Merge pull request #375 from anthonyrtong/main

k8s-ci-robot · web-flow · commit a52c92ec9c19 · 2026-05-19T21:33:48.000+05:30
Add namespace selector changes to conformance tests
diff --git a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -73,6 +73,34 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
 				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+			// update namespace label for slytherin to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+			namespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace := namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is no longer allowed to slytherin since the namespace label no longer matches
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+
+			// update namespace label for slytherin back to "conformance-house": "slytherin" to match ingressRule at index0 again
+			namespace = kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace = namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "slytherin"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is allowed to slytherin again since the namespace label matches again
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 		})
 		// To test allow CIDR rule, insert the following rule at index0
 		//- name: "allow-egress-to-specific-podIPs"
diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -72,6 +72,34 @@ var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
 				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+			// update namespace label for slytherin to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+			namespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace := namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is no longer allowed to slytherin since the namespace label no longer matches
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+
+			// update namespace label for slytherin back to "conformance-house": "slytherin" to match ingressRule at index0 again
+			namespace = kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+			mutateNamespace = namespace.DeepCopy()
+			mutateNamespace.SetLabels(map[string]string{"conformance-house": "slytherin"})
+			kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+			// ensure traffic is allowed to slytherin again since the namespace label matches again
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 		})
 		// To test allow CIDR rule, insert the following rule at index0
 		//- name: "allow-egress-to-specific-podIPs"
diff --git a/conformance/utils/kubernetes/helper.go b/conformance/utils/kubernetes/helper.go
@@ -156,6 +156,24 @@ func GetPod(t *testing.T, c client.Client, namespace string, name string, timeou
 	return pod
 }
 
+func GetNamespace(t *testing.T, c client.Client, name string, timeout time.Duration) *v1.Namespace {
+	namespace := &v1.Namespace{}
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	err := c.Get(ctx, client.ObjectKey{
+		Name: name,
+	}, namespace)
+	require.NoErrorf(t, err, "unable to fetch namespace %s", name)
+	return namespace
+}
+
+func PatchNamespace(t *testing.T, c client.Client, from *v1.Namespace, to *v1.Namespace, timeout time.Duration) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	err := c.Patch(ctx, to, client.MergeFrom(from))
+	require.NoErrorf(t, err, "unable to patch namespace %s", from.Name)
+}
+
 func GetClusterNetworkPolicy(t *testing.T, c client.Client, name string, timeout time.Duration) *api.ClusterNetworkPolicy {
 	cnp := &api.ClusterNetworkPolicy{}
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
