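Kubernetes network policy validator.
Detailed description of the illuminatio Python project
illuminatio - The Kubernetes network policy validator
illuminatio is a tool for automatically testing Kubernetes network policies.
Simply execute illuminatio clean run and illuminatio will scan your Kubernetes cluster for network policies, build test cases accordingly and execute them to determine whether the policies are in effect.
An overview of the concept is visualized in the concept doc.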
Getting started
Follow these instructions to get illuminatio up and running.
Prerequisites
- Python 3
- pip3
Installation
With pip:
pip3 install illuminatio
Or directly from the repository:
git clone https://github.com/inovex/illuminatio
cd illuminatio
python3 setup.py install
cd ..
Example usage
Create a Deployment to test with:
kubectl create deployment web --image=nginx
kubectl expose deployment web --port 80 --target-port 80
Define and create a NetworkPolicy for your Deployment:
cat <<EOF | kubectl create -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
EOF
Test the newly created NetworkPolicy:
illuminatio clean run
Starting cleaning resources with policies ['on-request', 'always']
Deleting namespacess [] with cleanup policy on-request
Deleting namespacess [] with cleanup policy always
Deleting DSs in default with cleanup policy on-request
Deleting pods in default with cleanup policy on-request
Deleting svcs in default with cleanup policy on-request
Deleting CfgMaps in default with cleanup policy on-request
Deleting CRBs with cleanup policy on-request globally
Deleting SAs in default with cleanup policy on-request
Deleting DSs in default with cleanup policy always
Deleting pods in default with cleanup policy always
Deleting svcs in default with cleanup policy always
Deleting CfgMaps in default with cleanup policy always
Deleting CRBs with cleanup policy always globally
Deleting SAs in default with cleanup policy always
Finished cleanUp
Starting test generation and run.
Got cases: [NetworkTestCase(from=ClusterHost(namespace=default, podLabels={'app': 'web'}), to=ClusterHost(namespace=default, podLabels={'app': 'web'}), port=-*)]
Generated 1 cases in 0.0701 seconds
FROM             TO               PORT
default:app=web  default:app=web  -*
Using existing cluster role
Creating cluster role binding
TestResults: {'default:app=web': {'default:app=web': {'-*': {'success': True}}}}
Finished running 1 tests in 18.7413 seconds
FROM             TO               PORT  RESULT
default:app=web  default:app=web  -*    success
The clean keyword ensures that illuminatio clears all potentially existing resources created in past illuminatio runs to prevent potential issues; user-generated resources are not affected.
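Please note that currently each new run requires a clean, as the runners do not continuously look for new cases.
If you really want to keep the generated resources, you can omit the clean keyword.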
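The TestResults line in the run output above can be turned into a pass/fail gate for a CI job. The following is an added example, not part of illuminatio: it assumes the output format matches the sample shown on this page, and the function names and the second (failing) sample are constructed for illustration.

```python
import ast

# Constructed samples: PASSING is the TestResults line shown above,
# FAILING is a made-up run in which one case did not succeed.
PASSING = "TestResults: {'default:app=web': {'default:app=web': {'-*': {'success': True}}}}"
FAILING = ("Creating cluster role binding\n"
           "TestResults: {'default:app=web': {'default:app=web': {'-*': {'success': False}},"
           " 'default:app=db': {'80': {'success': True}}}}\n"
           "Finished running 2 tests in 1.0 seconds\n")

PREFIX = "TestResults:"

def parse_results(output):
    """Return the nested results dict from illuminatio's text output."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            # literal_eval only accepts Python literals, so log text is never executed
            results = ast.literal_eval(line[len(PREFIX):].strip())
            if not isinstance(results, dict):
                raise ValueError("TestResults is not a mapping")
            return results
    raise ValueError("no TestResults line found")

def failed_cases(output):
    """List (from, to, port) triples whose test did not succeed."""
    failures = []
    for sender, targets in parse_results(output).items():
        for target, ports in targets.items():
            for port, outcome in ports.items():
                if outcome.get("success") is not True:
                    failures.append((sender, target, port))
    return sorted(failures)

def gate(output):
    """Exit code for a CI step: 0 if every case succeeded, 1 otherwise."""
    try:
        return 1 if failed_cases(output) else 0
    except (ValueError, SyntaxError, AttributeError):
        return 1  # missing or unparsable results must not pass the gate

if __name__ == "__main__":
    for name, sample in (("passing", PASSING), ("failing", FAILING)):
        print(name, failed_cases(sample), "exit", gate(sample))
```

The gate fails closed: output without a parsable TestResults line counts as a failure, so a crashed or skipped run cannot be mistaken for an enforced policy.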
If you are done testing, you might want to easily delete all resources created by illuminatio:
illuminatio clean
To preview the generated test cases without running the tests, use the --dry option of illuminatio run:
illuminatio run --dry
Starting test generation and run.
Got cases: [NetworkTestCase(from=ClusterHost(namespace=default, podLabels={'app': 'web'}), to=ClusterHost(namespace=default, podLabels={'app': 'web'}), port=-*)]
Generated 1 cases in 0.0902 seconds
FROM             TO               PORT
default:app=web  default:app=web  -*
Skipping test execution as --dry was set
All options and further information can be found using the --help flag on any level:
illuminatio --help
Usage: illuminatio [OPTIONS] COMMAND1 [ARGS]... [COMMAND2 [ARGS]...]...
Options:
  -v, --verbosity LVL  Either CRITICAL, ERROR, WARNING, INFO or DEBUG
  --incluster
  --help               Show this message and exit.
Commands:
  clean
  run
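References
The logo was created by Pia Blum.
- The example network policies are inspired by: kubernetes-network-policy-recipes
- Presentation from ContainerDays 2019, slides
Contributing
We are happy to read your issues and accept your Pull Requests.
For more information on developing illuminatio, see the development docs.
License
This project, excluding the logo, is licensed under the terms of the Apache 2.0 license. The logo is licensed under the terms of the CC BY-NC-ND 4.0 license.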