Initialisation depot
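--- a/arti-api/test-network-policies.sh
+++ b/arti-api/test-network-policies.sh
@@ -0,0 +1,165 @@
+#!/bin/bash
+
+# Test script for Kubernetes Network Policies
+# Tests access control for artifactory services
+
+set -e
+
+echo "🔒 Testing Kubernetes Network Policies for Artifactory"
+echo "=================================================="
+echo ""
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Configuration
+NAMESPACE="artifactory"
+INTERNAL_TEST_IP="192.168.100.50" # Adjust to your internal network
+EXTERNAL_TEST_IP="8.8.8.8" # Simulated external IP
+
+echo "📋 Configuration:"
+echo " Namespace: $NAMESPACE"
+echo " Internal Network: 192.168.100.0/24"
+echo " Test Internal IP: $INTERNAL_TEST_IP"
+echo " Test External IP: $EXTERNAL_TEST_IP"
+echo ""
+
+# Check if kubectl is available
+if ! command -v kubectl &> /dev/null; then
+echo "❌ kubectl not found. Please install kubectl first."
+exit 1
+fi
+
+# Check if namespace exists
+if ! kubectl get namespace $NAMESPACE &> /dev/null; then
+echo "❌ Namespace '$NAMESPACE' not found."
+echo " Please deploy the services first:"
+echo " kubectl apply -f kubernetes-with-network-policy.yaml"
+exit 1
+fi
+
+echo "🔍 Checking deployed resources..."
+
+# Check deployments
+echo " Deployments:"
+kubectl get deployments -n $NAMESPACE | grep -E "(NAME|arti-api|chartmuseum|docker-registry)" || echo " No deployments found"
+
+# Check services
+echo " Services:"
+kubectl get services -n $NAMESPACE | grep -E "(NAME|arti-api|chartmuseum|docker-registry)" || echo " No services found"
+
+# Check network policies
+echo " Network Policies:"
+kubectl get networkpolicies -n $NAMESPACE | grep -E "(NAME|artifactory)" || echo " No network policies found"
+
+echo ""
+
+# Function to test endpoint access
+test_endpoint() {
+local service=$1
+local port=$2
+local path=$3
+local description=$4
+local expected_result=$5
+
+echo -n " Testing $description... "
+
+# Create a test pod to simulate network access
+kubectl run test-pod-$RANDOM --rm -i --image=curlimages/curl --restart=Never --quiet -- \
+curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 \
+"http://$service.$NAMESPACE.svc.cluster.local:$port$path" 2>/dev/null || echo "000"
+}
+
+echo "🧪 Testing Network Access..."
+echo ""
+
+# Test internal network access (simulated)
+echo "🏠 Internal Network Tests (192.168.100.x should have full access):"
+
+# Note: In a real environment, you would run these tests from pods with the correct source IP
+echo " ${YELLOW}Note: These tests run from within the cluster${NC}"
+echo " ${YELLOW}In production, source IP filtering would be handled by Ingress${NC}"
+
+# Test health endpoints (should always work)
+echo " Health Endpoints (should be accessible):"
+kubectl run test-health --rm -i --image=curlimages/curl --restart=Never --quiet -- \
+curl -s -f "http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/health" && \
+echo -e " ✅ ${GREEN}Arti-API health endpoint accessible${NC}" || \
+echo -e " ❌ ${RED}Arti-API health endpoint failed${NC}"
+
+kubectl run test-cm-health --rm -i --image=curlimages/curl --restart=Never --quiet -- \
+curl -s -f "http://chartmuseum-service.$NAMESPACE.svc.cluster.local:8080/health" && \
+echo -e " ✅ ${GREEN}Chart Museum health endpoint accessible${NC}" || \
+echo -e " ❌ ${RED}Chart Museum health endpoint failed${NC}"
+
+kubectl run test-reg-health --rm -i --image=curlimages/curl --restart=Never --quiet -- \
+curl -s -f "http://docker-registry-service.$NAMESPACE.svc.cluster.local:5000/v2/" && \
+echo -e " ✅ ${GREEN}Docker Registry health endpoint accessible${NC}" || \
+echo -e " ❌ ${RED}Docker Registry health endpoint failed${NC}"
+
+echo ""
+
+# Test management endpoints (should work from internal network)
+echo " Management Endpoints (should be accessible from internal network):"
+
+kubectl run test-users --rm -i --image=curlimages/curl --restart=Never --quiet -- \
+curl -s -f "http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users" && \
+echo -e " ✅ ${GREEN}Arti-API users endpoint accessible${NC}" || \
+echo -e " ❌ ${RED}Arti-API users endpoint failed${NC}"
+
+echo ""
+
+echo "🌐 Network Policy Verification:"
+
+# Check if network policies are applied
+NP_COUNT=$(kubectl get networkpolicies -n $NAMESPACE --no-headers 2>/dev/null | wc -l)
+if [ "$NP_COUNT" -gt 0 ]; then
+echo -e " ✅ ${GREEN}Network policies are deployed ($NP_COUNT policies)${NC}"
+kubectl get networkpolicies -n $NAMESPACE
+else
+echo -e " ❌ ${RED}No network policies found${NC}"
+fi
+
+echo ""
+
+echo "📋 Network Policy Details:"
+kubectl describe networkpolicy -n $NAMESPACE 2>/dev/null || echo " No network policies to describe"
+
+echo ""
+
+echo "🔧 Manual Testing Commands:"
+echo ""
+echo " # Test from internal network (run from a pod with source IP 192.168.100.x):"
+echo " kubectl run internal-test --rm -i --tty --image=curlimages/curl -- sh"
+echo " # Then inside the pod:"
+echo " curl http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users"
+echo ""
+echo " # Test external access through Ingress (if configured):"
+echo " curl http://artifactory.local/health # Should work"
+echo " curl http://artifactory.local/users # Should be blocked (403)"
+echo ""
+echo " # Check pod labels (must match NetworkPolicy selector):"
+echo " kubectl get pods -n $NAMESPACE --show-labels"
+echo ""
+echo " # Verify network policy application:"
+echo " kubectl get networkpolicies -n $NAMESPACE -o yaml"
+echo ""
+
+echo "📚 Next Steps:"
+echo " 1. Configure Ingress controller with path-based filtering"
+echo " 2. Test from actual internal network (192.168.100.x)"
+echo " 3. Verify external access is properly restricted"
+echo " 4. Monitor network policy logs if available"
+echo ""
+
+echo "✅ Network Policy test completed!"
+echo ""
+echo "🔒 Security Summary:"
+echo " - NetworkPolicy restricts traffic at network layer"
+echo " - Ingress controller provides HTTP path filtering"
+echo " - Internal network (192.168.100.0/24) has full access"
+echo " - External access limited to health endpoints"
+echo " - Inter-pod communication allowed within namespace"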
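Review bot: Every probe in this file expects the request to succeed, so the script cannot tell a working policy from a missing one — the `test-users` run treats a reachable `/users` as a pass, no probe is made from a source the policy is supposed to reject, and the closing `echo "✅ Network Policy test completed!"` runs regardless of earlier failures because each `&& … || …` list swallows the status under `set -e`. The `kubectl run` probes also omit `-n "$NAMESPACE"`, so the pods land in the kubeconfig's current namespace and are only in-namespace when the context happens to point at `artifactory`; `test_endpoint` is defined but never called, and the two `echo " ${YELLOW}…${NC}"` lines lack `-e`, so the escape codes are printed literally. I would count failures and return them as the exit status, and add one probe that the summary lines say should be blocked (a pod in another namespace, assuming the policy only admits the namespace's own pods and 192.168.100.0/24 — worth confirming against the manifest before relying on it).
```shell
failures=0
# … unchanged: banner, configuration, kubectl/namespace checks, health probes …
kubectl run test-users -n "$NAMESPACE" --rm -i --image=curlimages/curl --restart=Never --quiet -- \
  curl -s -f "http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users" \
  && echo -e " ✅ ${GREEN}Arti-API users endpoint accessible${NC}" \
  || { echo -e " ❌ ${RED}Arti-API users endpoint failed${NC}"; failures=$((failures + 1)); }

# Negative probe: a pod outside the namespace should be denied (confirm against the policy's podSelector/ipBlock)
kubectl run test-deny -n default --rm -i --image=curlimages/curl --restart=Never --quiet -- \
  curl -s -f --connect-timeout 5 "http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users" \
  && { echo -e " ❌ ${RED}/users reachable from outside the namespace${NC}"; failures=$((failures + 1)); } \
  || echo -e " ✅ ${GREEN}/users blocked from outside the namespace${NC}"
# … unchanged: policy listing, manual commands, summary …
exit "$failures"
```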