Skip to content

Commit

Permalink
netpol: add dedicated test of DNS functionality
Browse files Browse the repository at this point in the history
  • Loading branch information
@consideRatio
consideRatio committed May 16, 2020
1 parent ca9d4db commit db19e10
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 2 deletions.
2 changes: 2 additions & 0 deletions images/singleuser-sample/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,9 @@ ARG JUPYTERHUB_VERSION=1.1.*
# NOTE: git is already available in the jupyter/minimal-notebook image.
USER root
RUN apt-get update && apt-get install --yes --no-install-recommends \
dnsutils \
git \
iputils-ping \
&& rm -rf /var/lib/apt/lists/*
USER $NB_USER

Expand Down
22 changes: 20 additions & 2 deletions tests/test_spawn.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,24 @@ def test_singleuser_netpol(api_request, jupyter_user, request_data):
print(server_model)
pod_name = server_model["state"]["pod_name"]

c = subprocess.run([
"kubectl", "exec", pod_name,
"--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
"--context", os.environ["Z2JH_KUBE_CONTEXT"],
"--",
"nslookup", "hub",
])
assert c.returncode == 0, "DNS issue: failed to resolve 'hub' from a singleuser-server"

c = subprocess.run([
"kubectl", "exec", pod_name,
"--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
"--context", os.environ["Z2JH_KUBE_CONTEXT"],
"--",
"nslookup", "jupyter.org",
])
assert c.returncode == 0, "DNS issue: failed to resolve 'jupyter.org' from a singleuser-server"

# Must match CIDR in singleuser.networkPolicy.egress.
allowed_url = "http://jupyter.org"
blocked_url = "http://mybinder.org"
Expand All @@ -173,14 +191,14 @@ def test_singleuser_netpol(api_request, jupyter_user, request_data):
"--",
"wget", "--quiet", "--tries=1", "--timeout=3", allowed_url,
])
assert c.returncode == 0, "Unable to get allowed domain (or failed to resolve the domain name)"
assert c.returncode == 0, "Unable to get allowed domain"

c = subprocess.run([
"kubectl", "exec", pod_name,
"--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
"--context", os.environ["Z2JH_KUBE_CONTEXT"],
"--",
"wget", "--quiet", "--tries=1", "--timeout=3", blocked_url,
"wget", "--quiet", "--server-response", "-O-", "--tries=1", "--timeout=3", blocked_url,
])
assert c.returncode > 0, "Blocked domain was allowed"

Expand Down

0 comments on commit db19e10

Please sign in to comment.