Run test pods

Signed-off-by: Daichi Sakaue <[email protected]>

.github/workflows/ci.yaml

@@ -30,8 +30,8 @@ jobs:
       - name: Run lint
         run: make lint
       - name: Run environment
-        run: make start
-        working-directory: e2e
-      - name: Install
-        run: make install
         working-directory: e2e
+        run: |
+          make start
+          make install-test-pod
+          make install-policy-viewer

e2e/Makefile

@@ -9,6 +9,7 @@ HELM := $(TOOLS_DIR)/helm --repository-cache $(CACHE_DIR)/helm/repository --repo
 KIND := $(TOOLS_DIR)/kind
 KUBECTL := $(TOOLS_DIR)/kubectl
 KUSTOMIZE := $(TOOLS_DIR)/kustomize
+YQ := $(TOOLS_DIR)/yq
 
 ##@ Basic
 
@@ -18,6 +19,11 @@ help: ## Display this help
 
 ##@ Test
 
+.PHONY: wait-for-workloads
+wait-for-workloads:
+	$(KUBECTL) wait --for=condition=Available --all deployments --all-namespaces --timeout=1h
+	$(KUBECTL) wait --for=condition=Ready --all pods --all-namespaces --timeout=1h
+
 .PHONY: start
 start:
 	docker pull quay.io/cilium/cilium:v$(CILIUM_VERSION)
@@ -28,11 +34,28 @@ start:
 		--set image.pullPolicy=IfNotPresent \
 		--set ipam.mode=kubernetes
 	$(KUSTOMIZE) build testdata | $(KUBECTL) apply -f -
-	$(KUBECTL) wait --for=condition=Available --all deployments --all-namespaces --timeout=1h
-	$(KUBECTL) wait --for=condition=Ready --all pods --all-namespaces --timeout=1h
+	$(MAKE) --no-print-directory wait-for-workloads
+
+run-test-pod-%:
+	cat testdata/template/ubuntu.yaml | \
+		$(YQ) '.metadata.name = "$*"' | \
+		$(YQ) '.spec.selector.matchLabels = {"test": "$*"}' | \
+		$(YQ) '.spec.template.metadata.labels = {"test": "$*"}' | \
+		$(KUBECTL) apply -f -
+
+.PHONY: install-test-pod
+install-test-pod:
+	$(MAKE) --no-print-directory run-test-pod-self
+	$(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-allow
+	$(MAKE) --no-print-directory run-test-pod-l3-ingress-no-rule
+	$(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-deny
+	$(MAKE) --no-print-directory run-test-pod-l3-egress-implicit-deny
+	$(MAKE) --no-print-directory run-test-pod-l3-egress-explicit-deny
+	$(MAKE) --no-print-directory wait-for-workloads
+	$(KUBECTL) apply -f testdata/policy/l3.yaml
 
-.PHONY: install
-install:
+.PHONY: install-policy-viewer
+install-policy-viewer:
 	$(MAKE) -C ../ build
 	PODNAME=$$($(KUBECTL) get po -l app=ubuntu -o name | cut -d'/' -f2); \
 	$(KUBECTL) cp $(CILIUM_POLICY) $${PODNAME}:/tmp/; \

e2e/testdata/policy/l3.yaml

@@ -0,0 +1,48 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: l3-egress
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s:test: self
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            k8s:test: l3-ingress-explicit-allow
+    - toEndpoints:
+        - matchLabels:
+            k8s:test: l3-ingress-implicit-deny
+    - toEndpoints:
+        - matchLabels:
+            k8s:test: l3-ingress-explicit-deny
+  egressDeny:
+    - toEndpoints:
+        - matchLabels:
+            k8s:test: l3-egress-explicit-deny
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: l3-ingress-explicit-allow
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s:test: l3-ingress-explicit-allow
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            k8s:test: self
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: l3-ingress-explicit-deny
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s:test: l3-ingress-explicit-deny
+  ingressDeny:
+    - fromEndpoints:
+        - matchLabels:
+            k8s:test: self

e2e/testdata/template/ubuntu.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: default
+  name: ubuntu
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ubuntu
+  template:
+    metadata:
+      labels:
+        app: ubuntu
+    spec:
+      serviceAccountName: ubuntu
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: ubuntu
+          args:
+            - pause
+          image: ghcr.io/cybozu/ubuntu-debug:22.04