Add authz-tcp user guide test. (#7176)

Force merge because of netlify flake
This commit is contained in:
Justin Pettit 2020-05-11 07:25:00 -07:00 committed by GitHub
parent affe99f97a
commit e77f3e8e2d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 361 additions and 11 deletions


@ -5,6 +5,7 @@ weight: 20
keywords: [security,access-control,rbac,tcp,authorization] keywords: [security,access-control,rbac,tcp,authorization]
aliases: aliases:
- /docs/tasks/security/authz-tcp/ - /docs/tasks/security/authz-tcp/
test: true
--- ---
This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh. This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh.
@ -35,13 +36,13 @@ Deploy the example namespace and workloads using the following command:
using the following command: using the following command:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9000 hello port 9000
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001 hello port 9001
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}
@ -52,8 +53,8 @@ defined in the Kubernetes service object of `tcp-echo`.
Get the pod IP address and send the request with the following command: Get the pod IP address and send the request with the following command:
{{< text bash >}} {{< text bash >}}
$ TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP}) $ TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9002 hello port 9002
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}
@ -89,7 +90,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
1. Verify that requests to port 9000 are allowed using the following command: 1. Verify that requests to port 9000 are allowed using the following command:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9000 hello port 9000
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}
@ -97,7 +98,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
1. Verify that requests to port 9001 are allowed using the following command: 1. Verify that requests to port 9001 are allowed using the following command:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001 hello port 9001
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}
@ -107,7 +108,7 @@ policy which also applies to the pass through filter chain, even if the port is
explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output: explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected connection rejected
{{< /text >}} {{< /text >}}
@ -139,7 +140,7 @@ The final result is that the request is rejected, because it does not match any
Run the following command and verify the output: Run the following command and verify the output:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected connection rejected
{{< /text >}} {{< /text >}}
@ -147,7 +148,7 @@ Run the following command and verify the output:
ALLOW rules. Run the following command and verify the output: ALLOW rules. Run the following command and verify the output:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected connection rejected
{{< /text >}} {{< /text >}}
@ -179,7 +180,7 @@ which causes Istio to ignore the entire rule. The final result is that only the
field is used by Istio and the requests are denied because they match with the `ports`: field is used by Istio and the requests are denied because they match with the `ports`:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected connection rejected
{{< /text >}} {{< /text >}}
@ -187,7 +188,7 @@ field is used by Istio and the requests are denied because they match with the `
the `ports` in the DENY policy: the `ports` in the DENY policy:
{{< text bash >}} {{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001 hello port 9001
connection succeeded connection succeeded
{{< /text >}} {{< /text >}}


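--- a/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
+++ b/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
@@ -0,0 +1,177 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+# docs/tasks/security/authorization/authz-tcp/index.md
+####################################################################################################
+snip_before_you_begin_1() {
+kubectl create ns foo
+kubectl apply -f <(istioctl kube-inject -f samples/tcp-echo/tcp-echo.yaml) -n foo
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
+}
+snip_before_you_begin_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
+hello port 9000
+connection succeeded
+ENDSNIP
+snip_before_you_begin_3() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_before_you_begin_3_out <<\ENDSNIP
+hello port 9001
+connection succeeded
+ENDSNIP
+snip_before_you_begin_4() {
+TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_before_you_begin_4_out <<\ENDSNIP
+hello port 9002
+connection succeeded
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_1() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+name: tcp-policy
+namespace: foo
+spec:
+selector:
+matchLabels:
+app: tcp-echo
+action: ALLOW
+rules:
+- to:
+- operation:
+ports: ["9000", "9001"]
+EOF
+}
+snip_configure_access_control_for_a_tcp_workload_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_2_out <<\ENDSNIP
+hello port 9000
+connection succeeded
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_3() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_3_out <<\ENDSNIP
+hello port 9001
+connection succeeded
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_4() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_4_out <<\ENDSNIP
+connection rejected
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_5() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+name: tcp-policy
+namespace: foo
+spec:
+selector:
+matchLabels:
+app: tcp-echo
+action: ALLOW
+rules:
+- to:
+- operation:
+methods: ["GET"]
+ports: ["9000"]
+EOF
+}
+snip_configure_access_control_for_a_tcp_workload_6() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_6_out <<\ENDSNIP
+connection rejected
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_7() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_7_out <<\ENDSNIP
+connection rejected
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_8() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+name: tcp-policy
+namespace: foo
+spec:
+selector:
+matchLabels:
+app: tcp-echo
+action: DENY
+rules:
+- to:
+- operation:
+methods: ["GET"]
+ports: ["9000"]
+EOF
+}
+snip_configure_access_control_for_a_tcp_workload_9() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_9_out <<\ENDSNIP
+connection rejected
+ENDSNIP
+snip_configure_access_control_for_a_tcp_workload_10() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+! read -r -d '' snip_configure_access_control_for_a_tcp_workload_10_out <<\ENDSNIP
+hello port 9001
+connection succeeded
+ENDSNIP
+snip_clean_up_1() {
+kubectl delete namespace foo
+}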

17
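--- a/go.sum
+++ b/go.sum
@@ -1098,6 +1098,23 @@ istio.io/gogo-genproto v0.0.0-20200326154102-997c228eecef h1:jVlVwrFW1LIm9XyPnvt
 istio.io/gogo-genproto v0.0.0-20200326154102-997c228eecef/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs=
 istio.io/istio v0.0.0-20200426091446-f7c106d20f70 h1:vrX1MRemIyXXowr7I9ljgKQfYVUwr9/HZMZkODDwElo=
 istio.io/istio v0.0.0-20200426091446-f7c106d20f70/go.mod h1:6lzLEVtt9HdwJ2I65BXidYfVFnCy+nUdPn7EFVss94g=
+istio.io/istio v0.0.0-20200211190130-fb23733979fe h1:GwjDnzgsOBM6y8fKuuoGYKyOhYOtwTA7ZbXloScPaKA=
+istio.io/istio v0.0.0-20200211190130-fb23733979fe/go.mod h1:wKE9Xss4ktHDdf3U+IzDRoQjhJJyhnObuCxTyNxm1Xk=
+istio.io/istio v0.0.0-20200219230945-34ee61d95048 h1:3tv6JUn3gVcF/XdRb0tKCL84mGTxou6NxhvH7BQ83KA=
+istio.io/istio v0.0.0-20200219230945-34ee61d95048/go.mod h1:+l6TTXlWyn+jycoK5K1T3YO379mEZgd9307u0R8N+Nc=
+istio.io/istio v0.0.0-20200304151407-a11761a19432 h1:uCuVbV8QSt50YugqJWhat82Bx6jUXUQEme1Xy+QfVDw=
+istio.io/istio v0.0.0-20200304151407-a11761a19432/go.mod h1:x0U/KPVWuw52Yo91asmKduaZwAP6jJ8xQkyxBKnsVcM=
+istio.io/istio v0.0.0-20200314140522-cbeb7a9d4e9f h1:S2hGCPQXyazSxhr++JJhjcs35E46wRnojIPVmJI/89U=
+istio.io/istio v0.0.0-20200314140522-cbeb7a9d4e9f/go.mod h1:x/D9l78LqWTJZoXdroQ2bHAHKtBvJJkTVXUJfGdl2Xw=
+istio.io/istio v0.0.0-20200328131501-9875a1e76d32 h1:GTLGb3lRaHxBHeH6DRBmDbhb+jjzsqb/RmdUW6wxenw=
+istio.io/istio v0.0.0-20200328131501-9875a1e76d32/go.mod h1:fbwgWDgaH9l/skqVwZGDF3lKVdgPtGK94AJvieGErMI=
+istio.io/istio v0.0.0-20200414023437-1d3b136325a5 h1:HmvGD1G71F97wwvzZGkcjk8C13IqddC91Et7mcoy36s=
+istio.io/istio v0.0.0-20200414023437-1d3b136325a5/go.mod h1:d+q9YJfgZ+rooB9fE+ETY8GdRmNf6OaY5VP7J22MpYc=
+istio.io/istio v0.0.0-20200427205204-768f5033f84f h1:fD3LKAsUKN6z0P2s6mq2MEqnkU63/MSbhmRAsdTMPmk=
+istio.io/pkg v0.0.0-20200131182711-9ba13e0e34bb h1:ZEOEfPpz4ooW3lhX5qi+XA6dTO1Mb72EFaRniUb6Mvc=
+istio.io/pkg v0.0.0-20200131182711-9ba13e0e34bb/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
+istio.io/pkg v0.0.0-20200227125209-63966175aa01 h1:aiO57C3tGvBUWKMu1WrM5lUn3cC7ZIgR8YOUXaVPeoQ=
+istio.io/pkg v0.0.0-20200227125209-63966175aa01/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
 istio.io/pkg v0.0.0-20200327214633-ce134a9bd104 h1:8xwo9P7aXQrQnzE0km5A8iYElUY067ZUlwJZMnsRtCI=
 istio.io/pkg v0.0.0-20200327214633-ce134a9bd104/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU=
 k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48=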


@ -0,0 +1,54 @@
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authztcp
import (
"testing"
"istio.io/istio/pkg/test/framework"
"istio.io/istio.io/pkg/test/istioio"
)
//https://istio.io/docs/tasks/security/authorization/authz-tcp/
//https://github.com/istio/istio.io/blob/release-1.5/content/en/docs/tasks/security/authorization/authz-tcp/index.md
func TestAuthzTCP(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("tasks__security___authz_tcp").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_with_tcpecho_sleep.sh",
Value: `
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
snip_before_you_begin_1`,
},
}).
Add(istioio.MultiPodWait("foo")).
Add(istioio.Script{
Input: istioio.Path("scripts/authz_tcp.txt"),
}).
// Cleanup.
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
snip_clean_up_1`,
},
}).
Build())
}
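Review bot: Both inline scripts (the `create_ns_foo_with_tcpecho_sleep.sh` body and the `cleanup.sh` body in the Defer) leave `${REPO_ROOT}` unquoted in `source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh`, so a checkout path containing whitespace is word-split, and an unset REPO_ROOT makes the line source `/content/en/...` from the filesystem root instead of failing with a clear message. Quote it and assert it is set: `source "${REPO_ROOT:?REPO_ROOT must be set}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh"`. Whether the test framework runs these snippets under `set -u` is not visible here, so the `:?` guard is the only way to be sure a missing REPO_ROOT aborts early. The same unquoted form appears in scripts/authz_tcp.txt and would benefit from the same change.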


@ -0,0 +1,34 @@
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authztcp
import (
"testing"
"istio.io/istio/pkg/test/framework"
"istio.io/istio/pkg/test/framework/components/istio"
"istio.io/istio/pkg/test/framework/resource/environment"
)
var (
ist istio.Instance
)
func TestMain(m *testing.M) {
framework.NewSuite("authz_tcp", m).
SetupOnEnv(environment.Kube, istio.Setup(&ist, nil)).
RequireEnvironment(environment.Kube).
Run()
}


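--- a/scripts/authz_tcp.txt
+++ b/scripts/authz_tcp.txt
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -e
+set -u
+set -o pipefail
+source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
+export TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP})
+# When strict-mode mTLS is enabled, only ports defined as a service are
+# protected by mTLS. As part of this test, we connect to port 9002, which was
+# not configured as a service, so the connection fails and breaks the test.
+#
+# To make this test reliable, we remove any peer authentication that may have
+# stuck around from a previous test.
+kubectl delete peerauthentication --all-namespaces --all
+out=$(snip_before_you_begin_2 2>&1)
+_verify_same "$out" "$snip_before_you_begin_2_out" "snip_before_you_begin_2"
+out=$(snip_before_you_begin_3 2>&1)
+_verify_same "$out" "$snip_before_you_begin_3_out" "snip_before_you_begin_3"
+out=$(snip_before_you_begin_4 2>&1)
+_verify_same "$out" "$snip_before_you_begin_4_out" "snip_before_you_begin_4"
+snip_configure_access_control_for_a_tcp_workload_1
+out=$(snip_configure_access_control_for_a_tcp_workload_2 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_2_out" "snip_configure_access_control_for_a_tcp_workload_2"
+out=$(snip_configure_access_control_for_a_tcp_workload_3 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_3_out" "snip_configure_access_control_for_a_tcp_workload_3"
+out=$(snip_configure_access_control_for_a_tcp_workload_4 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_4_out" "snip_configure_access_control_for_a_tcp_workload_4"
+snip_configure_access_control_for_a_tcp_workload_5
+out=$(snip_configure_access_control_for_a_tcp_workload_6 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_6_out" "snip_configure_access_control_for_a_tcp_workload_6"
+out=$(snip_configure_access_control_for_a_tcp_workload_7 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_7_out" "snip_configure_access_control_for_a_tcp_workload_7"
+snip_configure_access_control_for_a_tcp_workload_8
+out=$(snip_configure_access_control_for_a_tcp_workload_9 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_9_out" "snip_configure_access_control_for_a_tcp_workload_9"
+out=$(snip_configure_access_control_for_a_tcp_workload_10 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_10_out" "snip_configure_access_control_for_a_tcp_workload_10"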
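Review bot: `export TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod ...) ...)` masks kubectl's exit status, because `export` returns 0 even when the command substitution fails, so `set -e` does not fire and TCP_ECHO_IP is left empty; the `snip_before_you_begin_4` function re-derives the IP itself but runs inside `$(...)`, so the exported value is the only one `snip_configure_access_control_for_a_tcp_workload_4` sees, and with an empty IP that snippet prints `connection rejected` for a reason unrelated to the policy, which would make that check pass spuriously. The inner substitution and both `jsonpath=` arguments are also unquoted here, although the same command in the sourced snips.sh (and the updated index.md) quotes them. Split the assignment from the export and quote it: `TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath='{.items..metadata.name}')" -n foo -o jsonpath='{.status.podIP}')` then `export TCP_ECHO_IP`, and quote `source "${REPO_ROOT}/..."` on the line above it. Separately, `kubectl delete peerauthentication --all-namespaces --all` removes every PeerAuthentication in the cluster rather than only those in `foo`; the comment explains the motivation, but it should also say that this script assumes a dedicated, disposable test cluster.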