#!/bin/bash
# Test script for Kubernetes Network Policies
# Probes the artifactory services from throw-away in-cluster pods and lists the
# NetworkPolicy objects that are deployed in the target namespace.
set -e

printf '%s\n' "🔒 Testing Kubernetes Network Policies for Artifactory"
printf '%s\n' "=================================================="
printf '\n'

# ANSI colour escapes; they are only interpreted when printed with `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Configuration. The two IP values are reported in the banner below but are
# not used by any of the checks in this script.
NAMESPACE="artifactory"
INTERNAL_TEST_IP="192.168.100.50" # Adjust to your internal network
EXTERNAL_TEST_IP="8.8.8.8" # Simulated external IP

printf '%s\n' "📋 Configuration:"
printf '%s\n' " Namespace: $NAMESPACE"
printf '%s\n' " Internal Network: 192.168.100.0/24"
printf '%s\n' " Test Internal IP: $INTERNAL_TEST_IP"
printf '%s\n' " Test External IP: $EXTERNAL_TEST_IP"
printf '\n'
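# Check if kubectl is available
if ! command -v kubectl >/dev/null 2>&1; then
  echo "❌ kubectl not found. Please install kubectl first."
  exit 1
fi

# Check if namespace exists. Any non-zero exit from kubectl (unreachable
# cluster, missing permissions) takes this branch too, not only a missing
# namespace, so the hint below may not be the actual cause.
if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
  echo "❌ Namespace '$NAMESPACE' not found."
  echo " Please deploy the services first:"
  echo " kubectl apply -f kubernetes-with-network-policy.yaml"
  exit 1
fi

echo "🔍 Checking deployed resources..."
# Header line plus the three services this script is concerned with.
SERVICE_FILTER='(NAME|arti-api|chartmuseum|docker-registry)'

# Check deployments
echo " Deployments:"
kubectl get deployments -n "$NAMESPACE" | grep -E -- "$SERVICE_FILTER" || echo " No deployments found"

# Check services
echo " Services:"
kubectl get services -n "$NAMESPACE" | grep -E -- "$SERVICE_FILTER" || echo " No services found"

# Check network policies
echo " Network Policies:"
kubectl get networkpolicies -n "$NAMESPACE" | grep -E -- '(NAME|artifactory)' || echo " No network policies found"
echo ""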
# Function to test endpoint access
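#######################################
# Probe one service endpoint from a throw-away in-cluster curl pod and print
# the HTTP status code it observed.
# Globals:   NAMESPACE (read) - namespace the service lives in
# Arguments: $1 - service name (resolved as <service>.<namespace>.svc.cluster.local)
#            $2 - service port
#            $3 - URL path, including the leading slash
#            $4 - human-readable description for the progress line
#            $5 - expected result; accepted for callers but not evaluated here
# Outputs:   " Testing <description>... " followed by the status code, or "000"
#            when the kubectl/curl run exits non-zero (no HTTP response)
# Returns:   0 always - a failed probe is reported as "000", not propagated
#######################################
test_endpoint() {
  local service=$1
  local port=$2
  local path=$3
  local description=$4
  # shellcheck disable=SC2034 — kept for interface compatibility; not evaluated
  local expected_result=$5
  # Random suffix so a pod left behind by an interrupted run cannot collide.
  local pod_name="test-pod-$RANDOM"
  local url="http://${service}.${NAMESPACE}.svc.cluster.local:${port}${path}"
  printf '%s' " Testing ${description}... "
  # "000" is the same value curl's %{http_code} prints when no response arrived.
  kubectl run "$pod_name" --rm -i --image=curlimages/curl --restart=Never --quiet -- \
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
    "$url" 2>/dev/null || echo "000"
}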
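echo "🧪 Testing Network Access..."
echo ""

#######################################
# Fetch a URL with `curl -s -f` from a throw-away in-cluster pod and print a
# coloured pass/fail line.
# Globals:   GREEN, RED, NC (read)
# Arguments: $1 - base name for the probe pod (a random suffix is appended so a
#                 pod left behind by an interrupted run cannot collide)
#            $2 - URL to fetch
#            $3 - label used in the pass/fail message
# Outputs:   whatever curl prints, then one pass/fail line on stdout
# Returns:   0 always; the probe outcome is reported, not propagated
#######################################
probe_endpoint() {
  local pod_base=$1
  local url=$2
  local label=$3
  local pod_name="${pod_base}-${RANDOM}"
  # curl -f turns an HTTP error status into a non-zero exit, so any failure of
  # the pod run, the connection or the response lands in the else branch.
  if kubectl run "$pod_name" --rm -i --image=curlimages/curl --restart=Never --quiet -- \
      curl -s -f "$url"; then
    echo -e "${GREEN}${label} accessible${NC}"
  else
    echo -e "${RED}${label} failed${NC}"
  fi
}

# Test internal network access (simulated)
echo "🏠 Internal Network Tests (192.168.100.x should have full access):"
# These probes run from a pod inside the cluster, so they verify that the
# services answer from in-cluster; they do not exercise source-IP filtering.
echo -e " ${YELLOW}Note: These tests run from within the cluster${NC}"
echo -e " ${YELLOW}In production, source IP filtering would be handled by Ingress${NC}"

# Test health endpoints (should always work)
echo " Health Endpoints (should be accessible):"
probe_endpoint test-health "http://arti-api-service.${NAMESPACE}.svc.cluster.local:8000/health" "Arti-API health endpoint"
probe_endpoint test-cm-health "http://chartmuseum-service.${NAMESPACE}.svc.cluster.local:8080/health" "Chart Museum health endpoint"
probe_endpoint test-reg-health "http://docker-registry-service.${NAMESPACE}.svc.cluster.local:5000/v2/" "Docker Registry health endpoint"
echo ""

# Test management endpoints (should work from internal network)
echo " Management Endpoints (should be accessible from internal network):"
probe_endpoint test-users "http://arti-api-service.${NAMESPACE}.svc.cluster.local:8000/users" "Arti-API users endpoint"
echo ""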
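echo "🌐 Network Policy Verification:"
# Count deployed NetworkPolicy objects. The arithmetic expansion normalises the
# count to a bare integer (some wc implementations pad the number with spaces,
# and an empty result becomes 0).
np_count_raw=$(kubectl get networkpolicies -n "$NAMESPACE" --no-headers 2>/dev/null | wc -l)
NP_COUNT=$((np_count_raw))
if (( NP_COUNT > 0 )); then
  echo -e "${GREEN}Network policies are deployed ($NP_COUNT policies)${NC}"
  kubectl get networkpolicies -n "$NAMESPACE"
else
  echo -e "${RED}No network policies found${NC}"
fi
echo ""

echo "📋 Network Policy Details:"
kubectl describe networkpolicy -n "$NAMESPACE" 2>/dev/null || echo " No network policies to describe"
echo ""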
# Everything below is informational: manual follow-up commands and a summary of
# the intended access model. The here-doc is unquoted so $NAMESPACE expands.
cat <<EOF
🔧 Manual Testing Commands:

 # Test from internal network (run from a pod with source IP 192.168.100.x):
 kubectl run internal-test --rm -i --tty --image=curlimages/curl -- sh
 # Then inside the pod:
 curl http://arti-api-service.$NAMESPACE.svc.cluster.local:8000/users

 # Test external access through Ingress (if configured):
 curl http://artifactory.local/health # Should work
 curl http://artifactory.local/users # Should be blocked (403)

 # Check pod labels (must match NetworkPolicy selector):
 kubectl get pods -n $NAMESPACE --show-labels

 # Verify network policy application:
 kubectl get networkpolicies -n $NAMESPACE -o yaml

📚 Next Steps:
 1. Configure Ingress controller with path-based filtering
 2. Test from actual internal network (192.168.100.x)
 3. Verify external access is properly restricted
 4. Monitor network policy logs if available

✅ Network Policy test completed!

🔒 Security Summary:
 - NetworkPolicy restricts traffic at network layer
 - Ingress controller provides HTTP path filtering
 - Internal network (192.168.100.0/24) has full access
 - External access limited to health endpoints
 - Inter-pod communication allowed within namespace
EOF