScript(t testing.TB)

func TestEtcdDBScaling

func TestEtcdDBScaling(t testing.TB)

func TestEtcdQuorumGuard

func TestEtcdQuorumGuard(t testing.TB)

TestEtcdQuorumGuard tests the etcd Quorum Guard. It assumes there are exactly three master pods (as does the etcd Quorum Guard at present). The test first makes one node unschedulable and evicts the EQG pod from it, ensuring that eviction succeeds. The test next makes a second node unschedulable and then attempts to evict the EQG pod from it. It checks that the pod is *not* evicted. It then makes all nodes schedulable and checks that the EQG pod is present/restarted on all masters. It then makes one node unschedulable again and checks that the EQG pod is evicted.

func TestEtcdctlCommands

func TestEtcdctlCommands(t testing.TB)

TestEtcdctlCommands executes all known etcdctl commands inside of the etcdctl container. The test is not intended to be a functional test, but rather a sanity test that the container ENV is populated correctly and that etcdctl consumes that ENV properly.

func TestMultipleBackupsAreSkipped

func TestMultipleBackupsAreSkipped(t testing.TB)

func TestPeriodicBackupHappyPath

func TestPeriodicBackupHappyPath(t testing.TB)

func TestRetentionBySize

func TestRetentionBySize(t testing.TB)

func TestWrongScheduleDegradesOperator

func TestWrongScheduleDegradesOperator(t testing.TB)

func WaitForPodCompletion

func WaitForPodCompletion(ctx context.Context, kubeClient kubernetes.Interface, namespace, name string) error

WaitForPodCompletion waits up to 2 minutes for a pod to reach Succeeded or Failed phase.

func WaitForPodReady

func WaitForPodReady(ctx context.Context, kubeClient kubernetes.Interface, namespace, name string) error

WaitForPodReady waits up to 2 minutes for a pod to reach the Running phase with a Ready condition.

func WaitForPodsReadyByLabel

func WaitForPodsReadyByLabel(t testing.TB, ctx context.Context, client kubernetes.Interface, namespace, labelSelector string)

WaitForPodsReadyByLabel waits up to 5 minutes for all pods matching the label selector in the namespace to be ready.

Types

This section is empty.

Directories

Path Synopsis
