move namespace labels test to standard-egress-inline-cidr-rules

Author: anthonyrtong

conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go

@@ -73,6 +73,34 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
 				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+			// update namespace label for slytherin to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+			namespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace := namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is no longer allowed to slytherin since the namespace label no longer matches
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+
+			// update namespace label for slytherin back to "conformance-house": "slytherin" to match ingressRule at index0 again
+			namespace = kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace = namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "slytherin"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is allowed to slytherin again since the namespace label matches again
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 		})
 		// To test allow CIDR rule, insert the following rule at index0
 		//- name: "allow-egress-to-specific-podIPs"

conformance/tests/admin-network-policy-standard-egress-sctp-rules.go

@@ -52,43 +52,6 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 		})
 
-		t.Run("Should support a 'deny-egress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
-			// This test uses `egress-sctp` admin CNP
-			// harry-potter-0 is our server pod in gryffindor namespace
-			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
-			// luna-lovegood-0 is our client pod in ravenclaw namespace
-			// ensure egress is ALLOWED to gryffindor from ravenclaw
-			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
-				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
-
-			cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
-			mutate := cnp.DeepCopy()
-			// update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
-			mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
-			kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
-
-			// update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
-			allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
-			mutateNamespace := allowedNamespace.DeepCopy()
-			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
-			kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
-				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
-		})
-
 		t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 			// This test uses `egress-sctp` admin CNP
 			// cedric-diggory-1 is our server pod in hufflepuff namespace

conformance/tests/admin-network-policy-standard-egress-tcp-rules.go

@@ -51,43 +51,6 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 		})
 
-		t.Run("Should support a 'deny-egress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
-			// This test uses `egress-tcp` admin CNP
-			// harry-potter-0 is our server pod in gryffindor namespace
-			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
-			// luna-lovegood-0 is our client pod in ravenclaw namespace
-			// ensure egress is ALLOWED to gryffindor from ravenclaw
-			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
-				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
-
-			cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
-			mutate := cnp.DeepCopy()
-			// update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
-			mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
-			kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
-
-			// update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
-			allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
-			mutateNamespace := allowedNamespace.DeepCopy()
-			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
-			kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
-				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
-		})
-
 		t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
 			// This test uses `egress-tcp` admin CNP
 			// cedric-diggory-1 is our server pod in hufflepuff namespace

conformance/tests/admin-network-policy-standard-egress-udp-rules.go

@@ -52,43 +52,6 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
 		})
 
-		t.Run("Should support a 'deny-egress' policy for UDP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
-			// This test uses `egress-udp` admin CNP
-			// harry-potter-0 is our server pod in gryffindor namespace
-			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
-			// luna-lovegood-0 is our client pod in ravenclaw namespace
-			// ensure egress is ALLOWED to gryffindor from ravenclaw
-			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
-				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
-				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
-
-			cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout)
-			mutate := cnp.DeepCopy()
-			// update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
-			mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
-			kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
-				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
-
-			// update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
-			allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
-			mutateNamespace := allowedNamespace.DeepCopy()
-			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
-			kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
-			// ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
-				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
-				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
-		})
-
 		t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
 			// This test uses `egress-udp` admin CNP
 			// harry-potter-1 is our server pod in gryffindor namespace

conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go

@@ -51,43 +51,6 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 		})
 
-		t.Run("Should support a 'deny-ingress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
-			// This test uses `ingress-sctp` admin CNP
-			// harry-potter-0 is our server pod in gryffindor namespace
-			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
-			// luna-lovegood-0 is our client pod in ravenclaw namespace
-			// ensure ingress is ALLOWED from gryffindor to ravenclaw
-			// ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
-				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
-
-			cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout)
-			mutate := cnp.DeepCopy()
-			// update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label
-			mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
-			kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
-			// ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
-
-			// update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
-			allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
-			mutateNamespace := allowedNamespace.DeepCopy()
-			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
-			kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
-			// ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
-				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
-				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
-		})
-
 		t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 			// This test uses `ingress-sctp` admin CNP
 			// luna-lovegood-1 is our server pod in ravenclaw namespace

conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go

@@ -51,43 +51,6 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 		})
 
-		t.Run("Should support a 'deny-ingress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
-			// This test uses `ingress-tcp` admin CNP
-			// harry-potter-0 is our server pod in gryffindor namespace
-			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
-			// luna-lovegood-0 is our client pod in ravenclaw namespace
-			// ensure ingress is ALLOWED from gryffindor to ravenclaw
-			// ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
-				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
-
-			cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout)
-			mutate := cnp.DeepCopy()
-			// update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label
-			mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
-			kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
-			// ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
-
-			// update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
-			allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
-			mutateNamespace := allowedNamespace.DeepCopy()
-			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
-			kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
-			// ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
-				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
-			// luna-lovegood-1 is our client pod in ravenclaw namespace
-			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
-				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
-		})
-
 		t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
 			// This test uses `ingress-tcp` admin CNP
 			// harry-potter-1 is our server pod in gryffindor namespace