#!/bin/bash
# Test script for Kubernetes Network Policies
# Tests access control for the artifactory services (arti-api, chartmuseum, docker-registry)

set -e

echo "🔒 Testing Kubernetes Network Policies for Artifactory"
echo "=================================================="
echo ""

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Configuration
NAMESPACE="artifactory"
INTERNAL_TEST_IP="192.168.100.50"   # Adjust to your internal network
EXTERNAL_TEST_IP="8.8.8.8"          # Simulated external IP

echo "📋 Configuration:"
echo "   Namespace: $NAMESPACE"
echo "   Internal Network: 192.168.100.0/24"
echo "   Test Internal IP: $INTERNAL_TEST_IP"
echo "   Test External IP: $EXTERNAL_TEST_IP"
echo ""

# Check if kubectl is available
if ! command -v kubectl &> /dev/null; then
    echo "❌ kubectl not found. Please install kubectl first."
    exit 1
fi

# Check if namespace exists
if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
    echo "❌ Namespace '$NAMESPACE' not found."
    echo "   Please deploy the services first:"
    echo "   kubectl apply -f kubernetes-with-network-policy.yaml"
    exit 1
fi

echo "🔍 Checking deployed resources..."

# Check deployments
echo "   Deployments:"
kubectl get deployments -n "$NAMESPACE" | grep -E "(NAME|arti-api|chartmuseum|docker-registry)" || echo "   No deployments found"

# Check services
echo "   Services:"
kubectl get services -n "$NAMESPACE" | grep -E "(NAME|arti-api|chartmuseum|docker-registry)" || echo "   No services found"

# Check network policies
echo "   Network Policies:"
kubectl get networkpolicies -n "$NAMESPACE" | grep -E "(NAME|artifactory)" || echo "   No network policies found"
echo ""

# Function to test endpoint access.
# Runs a throwaway curl pod inside the cluster and compares the HTTP status it
# gets back against an expected shell pattern (e.g. '2??' for any 2xx).
# A status of 000 means the connection never completed (timeout or refusal):
# that is what a NetworkPolicy deny looks like. The policy works at L3/L4 and
# never answers with an HTTP error code.
#
# NOTE: the probe pod is created in $NAMESPACE on purpose. Pods in the same
# namespace are admitted by the policy (see the security summary at the end),
# so these checks verify that the policy does not break intra-namespace
# traffic. They cannot verify the 192.168.100.0/24 rule: a pod's packets carry
# its pod IP as source address, not an address from that range.
test_endpoint() {
    local service=$1
    local port=$2
    local path=$3
    local description=$4
    local expected_pattern=$5
    local actual_code

    echo -n "   Testing $description... "
    # '|| true' instead of '|| echo 000': curl already prints 000 on a failed
    # connect, so appending another 000 would produce "000000".
    actual_code=$(kubectl run "test-pod-$RANDOM" -n "$NAMESPACE" --rm -i --image=curlimages/curl --restart=Never --quiet -- \
        curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 \
        "http://$service.$NAMESPACE.svc.cluster.local:$port$path" 2>/dev/null || true)
    actual_code="${actual_code:-000}"

    case "$actual_code" in
        $expected_pattern)
            echo -e "✅ ${GREEN}HTTP $actual_code (expected $expected_pattern)${NC}" ;;
        *)
            echo -e "❌ ${RED}HTTP $actual_code (expected $expected_pattern)${NC}" ;;
    esac
}

echo "🧪 Testing Network Access..."
echo ""

# Test internal network access (simulated)
echo "🏠 Internal Network Tests (192.168.100.x should have full access):"
# Note: In a real environment, you would run these tests from a host on 192.168.100.0/24.
echo -e "   ${YELLOW}Note: These tests run from a pod inside the cluster, in namespace $NAMESPACE${NC}"
echo -e "   ${YELLOW}They do not exercise the source-IP rule; test that from the internal network itself${NC}"
echo -e "   ${YELLOW}In production, HTTP path filtering is handled by the Ingress controller, not by NetworkPolicy${NC}"

# Test health endpoints (should always work from inside the namespace)
echo "   Health Endpoints (should be accessible):"
test_endpoint arti-api-service 8000 /health "Arti-API health endpoint" '2??'
test_endpoint chartmuseum-service 8080 /health "Chart Museum health endpoint" '2??'
test_endpoint docker-registry-service 5000 /v2/ "Docker Registry health endpoint" '2??'
echo ""

# Test management endpoints (should work from the internal network and from the namespace)
echo "   Management Endpoints (should be accessible from internal network):"
test_endpoint arti-api-service 8000 /users "Arti-API users endpoint" '2??'
echo ""

echo "🌐 Network Policy Verification:"

# Check if network policies are applied
NP_COUNT=$(kubectl get networkpolicies -n "$NAMESPACE" --no-headers 2>/dev/null | wc -l)
if [ "$NP_COUNT" -gt 0 ]; then
    echo -e "   ✅ ${GREEN}Network policies are deployed ($NP_COUNT policies)${NC}"
    kubectl get networkpolicies -n "$NAMESPACE"
else
    echo -e "   ❌ ${RED}No network policies found${NC}"
fi
echo ""

echo "📋 Network Policy Details:"
kubectl describe networkpolicy -n "$NAMESPACE" 2>/dev/null || echo "   No network policies to describe"
echo ""

echo "🔧 Manual Testing Commands:"
echo ""
echo "   # Interactive test from a pod inside the cluster (source is the pod IP, so this does not exercise the 192.168.100.x rule):"
echo "   kubectl run internal-test -n $NAMESPACE --rm -i --tty --image=curlimages/curl -- sh"
echo "   # Then inside the pod:"
echo "   curl http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users"
echo ""
echo "   # Test from the internal network: run curl from a host on 192.168.100.0/24 against the exposed address"
echo ""
echo "   # Test external access through Ingress (if configured):"
echo "   curl http://artifactory.local/health   # Should work"
echo "   curl http://artifactory.local/users    # Should be blocked (403)"
echo ""
echo "   # Check pod labels (must match the NetworkPolicy podSelector):"
echo "   kubectl get pods -n $NAMESPACE --show-labels"
echo ""
echo "   # Verify network policy application:"
echo "   kubectl get networkpolicies -n $NAMESPACE -o yaml"
echo ""

echo "📚 Next Steps:"
echo "   1. Configure Ingress controller with path-based filtering"
echo "   2. Test from the actual internal network (192.168.100.x)"
echo "   3. Verify external access is properly restricted"
echo "   4. Monitor network policy logs if your CNI provides them"
echo ""

echo "✅ Network Policy test completed!"
echo ""
echo "🔒 Security Summary:"
echo "   - NetworkPolicy restricts traffic at L3/L4 (source pods/namespaces/IP blocks and ports), not by HTTP path"
echo "   - Ingress controller provides HTTP path filtering"
echo "   - Internal network (192.168.100.0/24) has full access"
echo "   - External access limited to health endpoints"
echo "   - Inter-pod communication allowed within namespace"
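The script above prints a result for every probe but never fails, so it cannot gate a deployment. What follows is an added example, not part of the original script or the project: a small test matrix that records PASS/FAIL per case, includes negative cases from a namespace the policy is not supposed to admit, and returns the number of failures. Names and expectations that are assumptions rather than facts from the page: the non-admitted source namespace `np-probe-other`, and that the policy admits only pods in `artifactory` plus 192.168.100.0/24 and denies everything else. Because a NetworkPolicy sees only IPs and ports, the matrix expects /health to be blocked from the non-admitted namespace just like /users; exposing /health alone to outside clients is the Ingress controller's job, as the summary says.

```bash
#!/bin/bash
# Added example: NetworkPolicy test matrix with PASS/FAIL accounting.
# Not part of the original test script. Assumed (not from the page):
#   - OTHER_NAMESPACE is a namespace the policy does NOT admit;
#   - the policy admits pods in $NAMESPACE and 192.168.100.0/24, nothing else.

NAMESPACE="${NAMESPACE:-artifactory}"
OTHER_NAMESPACE="${OTHER_NAMESPACE:-np-probe-other}"   # assumed name

# probe <source-ns> <service> <port> <path>
# Starts a throwaway curl pod in <source-ns> and prints the HTTP status the
# service returned, or 000 when no connection could be made (timeout/refusal).
probe() {
    local code
    code=$(kubectl run "np-probe-$$-$RANDOM" -n "$1" --rm -i --restart=Never --quiet \
        --image=curlimages/curl -- \
        curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
        "http://$2.$NAMESPACE.svc.cluster.local:$3$4" 2>/dev/null || true)
    echo "${code:-000}"
}

# classify <http-code> -> allowed | blocked
# Any HTTP answer, even 401/403/404, proves the packets reached the pod, i.e.
# the NetworkPolicy let the connection through. Only "no connection" is a
# block: a NetworkPolicy works at L3/L4 and never produces an HTTP status.
classify() {
    case "$1" in
        000|'') echo blocked ;;
        *)      echo allowed ;;
    esac
}

# evaluate_case <source-ns> <service> <port> <path> <allowed|blocked>
# Returns 0 when the observed result matches the expectation, 1 otherwise.
evaluate_case() {
    local code actual verdict
    code=$(probe "$1" "$2" "$3" "$4")
    actual=$(classify "$code")
    verdict=FAIL
    [ "$actual" = "$5" ] && verdict=PASS
    printf '%s  from %-16s to %s:%s%-8s expected=%s got=%s (http %s)\n' \
        "$verdict" "$1" "$2" "$3" "$4" "$5" "$actual" "$code"
    [ "$verdict" = PASS ]
}

# The matrix: source namespace, service, port, path, expected outcome.
# Paths make no difference to a NetworkPolicy; /health is listed from the
# other namespace only to show it is blocked there like everything else.
matrix_cases() {
    cat <<EOF
$NAMESPACE arti-api-service 8000 /health allowed
$NAMESPACE arti-api-service 8000 /users allowed
$NAMESPACE chartmuseum-service 8080 /health allowed
$NAMESPACE docker-registry-service 5000 /v2/ allowed
$OTHER_NAMESPACE arti-api-service 8000 /health blocked
$OTHER_NAMESPACE arti-api-service 8000 /users blocked
$OTHER_NAMESPACE chartmuseum-service 8080 /health blocked
$OTHER_NAMESPACE docker-registry-service 5000 /v2/ blocked
EOF
}

# run_matrix: evaluates every case, prints a summary and returns the number
# of failures (0 means the policy behaves as expected).
run_matrix() {
    local total=0 fails=0 ns svc port path expected
    while read -r ns svc port path expected; do
        [ -n "$ns" ] || continue
        total=$((total + 1))
        if ! evaluate_case "$ns" "$svc" "$port" "$path" "$expected"; then
            fails=$((fails + 1))
        fi
    done <<EOF
$(matrix_cases)
EOF
    echo "$((total - fails))/$total cases passed, $fails failed"
    return "$fails"
}

# Usage: bash np-matrix.sh --run   (needs kubectl access to the cluster)
if [ "${1:-}" = "--run" ]; then
    run_matrix
fi
```

`probe` is the only function that touches the cluster, so the matrix logic can be exercised offline by redefining it; in a pipeline, `bash np-matrix.sh --run` exits non-zero as soon as any case (including a too-permissive policy that lets the other namespace through) does not match its expectation.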