test(k8s): add no-portfwd coverage

Signed-off-by: Casey Quinn <casey.quinn@agyn.io>

Author: casey-quinn

.github/workflows/test.yml

@@ -383,6 +383,14 @@ jobs:
       run: ./hack/bats/lib/bats-core/bin/bats --timing ./hack/bats/extras/k8s.bats
       env:
         LIMA_BATS_ALL_TESTS_RETRIES: 3
+    - name: Cache image used by templates/k8s-no-portfwd.yaml
+      uses: ./.github/actions/setup_cache_for_template
+      with:
+        template: templates/k8s-no-portfwd.yaml
+    - name: "Run BATS k8s-no-portfwd tests"
+      run: ./hack/bats/lib/bats-core/bin/bats --timing ./hack/bats/extras/k8s-no-portfwd.bats
+      env:
+        LIMA_BATS_ALL_TESTS_RETRIES: 3
 
   colima:
     name: "Colima tests (QEMU, Linux host)"

hack/bats/extras/k8s-no-portfwd.bats

@@ -0,0 +1,73 @@
+# SPDX-FileCopyrightText: Copyright The Lima Authors
+# SPDX-License-Identifier: Apache-2.0
+
+# This test verifies that a Kubernetes cluster created from the k8s-no-portfwd
+# template does not expose NodePort services on the host even though the
+# services are available within the cluster.
+
+load "../helpers/load"
+
+: "${TEMPLATE:=k8s-no-portfwd}"
+
+NAME="k8snpf"
+
+local_setup() {
+    limactl delete --force "${NAME}-0" || :
+    limactl start --tty=false --name "${NAME}-0" "template:${TEMPLATE}" 3>&- 4>&-
+    local nodes=""
+    for _ in $(seq 1 60); do
+        nodes=$(k get node -o name 2>/dev/null || true)
+        if [[ -n "${nodes}" ]]; then
+            break
+        fi
+        sleep 5
+    done
+    if [[ -z "${nodes}" ]]; then
+        echo "failed to list kubernetes nodes" >&2
+        return 1
+    fi
+    for node in ${nodes}; do
+        k wait --timeout=5m --for=condition=ready "${node}"
+    done
+}
+
+local_teardown() {
+    limactl delete --force "${NAME}-0" || :
+}
+
+k() {
+    # The host home directory is not mounted in the case of k8s.
+    limactl shell --workdir=/ "${NAME}-0" -- kubectl "$@"
+}
+
+# bats test_tags=nodes:1
+@test 'NodePorts are not forwarded to the host' {
+    services=(nginx coredns)
+    for svc in "${services[@]}"; do
+        k create deployment "$svc" --image="${TEST_CONTAINER_IMAGES["$svc"]}"
+    done
+    for svc in "${services[@]}"; do
+        k rollout status deployment "$svc" --timeout 60s
+    done
+
+    # TCP NodePort should be unreachable from the host.
+    k create service nodeport nginx --node-port=31080 --tcp=80:80
+    run curl --fail --silent --show-error --connect-timeout 5 --max-time 10 http://localhost:31080
+    assert_failure
+
+    # UDP NodePort should be unreachable from the host.
+    k expose deployment coredns --port=53 --type=NodePort \
+        --overrides='{"spec":{"ports":[{"port":53,"protocol":"UDP","targetPort":53,"nodePort":32053}]}}'
+    run dig @127.0.0.1 -p 32053 lima-vm.io +tries=1 +time=3
+    assert_failure
+
+    # Ensure hostagent never reported setting up host forwarding.
+    instance_dir=$(limactl list "${NAME}-0" --format '{{.Dir}}')
+    run grep -n "Forwarding " "${instance_dir}/ha.stderr"
+    assert_failure
+
+    for svc in "${services[@]}"; do
+        k delete service "$svc"
+        k delete deployment "$svc"
+    done
+}

templates/k8s-no-portfwd.yaml

@@ -0,0 +1,175 @@
+# Deploy kubernetes via kubeadm with host port forwarding disabled.
+# $ limactl start ./k8s-no-portfwd.yaml
+# $ limactl shell k8snpf kubectl
+
+minimumLimaVersion: 2.0.0
+
+base: template:_images/ubuntu-lts
+
+# Mounts are disabled in this template, but can be enabled optionally.
+mounts: []
+
+portForwards:
+- guestIP: "0.0.0.0"
+  guestPortRange: [1, 65535]
+  proto: "any"
+  ignore: true
+
+containerd:
+  system: true
+  user: false
+provision:
+# See <https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/>
+- mode: system
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    command -v kubeadm >/dev/null 2>&1 && exit 0
+    # Install and configure prerequisites
+    cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
+    overlay
+    br_netfilter
+    EOF
+    modprobe overlay
+    modprobe br_netfilter
+    cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
+    net.bridge.bridge-nf-call-iptables  = 1
+    net.ipv4.ip_forward                 = 1
+    net.bridge.bridge-nf-call-ip6tables = 1
+    EOF
+    sysctl --system
+    # Installing kubeadm, kubelet and kubectl
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get update
+    apt-get install -y apt-transport-https ca-certificates curl
+    VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt | sed -e 's/v//' | cut -d'.' -f1-2)
+    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v${VERSION}/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
+    curl -fsSL https://pkgs.k8s.io/core:/stable:/v${VERSION}/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+    apt-get update
+    apt-get install -y kubelet kubeadm kubectl && apt-mark hold kubelet kubeadm kubectl
+    systemctl enable --now kubelet
+# See <https://kubernetes.io/docs/setup/production-environment/container-runtimes/>
+- mode: system
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    [ -e /etc/containerd/conf.d/k8s.toml ] && exit 0
+    mkdir -p /etc/containerd/conf.d
+    # Configuring the systemd cgroup driver
+    # Overriding the sandbox (pause) image
+    cat <<EOF >/etc/containerd/conf.d/k8s.toml
+    version = 2
+    [plugins]
+      [plugins."io.containerd.grpc.v1.cri"]
+        sandbox_image = "$(kubeadm config images list | grep pause | sort -r | head -n1)"
+        [plugins."io.containerd.grpc.v1.cri".containerd]
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+            [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+              runtime_type = "io.containerd.runc.v2"
+              [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+                SystemdCgroup = true
+      [plugins."io.containerd.cri.v1.runtime".cni]
+        bin_dirs = ["/usr/local/libexec/cni","/opt/cni/bin"]
+    EOF
+    systemctl restart containerd
+# See <https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/>
+- mode: system
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    test -e /etc/kubernetes/admin.conf && exit 0
+    export KUBECONFIG=/etc/kubernetes/admin.conf
+    systemctl stop kubelet
+    kubeadm config images list
+    kubeadm config images pull --cri-socket=unix:///run/containerd/containerd.sock
+    systemctl start kubelet
+    # Initializing your control-plane node
+    cat <<EOF >kubeadm-config.yaml
+    kind: InitConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta4
+    nodeRegistration:
+      criSocket: unix:///run/containerd/containerd.sock
+    ---
+    kind: ClusterConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta4
+    apiServer:
+      certSANs: # --apiserver-cert-extra-sans
+      - "127.0.0.1"
+    networking:
+      podSubnet: "10.244.0.0/16" # --pod-network-cidr
+    ---
+    kind: KubeletConfiguration
+    apiVersion: kubelet.config.k8s.io/v1beta1
+    cgroupDriver: systemd
+    EOF
+    kubeadm init --config kubeadm-config.yaml
+    # Installing a Pod network add-on
+    kubectl apply -f https://github.com/flannel-io/flannel/releases/download/v0.27.4/kube-flannel.yml
+    # Control plane node isolation
+    kubectl taint nodes --all node-role.kubernetes.io/control-plane-
+    # Symlink the kubeconfig file to the default location for kubectl
+    mkdir -p /root/.kube && ln -sf $KUBECONFIG /root/.kube/config
+    # Replace the server address with localhost, so that it works from the host.
+    # The original kubeconfig is kept unmodified, so that `kubeadm token create --print-join-command`
+    # can still print the reachable address.
+    sed -e "/server:/ s|https://.*:\([0-9]*\)$|https://127.0.0.1:\1|" $KUBECONFIG >/root/.kube/config.localhost
+- mode: system
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    export KUBECONFIG=/etc/kubernetes/admin.conf
+    mkdir -p {{.Home}}/.kube
+    cp -f $KUBECONFIG {{.Home}}/.kube/config
+    chown -R {{.User}} {{.Home}}/.kube
+probes:
+- description: "kubeadm to be installed"
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    if ! timeout 30s bash -c "until command -v kubeadm >/dev/null 2>&1; do sleep 3; done"; then
+      echo >&2 "kubeadm is not installed yet"
+      exit 1
+    fi
+  hint: |
+    See "/var/log/cloud-init-output.log" in the guest
+- description: "kubernetes images to be pulled"
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    if ! timeout 30s bash -c "images=\"$(kubeadm config images list)\"; until for image in $images; do sudo ctr -n k8s.io image inspect $image >/dev/null; done; do sleep 3; done"; then
+      echo >&2 "k8s images are not pulled yet"
+      exit 1
+    fi
+- description: "kubeadm to be completed"
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    if ! timeout 300s bash -c "until test -f /etc/kubernetes/admin.conf; do sleep 3; done"; then
+      echo >&2 "k8s is not running yet"
+      exit 1
+    fi
+  hint: |
+    The k8s kubeconfig file has not yet been created.
+- description: "kubernetes cluster to be running"
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    if ! timeout 300s bash -c "until kubectl version >/dev/null 2>&1; do sleep 3; done"; then
+      echo >&2 "kubernetes cluster is not up and running yet"
+      exit 1
+    fi
+- description: "coredns deployment to be running"
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    kubectl wait -n kube-system --timeout=180s --for=condition=available deploy coredns
+copyToHost:
+- guest: "/root/.kube/config.localhost"
+  host: "{{.Dir}}/copied-from-guest/kubeconfig.yaml"
+  deleteOnStop: true
+message: |
+  To run `kubectl` on the host (assumes kubectl is installed), run the following commands:
+  ------
+  export KUBECONFIG="{{.Dir}}/copied-from-guest/kubeconfig.yaml"
+  kubectl ...
+  ------