Merge pull request kubernetes#2234 from dlapcevic/netpol-enforcement-…

…latency-test Add network policy enforcement latency measurement
tomkukral · Jun 9, 2023 · 9025300 · 9025300
2 parents bfb2608 + c4cb115
commit 9025300
Show file tree

Hide file tree

Showing 10 changed files with 775 additions and 0 deletions.
diff --git a/clusterloader2/cmd/clusterloader.go b/clusterloader2/cmd/clusterloader.go
@@ -48,6 +48,7 @@ import (
 	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/bundle"
 	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/dns"
 	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/network"
+	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/network-policy"
 	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/probes"
 	_ "k8s.io/perf-tests/clusterloader2/pkg/measurement/common/slos"
 )

diff --git a/clusterloader2/pkg/measurement/common/network-policy/manifests/clusterrole.yaml b/clusterloader2/pkg/measurement/common/network-policy/manifests/clusterrole.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{.Name}}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies"]
+  verbs: ["get"]
diff --git a/clusterloader2/pkg/measurement/common/network-policy/manifests/clusterrolebinding.yaml b/clusterloader2/pkg/measurement/common/network-policy/manifests/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{.Name}}
+subjects:
+- kind: ServiceAccount
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+roleRef:
+  kind: ClusterRole
+  name: {{.Name}}
+  apiGroup: rbac.authorization.k8s.io
diff --git a/...loader2/pkg/measurement/common/network-policy/manifests/dep-test-client-pod-creation.yaml b/...loader2/pkg/measurement/common/network-policy/manifests/dep-test-client-pod-creation.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    test: {{.TestClientLabel}}
+    type: {{.TypeLabelValue}}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: {{.Name}}
+  template:
+    metadata:
+      labels:
+        name: {{.Name}}
+        test: {{.TestClientLabel}}
+        type: {{.TypeLabelValue}}
+    spec:
+      # Use separate nodes to avoid consuming CPU/Memory resources on default
+      # nodes where all deployments of the performance test run.
+      nodeSelector:
+        {{.TestClientNodeSelectorKey}}: {{.TestClientNodeSelectorValue}}
+      tolerations:
+      - key: {{.TestClientNodeSelectorKey}}
+        operator: Equal
+        value: {{.TestClientNodeSelectorValue}}
+        effect: NoSchedule
+      containers:
+      - name: net-policy-latency-client
+        ports:
+        - containerPort: {{.MetricsPort}}
+          name: npdelaymetrics
+          protocol: TCP
+        imagePullPolicy: Always
+        image: gcr.io/k8s-staging-perf-tests/network-policy-enforcement-latency/pod-creation-reachability-latency:v0.0.1
+        command:
+        - sh
+        - -c
+        - ./pod-creation-reachability-latency
+          -HostNamespace="{{.Namespace}}"
+          -TargetLabelSelector="{{.TargetLabelSelector}}"
+          -TargetNamespace="{{.TargetNamespace}}"
+          -TargetPort={{.TargetPort}}
+          -MaxTargets={{.MaxTargets}}
+          -MetricsPort={{.MetricsPort}}
+        resources:
+          requests:
+            cpu: 200m
+            memory: 100Mi
+      serviceAccountName: {{.ServiceAccountName}}
diff --git a/...der2/pkg/measurement/common/network-policy/manifests/dep-test-client-policy-creation.yaml b/...der2/pkg/measurement/common/network-policy/manifests/dep-test-client-policy-creation.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    test: {{.TestClientLabel}}
+    type: {{.TypeLabelValue}}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: {{.Name}}
+  template:
+    metadata:
+      labels:
+        name: {{.Name}}
+        test: {{.TestClientLabel}}
+        type: {{.TypeLabelValue}}
+    spec:
+      # Use separate nodes to avoid consuming CPU/Memory resources on default
+      # nodes where all deployments of the performance test run.
+      nodeSelector:
+        {{.TestClientNodeSelectorKey}}: {{.TestClientNodeSelectorValue}}
+      tolerations:
+      - key: {{.TestClientNodeSelectorKey}}
+        operator: Equal
+        value: {{.TestClientNodeSelectorValue}}
+        effect: NoSchedule
+      containers:
+      - name: net-policy-latency-client
+        ports:
+        - containerPort: {{.MetricsPort}}
+          name: npdelaymetrics
+          protocol: TCP
+        imagePullPolicy: Always
+        image: gcr.io/k8s-staging-perf-tests/network-policy-enforcement-latency/policy-creation-enforcement-latency:v0.0.1
+        command:
+        - sh
+        - -c
+        - ./policy-creation-enforcement-latency
+          -HostNamespace="{{.Namespace}}"
+          -TargetLabelSelector="{{.TargetLabelSelector}}"
+          -TargetNamespace="{{.TargetNamespace}}"
+          -TargetPort={{.TargetPort}}
+          -MaxTargets={{.MaxTargets}}
+          -MetricsPort={{.MetricsPort}}
+          -AllowPolicyName={{.AllowPolicyName}}
+        resources:
+          requests:
+            cpu: 200m
+            memory: 100Mi
+      serviceAccountName: {{.ServiceAccountName}}
diff --git a/...oader2/pkg/measurement/common/network-policy/manifests/policy-egress-allow-apiserver.yaml b/...oader2/pkg/measurement/common/network-policy/manifests/policy-egress-allow-apiserver.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    test: {{.TestClientLabel}}
+spec:
+  podSelector:
+    matchLabels:
+      test: {{.TestClientLabel}}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - port: 443
+      protocol: TCP
+    - port: 80
+      protocol: TCP
+    to:
+    - ipBlock:
+        cidr: {{.kubeAPIServerIP}}/32
diff --git a/...der2/pkg/measurement/common/network-policy/manifests/policy-egress-allow-target-pods.yaml b/...der2/pkg/measurement/common/network-policy/manifests/policy-egress-allow-target-pods.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    type: {{.TypeLabelValue}}
+spec:
+  podSelector:
+    matchLabels:
+      type: {{.TypeLabelValue}}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          {{.TargetLabelKey}}: {{.TargetLabelValue}}
+{{if .OnlyTargetNamespace}}
+      namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{.TargetNamespace}}
+{{else}}
+      namespaceSelector: {}
+{{end}}
diff --git a/clusterloader2/pkg/measurement/common/network-policy/manifests/policy-load.yaml b/clusterloader2/pkg/measurement/common/network-policy/manifests/policy-load.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+  labels:
+    group: load
+spec:
+  podSelector:
+    matchLabels:
+      {{.PodSelectorLabelKey}}: {{.PodSelectorLabelValue}}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{.CIDR}}
+    ports:
+    # Use two ports to double the number of load network policy rules.
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 6355
diff --git a/clusterloader2/pkg/measurement/common/network-policy/manifests/serviceaccount.yaml b/clusterloader2/pkg/measurement/common/network-policy/manifests/serviceaccount.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}