update log level and add integration test to verify deleteENI permission
sushrk committed Apr 3, 2024
1 parent c70a2ae commit 6588ad1
Showing 4 changed files with 143 additions and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/aws/ec2/api/cleanup/eni_cleanup.go
Expand Up @@ -161,7 +161,7 @@ func (e *ENICleaner) DeleteLeakedResources() error {
} else {
// Seeing the ENI for the first time, add it to the new list of available network interfaces
availableENIs[*nwInterface.NetworkInterfaceId] = struct{}{}
e.Log.V(1).Info("adding eni to to the map of available ENIs, will be removed if present in "+
e.Log.Info("adding eni to to the map of available ENIs, will be removed if present in "+
"next run too", "id", *nwInterface.NetworkInterfaceId)
}
}
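Review bot: The log message on the new `e.Log.Info(...)` line still carries the duplicated word in "adding eni to to the map", which the commit leaves in place while touching that exact line; change it to `"adding eni to the map of available ENIs, will be removed if present in "+`. Promoting the line from V(1) to Info also means every unattached ENI the cleaner sees is now logged by ID on each run, so accounts with many available ENIs should expect noticeably noisier controller logs; if that is not intended, keep the per-ENI line at V(1) and log only a count at Info. DeleteLeakedResources begins and ends outside the hunk, so the surrounding loop and its error handling were not reviewed here.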
48 changes: 48 additions & 0 deletions test/framework/resource/aws/ec2/manager.go
Expand Up @@ -19,6 +19,7 @@ import (

"github.com/aws/amazon-vpc-resource-controller-k8s/test/framework/utils"

"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/aws/vpc"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/ec2"
Expand Down Expand Up @@ -240,3 +241,50 @@ func (d *Manager) GetPrivateIPv4AddressAndPrefix(instanceID string) ([]string, [

return secondaryIPAddresses, ipV4Prefixes, err
}

func (d *Manager) CreateAndAttachNetworkInterface(instanceID string) (string, error) {
describeInstanceOp, err := d.ec2Client.DescribeInstances(&ec2.DescribeInstancesInput{
InstanceIds: []*string{&instanceID},
})
if err != nil {
return "", err
}
subnetID := describeInstanceOp.Reservations[0].Instances[0].SubnetId
instanceType := describeInstanceOp.Reservations[0].Instances[0].InstanceType
createENIOp, err := d.ec2Client.CreateNetworkInterface(&ec2.CreateNetworkInterfaceInput{
SubnetId: aws.String(*subnetID),
Description: aws.String("VPC-Resource-Controller integration test ENI"),
})
if err != nil {
return "", err
}
nwInterfaceID := *createENIOp.NetworkInterface.NetworkInterfaceId
// for test just use the max index - 2 (as trunk maybe attached to max index)
indexID := vpc.Limits[*instanceType].NetworkCards[0].MaximumNetworkInterfaces - 2
_, err = d.ec2Client.AttachNetworkInterface(&ec2.AttachNetworkInterfaceInput{
InstanceId: aws.String(instanceID),
NetworkInterfaceId: aws.String(nwInterfaceID),
DeviceIndex: aws.Int64(indexID),
})
return nwInterfaceID, err
}

func (d *Manager) TerminateInstances(instanceID string) error {
_, err := d.ec2Client.TerminateInstances(&ec2.TerminateInstancesInput{
InstanceIds: []*string{&instanceID},
})
return err
}

func (d *Manager) DescribeNetworkInterface(nwInterfaceID string) error {
_, err := d.ec2Client.DescribeNetworkInterfaces(&ec2.DescribeNetworkInterfacesInput{
NetworkInterfaceIds: []*string{&nwInterfaceID},
})
return err
}
func (d *Manager) DeleteNetworkInterface(nwInterfaceID string) error {
_, err := d.ec2Client.DeleteNetworkInterface(&ec2.DeleteNetworkInterfaceInput{
NetworkInterfaceId: aws.String(nwInterfaceID),
})
return err
}
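Review bot: `CreateAndAttachNetworkInterface` leaks the ENI it just created when `AttachNetworkInterface` fails: it returns the error without deleting the interface, and because the ENI is deliberately created without the `eks:eni:owner` tag the controller's cleaner will never remove it, so every failed run leaves an orphaned, untagged ENI in the test account. It also indexes `Reservations[0].Instances[0]` without checking that DescribeInstances returned anything, which panics rather than failing the spec when the instance ID is stale, and `vpc.Limits[*instanceType].NetworkCards[0]` likewise panics for an instance type absent from the table (assuming Limits is a map keyed by type — confirm). `CreateNetworkInterface` is called without `Groups`, so per the EC2 API the interface is placed in the VPC default security group rather than the node's; consider passing the instance's `SecurityGroups` so the test does not expose the node through a different SG. The rewrite below adds the bounds check and deletes the ENI on attach failure (it needs `fmt`, whose import is outside the visible hunk); the three thin wrappers after it are fine as they are.
```go
func (d *Manager) CreateAndAttachNetworkInterface(instanceID string) (string, error) {
	describeInstanceOp, err := d.ec2Client.DescribeInstances(&ec2.DescribeInstancesInput{
		InstanceIds: []*string{&instanceID},
	})
	if err != nil {
		return "", err
	}
	if len(describeInstanceOp.Reservations) == 0 || len(describeInstanceOp.Reservations[0].Instances) == 0 {
		return "", fmt.Errorf("instance %s not found", instanceID)
	}
	instance := describeInstanceOp.Reservations[0].Instances[0]
	subnetID := instance.SubnetId
	instanceType := instance.InstanceType
	// … unchanged: CreateNetworkInterface call, nwInterfaceID, indexID …
	_, err = d.ec2Client.AttachNetworkInterface(&ec2.AttachNetworkInterfaceInput{
		InstanceId:         aws.String(instanceID),
		NetworkInterfaceId: aws.String(nwInterfaceID),
		DeviceIndex:        aws.Int64(indexID),
	})
	if err != nil {
		// the ENI is untagged on purpose, so nothing else will ever clean it up
		_ = d.DeleteNetworkInterface(nwInterfaceID)
		return "", err
	}
	return nwInterfaceID, nil
}
```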
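--- a/test/integration/ec2api/ec2api_suite_test.go
+++ b/test/integration/ec2api/ec2api_suite_test.go
@@ -0,0 +1,46 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+package ec2api_test
+
+import (
+"testing"
+
+"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/config"
+"github.com/aws/amazon-vpc-resource-controller-k8s/test/framework"
+. "github.com/onsi/ginkgo/v2"
+. "github.com/onsi/gomega"
+)
+
+func TestEc2api(t *testing.T) {
+RegisterFailHandler(Fail)
+RunSpecs(t, "EC2API Suite")
+}
+
+var frameWork *framework.Framework
+var nodeListLen int
+var _ = BeforeSuite(func() {
+By("creating a framework")
+frameWork = framework.New(framework.GlobalOptions)
+By("verify node count before test")
+nodeList, err := frameWork.NodeManager.GetNodesWithOS(config.OSLinux)
+Expect(err).ToNot(HaveOccurred())
+nodeListLen = len(nodeList.Items)
+Expect(nodeListLen).To(BeNumerically(">", 1))
+})
+
+var _ = AfterSuite(func() {
+nodeList, err := frameWork.NodeManager.GetNodesWithOS(config.OSLinux)
+Expect(err).ToNot(HaveOccurred())
+By("verifying node count after test is unchanged")
+Expect(len(nodeList.Items)).To(Equal(nodeListLen))
+})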
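--- a/test/integration/ec2api/ec2api_test.go
+++ b/test/integration/ec2api/ec2api_test.go
@@ -0,0 +1,48 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+package ec2api_test
+
+import (
+"time"
+
+"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/config"
+"github.com/aws/amazon-vpc-resource-controller-k8s/test/framework/utils"
+. "github.com/onsi/ginkgo/v2"
+. "github.com/onsi/gomega"
+)
+
+var _ = FDescribe("Test IAM permissions for EC2 API calls", func() {
+Describe("[LOCAL]Test DeleteNetworkInterface permission", func() {
+Context("when instance is terminated", func() {
+It("it should only delete ENIs provisioned by the controller or vpc-cni", func() {
+nodeList, err := frameWork.NodeManager.GetNodesWithOS(config.OSLinux)
+Expect(err).ToNot(HaveOccurred())
+Expect(nodeList.Items).ToNot(BeEmpty())
+instanceID := frameWork.NodeManager.GetInstanceID(&nodeList.Items[0])
+By("creating test ENI without eks:eni:owner tag and attach to EC2 instance")
+nwInterfaceID, err := frameWork.EC2Manager.CreateAndAttachNetworkInterface(instanceID)
+Expect(err).ToNot(HaveOccurred())
+By("terminating the instance and sleeping")
+err = frameWork.EC2Manager.TerminateInstances(instanceID)
+Expect(err).ToNot(HaveOccurred())
+// allow time for instance to be deleted and ENI to be available, new node to be ready
+time.Sleep(utils.ResourceCreationTimeout)
+By("verifying ENI exists and delete test ENI")
+err = frameWork.EC2Manager.DescribeNetworkInterface(nwInterfaceID)
+Expect(err).ToNot(HaveOccurred())
+err = frameWork.EC2Manager.DeleteNetworkInterface(nwInterfaceID)
+Expect(err).ToNot(HaveOccurred())
+})
+})
+})
+})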
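Review bot: `FDescribe` on the top-level container is a committed programmatic focus; Ginkgo runs only focused specs and sets exit status 197 whenever any are present, so this skips every other integration spec and fails CI until it is changed back to `Describe`. The untagged test ENI is never removed if any assertion between creation and the final delete fails, and nothing else in the account will clean it up, so register `DeferCleanup(func() { _ = frameWork.EC2Manager.DeleteNetworkInterface(nwInterfaceID) })` immediately after the create so the spec cleans up on every path. As a negative test ("the controller must not delete this ENI"), it passes vacuously unless `utils.ResourceCreationTimeout` spans at least two cleaner runs — the cleaner in eni_cleanup.go only deletes an ENI it has seen in consecutive runs — so size the wait from the cleaner interval (or use `Consistently`) and check the ENI's `Status` from the DescribeNetworkInterfaces output, which `DescribeNetworkInterface` currently discards, rather than only that the call succeeded. Terminating `nodeList.Items[0]` also picks an arbitrary Linux node and assumes every node is disposable and in a self-healing group; document that precondition next to the `[LOCAL]` tag.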
