prisma-risk / tsoracle / 26487193240
95%

Build:
DEFAULT BRANCH: main
Ran 27 May 2026 02:39AM UTC
Jobs 1
Files 89
Run time 1min
27 May 2026 02:32AM UTC coverage: 94.966%. Remained the same
26487193240

push

github

web-flow
test(kube-e2e): probe the chart NetworkPolicy from outside the StatefulSet (#518)

Closes #486.

The chart's NetworkPolicy from PR #452 restricts the peer consensus port to
sibling replicas while leaving the client (`tso`) port open. Until now no
e2e probe verified this — a future chart change widening the policy would
not be caught.

This adds a small Job (`e2e/kube/probe/job-netpol-probe.yaml`) that runs
in a SEPARATE namespace with intentionally non-matching pod labels and
uses busybox `nc -zv -w 8` to:

  1. attempt TCP connect to the peer port → expect time-out (DENIED),
  2. attempt TCP connect to the `tso` port → expect success (ALLOWED).

A wrapper script (`e2e/kube/probe/run-netpol-probe.sh`) renders the
manifest via selective `envsubst '${TARGET_RELEASE} ${TARGET_NAMESPACE}'`
(naming both variables explicitly so the `${...}` shell references inside
the Job's script aren't clobbered) and polls both the `Complete` and
`Failed` Job conditions so a regression surfaces in <30s rather than
timing out at 120s.

The workflow runs the probe twice — once per cell (insecure / TLS) — in
fresh `e2e-netpol-probe-{insecure,tls}` namespaces. The failure-dump step
now also dumps both probe namespaces.

CNI: kindnet's bundled kube-network-policies sidecar enforces
NetworkPolicy as of kind v0.27+. `helm/kind-action@v1.14.0` pins kind
v0.31.0, comfortably above that floor — no CNI swap needed. Confirmed
empirically on a local kind cluster matching the workflow's config: the
probe passes against an applied policy and fails (exit 1, FAIL log)
against a deleted policy.

Signed-off-by: Sebastian Thiebaud <sebastian@prismarisk.com>
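
The two-sided check described in the commit message above, sketched as an added example (not the project's `job-netpol-probe.yaml` or its script). The host and port arguments and the function names are assumptions; the page does not give the chart's service names or port numbers.

```shell
#!/bin/sh
# Added example: in-pod probe logic for a NetworkPolicy regression test.
# Host and ports are passed as arguments; they are placeholders, not the chart's values.
TIMEOUT="${TIMEOUT:-8}"   # seconds, matching the `-w 8` used on the page

# try_connect HOST PORT -> 0 if a TCP connect succeeds within TIMEOUT seconds.
try_connect() {
    nc -zv -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
}

# expect_denied HOST PORT: passes only when the connect fails (policy drops it).
expect_denied() {
    if try_connect "$1" "$2"; then
        echo "FAIL: $1:$2 reachable, expected DENIED"
        return 1
    fi
    echo "PASS: $1:$2 blocked (DENIED)"
}

# expect_allowed HOST PORT: passes only when the connect succeeds.
expect_allowed() {
    if try_connect "$1" "$2"; then
        echo "PASS: $1:$2 reachable (ALLOWED)"
        return 0
    fi
    echo "FAIL: $1:$2 unreachable, expected ALLOWED"
    return 1
}

# run_probe HOST PEER_PORT CLIENT_PORT
# Both checks must hold. The allowed check doubles as a positive control:
# a target that is down or unresolvable also fails to connect on the peer
# port, so the denied check alone cannot prove the policy is enforced.
run_probe() {
    rc=0
    expect_denied  "$1" "$2" || rc=1
    expect_allowed "$1" "$3" || rc=1
    return "$rc"
}

# When run as the Job's command with three arguments, the exit status
# drives the Job to Complete (0) or Failed (non-zero).
if [ "$#" -eq 3 ]; then
    run_probe "$@"
    exit $?
fi
```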

13545 of 14263 relevant lines covered (94.97%)

391766.5 hits per line

Jobs
ID  Job ID          Ran                      Files  Coverage
1   26487193240.1   27 May 2026 02:39AM UTC  89     94.97
  • f4f17970 on github