fix(tests/charts): unblock helm test hooks under chart NetworkPolicy

neilime · neilime · commit 2368780a6fe4 · 2026-05-18T20:48:27.000+02:00
kind v0.31+/kindest/node v1.35+ enforces NetworkPolicy via kindnetd. The

chart NetworkPolicy's podSelector matched the helm test hook pod (which

inherited the app selectorLabels), denying its egress and causing wget

to time out reaching the app Service.

- Give the hook pod distinct labels (app.kubernetes.io/name:

  &lt;chart&gt;-test-connection) so the chart NetworkPolicy no longer selects it.

- Emit a dedicated NetworkPolicy for the hook pod allowing DNS + egress

  to the app pod on the service port. This also satisfies Checkov

  CKV2_K8S_6 (comments are stripped by Helm and cannot be used to skip).
diff --git a/tests/charts/application/templates/tests/test-connection.yaml b/tests/charts/application/templates/tests/test-connection.yaml
@@ -14,7 +14,13 @@ spec:
   template:
     metadata:
       labels:
-        {{- include "test-application.labels" . | nindent 8 }}
+        # Distinct labels so the chart's NetworkPolicy podSelector does not
+        # match this hook pod (a dedicated NetworkPolicy is defined below).
+        app.kubernetes.io/name: {{ include "test-application.name" . }}-test-connection
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: test
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        helm.sh/chart: {{ include "test-application.chart" . }}
     spec:
       automountServiceAccountToken: false
       securityContext:
@@ -54,4 +60,38 @@ spec:
                 - NET_RAW
                 - ALL
       restartPolicy: Never
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "{{ include "test-application.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default "app-system" }}
+  labels:
+    {{- include "test-application.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "test-application.name" . }}-test-connection
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: test
+  policyTypes:
+    - Egress
+  egress:
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - podSelector:
+            matchLabels:
+              {{- include "test-application.selectorLabels" . | nindent 14 }}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.service.port }}
+{{- end }}
 # jscpd:ignore-end
diff --git a/tests/charts/umbrella-application/charts/app/templates/tests/test-connection.yaml b/tests/charts/umbrella-application/charts/app/templates/tests/test-connection.yaml
@@ -13,7 +13,13 @@ spec:
   template:
     metadata:
       labels:
-        {{- include "app.labels" . | nindent 8 }}
+        # Distinct labels so the chart's NetworkPolicy podSelector does not
+        # match this hook pod (a dedicated NetworkPolicy is defined below).
+        app.kubernetes.io/name: {{ include "app.name" . }}-test-connection
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: test
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        helm.sh/chart: {{ include "app.chart" . }}
     spec:
       automountServiceAccountToken: false
       securityContext:
@@ -53,3 +59,37 @@ spec:
                 - NET_RAW
                 - ALL
       restartPolicy: Never
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: "{{ include "app.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default "app-system" }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "app.name" . }}-test-connection
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: test
+  policyTypes:
+    - Egress
+  egress:
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - podSelector:
+            matchLabels:
+              {{- include "app.selectorLabels" . | nindent 14 }}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.service.port }}
+{{- end }}
