From d4a027d3ce459ca666e5e4732269b5f8e6345640 Mon Sep 17 00:00:00 2001
From: anthonyrtong
Date: Wed, 15 Apr 2026 21:24:43 +0000
Subject: [PATCH 1/2] Add namespace selector changes to conformance tests
---
 ...twork-policy-standard-egress-sctp-rules.go | 37 +++++++++++++++++++
 ...etwork-policy-standard-egress-tcp-rules.go | 37 +++++++++++++++++++
 ...etwork-policy-standard-egress-udp-rules.go | 37 +++++++++++++++++++
 ...work-policy-standard-ingress-sctp-rules.go | 37 +++++++++++++++++++
 ...twork-policy-standard-ingress-tcp-rules.go | 37 +++++++++++++++++++
 ...twork-policy-standard-ingress-udp-rules.go | 37 +++++++++++++++++++
 conformance/utils/kubernetes/helper.go | 18 +++++++++
 7 files changed, 240 insertions(+)
diff --git a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
index f8b40c2b..2ef37269 100644
--- a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
@@ -52,6 +52,43 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-egress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `egress-sctp` admin CNP
+ // harry-potter-0 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure egress is ALLOWED to gryffindor from ravenclaw
+ // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 // This test uses `egress-sctp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
diff --git a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
index a5d58e25..a4bbc3b2 100644
--- a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
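Review bot: The subtest relabels the gryffindor namespace to `denied-namespace-label` and patches the `egress-sctp` policy's selector, but neither change is reverted before the subtest returns, so every later test that relies on `conformance-house: gryffindor` or on the original rule runs against mutated cluster state; the same gap is in the TCP and UDP egress hunks and in all three ingress hunks. Because `mutateNamespace.SetLabels(...)` replaces the whole label map and `PatchNamespace` sends a merge patch, any other label on the namespace is deleted as well, not just overwritten. Registering the restore in `t.Cleanup` right after the first `PatchNamespace` call, using the labels captured in `allowedNamespace`, would keep the suite hermetic even when an assertion fails mid-test. The second patch in this series deletes these hunks, so this mainly matters if the test is reintroduced elsewhere.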
@@ -51,6 +51,43 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-egress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `egress-tcp` admin CNP
+ // harry-potter-0 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure egress is ALLOWED to gryffindor from ravenclaw
+ // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
 // This test uses `egress-tcp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
diff --git a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
index 82a4502f..e657b41f 100644
--- a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
@@ -52,6 +52,43 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-egress' policy for UDP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `egress-udp` admin CNP
+ // harry-potter-0 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure egress is ALLOWED to gryffindor from ravenclaw
+ // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
 // This test uses `egress-udp` admin CNP
 // harry-potter-1 is our server pod in gryffindor namespace
diff --git a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
index b912e8fc..f5d65d1e 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
@@ -51,6 +51,43 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-ingress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `ingress-sctp` admin CNP
+ // harry-potter-0 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure ingress is ALLOWED from gryffindor to ravenclaw
+ // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
diff --git a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
index 2d34dcba..4c25b405 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
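Review bot: The "ALLOWED" probes in this hunk run from `harry-potter-0` in gryffindor against `serverPod`, which is that same `harry-potter-0` pod, so the client pokes itself and the ingress namespace selector under test is never exercised; the subsequent "DENIED" probes then switch to luna-lovegood-0/1 in ravenclaw, so the two halves of the test are not comparing the same flow. The TCP ingress hunk has the identical pairing, and the UDP ingress hunk fetches `cedric-diggory-0` in hufflepuff as the server while its comments and later probes still talk about gryffindor and ravenclaw. Consistent with the surrounding comments, the client for every probe should be the pod whose namespace label is being flipped, e.g. `kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",` with `serverPod` taken from ravenclaw. The second patch in this series removes these hunks, so this only matters if they are reintroduced.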
@@ -51,6 +51,43 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-ingress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `ingress-tcp` admin CNP
+ // harry-potter-0 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure ingress is ALLOWED from gryffindor to ravenclaw
+ // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
 // This test uses `ingress-tcp` admin CNP
 // harry-potter-1 is our server pod in gryffindor namespace
diff --git a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
index e4bcbf66..199c2ec8 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
@@ -52,6 +52,43 @@ var CNPAdminTierIngressUDP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
 })
 
+ t.Run("Should support a 'deny-ingress' policy for UDP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
+ // This test uses `ingress-udp` admin CNP
+ // cedric-diggory-0 is our server pod in hufflepuff namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout)
+ // luna-lovegood-0 is our client pod in ravenclaw namespace
+ // ensure ingress is ALLOWED from ravenclaw to hufflepuff
+ // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
+
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout)
+ mutate := cnp.DeepCopy()
+ // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label
+ mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+
+ // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+ allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := allowedNamespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ // luna-lovegood-1 is our client pod in ravenclaw namespace
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
 // This test uses `ingress-udp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
diff --git a/conformance/utils/kubernetes/helper.go b/conformance/utils/kubernetes/helper.go
index 0ad57408..634bd613 100644
--- a/conformance/utils/kubernetes/helper.go
+++ b/conformance/utils/kubernetes/helper.go
@@ -156,6 +156,24 @@ func GetPod(t *testing.T, c client.Client, namespace string, name string, timeou
 return pod
 }
 
+func GetNamespace(t *testing.T, c client.Client, name string, timeout time.Duration) *v1.Namespace {
+ namespace := &v1.Namespace{}
+ ctx, cancel := context.WithTimeout(context.Background(), timeout)
+ defer cancel()
+ err := c.Get(ctx, client.ObjectKey{
+ Name: name,
+ }, namespace)
+ require.NoErrorf(t, err, "unable to fetch namespace %s", name)
+ return namespace
+}
+
+func PatchNamespace(t *testing.T, c client.Client, from *v1.Namespace, to *v1.Namespace, timeout time.Duration) {
+ ctx, cancel := context.WithTimeout(context.Background(), timeout)
+ defer cancel()
+ err := c.Patch(ctx, to, client.MergeFrom(from))
+ require.NoErrorf(t, err, "unable to patch namespace %s", from.Name)
+}
+
 func GetClusterNetworkPolicy(t *testing.T, c client.Client, name string, timeout time.Duration) *api.ClusterNetworkPolicy {
 cnp := &api.ClusterNetworkPolicy{}
 ctx, cancel := context.WithTimeout(context.Background(), timeout)
From 371fc24aa04927f2afc5f04ae5ba0c231ef5de7f Mon Sep 17 00:00:00 2001
From: anthonyrtong
Date: Tue, 12 May 2026 22:48:25 +0000
Subject: [PATCH 2/2] move namespace labels test to standard-egress-inline-cidr-rules
---
 ...olicy-standard-egress-inline-cidr-rules.go | 28 ++++++++++++++
 ...twork-policy-standard-egress-sctp-rules.go | 37 -------------------
 ...etwork-policy-standard-egress-tcp-rules.go | 37 -------------------
 ...etwork-policy-standard-egress-udp-rules.go | 37 -------------------
 ...work-policy-standard-ingress-sctp-rules.go | 37 -------------------
 ...twork-policy-standard-ingress-tcp-rules.go | 37 -------------------
 ...twork-policy-standard-ingress-udp-rules.go | 37 -------------------
 ...olicy-standard-egress-inline-cidr-rules.go | 28 ++++++++++++++
 8 files changed, 56 insertions(+), 222 deletions(-)
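Review bot: `GetNamespace` and `PatchNamespace` are exported but carry no doc comment, and the second one has a non-obvious contract worth stating: `client.MergeFrom(from)` produces a JSON merge patch from the difference between `from` and `to`, so a map key present in `from` but absent from `to` is sent as null and removed on the server. Every caller in this series builds `to` with `SetLabels(map[string]string{...})`, which replaces the whole label map, so the patch deletes any other label the namespace carried rather than just changing `conformance-house`. I would document both helpers, e.g. `// GetNamespace fetches the Namespace named name and fails the test if the lookup errors.` and `// PatchNamespace merge-patches from into to; labels and annotations present on from but missing from to are deleted, so callers should copy the map and change single keys.` The error message in `PatchNamespace` uses `from.Name` while the object actually sent is `to`; the names should match, but it is worth using `to.Name` so a mismatched pair is visible in the failure.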
diff --git a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
index 79aa1830..ec20be5c 100644
--- a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -73,6 +73,34 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
 serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+ // update namespace label for slytherin to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+ namespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := namespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure traffic is no longer allowed to slytherin since the namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+
+ // update namespace label for slytherin back to "conformance-house": "slytherin" to match ingressRule at index0 again
+ namespace = kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+ mutateNamespace = namespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "slytherin"})
+ kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure traffic is allowed to slytherin again since the namespace label matches again
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 })
 // To test allow CIDR rule, insert the following rule at index0
 //- name: "allow-egress-to-specific-podIPs"
diff --git a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
index 2ef37269..f8b40c2b 100644
--- a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
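Review bot: The restore of the slytherin label is only reached if all three "no longer allowed" probes pass; `PatchNamespace` in helper.go fails the test through `require`, and if `PokeServer` does the same (its body is outside this hunk) a single failed assertion ends the subtest with the namespace still labelled `denied-namespace-label`, which then breaks every later test that selects `conformance-house: slytherin`. Registering the restore with `t.Cleanup` immediately after the first `PatchNamespace` call, using the labels captured in `namespace` rather than a hard-coded value, keeps the suite hermetic regardless of where the subtest stops; the explicit restore and re-probe can stay. Both new comments also say `ingressRule at index0` although this is the egress inline-CIDR test (`CNPAdminTierEgressInlineCIDRPeers`), so they should read `egressRule at index0`. The enclosing subtest starts before this hunk.
```go
// … unchanged: GetNamespace / DeepCopy / SetLabels for the denied label …
t.Cleanup(func() {
	// put the original slytherin labels back even if an assertion below ends the subtest early
	current := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
	restored := current.DeepCopy()
	restored.SetLabels(namespace.GetLabels())
	kubernetes.PatchNamespace(t, s.Client, current, restored, s.TimeoutConfig.GetTimeout)
})
kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
// … unchanged: denied probes, explicit restore, allowed probes …
```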
@@ -52,43 +52,6 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 
- t.Run("Should support a 'deny-egress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) {
- // This test uses `egress-sctp` admin CNP
- // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
- // luna-lovegood-0 is our client pod in ravenclaw namespace
- // ensure egress is ALLOWED to gryffindor from ravenclaw
- // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
- kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
- // luna-lovegood-1 is our client pod in ravenclaw namespace
- kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
-
- cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
- mutate := cnp.DeepCopy()
- // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label
- mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"}
- kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
-
- // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches
- kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
-
- // update namespace label for gryffindor to "conformance-house": "denied-namespace-label" to no longer match egressRule at index0
- allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout)
- mutateNamespace := allowedNamespace.DeepCopy()
- mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
- kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
-
- // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches
- kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
- // luna-lovegood-1 is our client pod in ravenclaw namespace
- kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
- })
-
 t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
 // This test uses `egress-sctp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
diff --git a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
index a4bbc3b2..a5d58e25 100644
--- a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
@@ -51,43 +51,6 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) - t.Run("Should support a 'deny-egress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) { - // This test uses `egress-tcp` admin CNP - // harry-potter-0 is our server pod in gryffindor namespace - serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) - // luna-lovegood-0 is our client pod in ravenclaw namespace - // ensure egress is ALLOWED to gryffindor from ravenclaw - // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) - - cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout) - mutate := cnp.DeepCopy() - // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label - mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"} - kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) - - // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) - - // update namespace label for gryffindor to "conformance-house": 
"denied-namespace-label" to no longer match egressRule at index0 - allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout) - mutateNamespace := allowedNamespace.DeepCopy() - mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"}) - kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout) - - // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) - }) - t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) { // This test uses `egress-tcp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace diff --git a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go index e657b41f..82a4502f 100644 --- a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go +++ b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go 
@@ -52,43 +52,6 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) - t.Run("Should support a 'deny-egress' policy for UDP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) { - // This test uses `egress-udp` admin CNP - // harry-potter-0 is our server pod in gryffindor namespace - serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) - // luna-lovegood-0 is our client pod in ravenclaw namespace - // ensure egress is ALLOWED to gryffindor from ravenclaw - // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) - - cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout) - mutate := cnp.DeepCopy() - // update namespace selector in egressRule at index0 to match "conformance-house: gryffindor" label - mutate.Spec.Egress[0].To[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"} - kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) - - // ensure egress is ALLOWED to gryffindor from ravenclaw since namespace label still matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) - - // update namespace label for gryffindor to "conformance-house": 
"denied-namespace-label" to no longer match egressRule at index0 - allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout) - mutateNamespace := allowedNamespace.DeepCopy() - mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"}) - kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout) - - // ensure egress is DENIED to gryffindor from ravenclaw since namespace label no longer matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) - }) - t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) { // This test uses `egress-udp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace diff --git a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go index f5d65d1e..b912e8fc 100644 --- a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go 
@@ -51,43 +51,6 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) - t.Run("Should support a 'deny-ingress' policy for SCTP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) { - // This test uses `ingress-sctp` admin CNP - // harry-potter-0 is our server pod in gryffindor namespace - serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) - // luna-lovegood-0 is our client pod in ravenclaw namespace - // ensure ingress is ALLOWED from gryffindor to ravenclaw - // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) - - cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout) - mutate := cnp.DeepCopy() - // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label - mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"} - kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) - - // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) - - // update namespace label for gryffindor to 
"conformance-house": "denied-namespace-label" to no longer match ingressRule at index0 - allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout) - mutateNamespace := allowedNamespace.DeepCopy() - mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"}) - kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout) - - // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) - }) - t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { // This test uses `ingress-sctp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace diff --git a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go index 4c25b405..2d34dcba 100644 --- a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go 
@@ -51,43 +51,6 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) - t.Run("Should support a 'deny-ingress' policy for TCP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) { - // This test uses `ingress-tcp` admin CNP - // harry-potter-0 is our server pod in gryffindor namespace - serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) - // luna-lovegood-0 is our client pod in ravenclaw namespace - // ensure ingress is ALLOWED from gryffindor to ravenclaw - // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) - - cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout) - mutate := cnp.DeepCopy() - // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label - mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"} - kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) - - // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) - - // update namespace label for gryffindor to 
"conformance-house": "denied-namespace-label" to no longer match ingressRule at index0 - allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout) - mutateNamespace := allowedNamespace.DeepCopy() - mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"}) - kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout) - - // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) - }) - t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { // This test uses `ingress-tcp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace diff --git a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go index 199c2ec8..e4bcbf66 100644 --- a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go 
@@ -52,43 +52,6 @@ var CNPAdminTierIngressUDP = suite.ConformanceTest{ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) - t.Run("Should support a 'deny-ingress' policy for UDP protocol on a namespace selector when namespace labels are changed to no longer match", func(t *testing.T) { - // This test uses `ingress-udp` admin CNP - // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) - // luna-lovegood-0 is our client pod in ravenclaw namespace - // ensure ingress is ALLOWED from ravenclaw to hufflepuff - // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) - - cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout) - mutate := cnp.DeepCopy() - // update namespace selector in ingressRule at index0 to match "conformance-house: gryffindor" label - mutate.Spec.Ingress[0].From[0].Namespaces.MatchLabels = map[string]string{"conformance-house": "gryffindor"} - kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) - - // ensure ingress is ALLOWED from gryffindor to ravenclaw since namespace label still matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) - - // update namespace label for gryffindor to 
"conformance-house": "denied-namespace-label" to no longer match ingressRule at index0 - allowedNamespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-gryffindor", s.TimeoutConfig.GetTimeout) - mutateNamespace := allowedNamespace.DeepCopy() - mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"}) - kubernetes.PatchNamespace(t, s.Client, allowedNamespace, mutateNamespace, s.TimeoutConfig.GetTimeout) - - // ensure ingress is DENIED from gryffindor to ravenclaw since namespace label no longer matches - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) - // luna-lovegood-1 is our client pod in ravenclaw namespace - kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) - }) - t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go index 935b65a1..98fc91f4 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go 
@@ -72,6 +72,34 @@ var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
 serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
+ // update namespace label for slytherin to "conformance-house": "denied-namespace-label" to no longer match ingressRule at index0
+ namespace := kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+ mutateNamespace := namespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})
+ kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure traffic is no longer allowed to slytherin since the namespace label no longer matches
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+
+ // update namespace label for slytherin back to "conformance-house": "slytherin" to match ingressRule at index0 again
+ namespace = kubernetes.GetNamespace(t, s.Client, "network-policy-conformance-slytherin", s.TimeoutConfig.GetTimeout)
+ mutateNamespace = namespace.DeepCopy()
+ mutateNamespace.SetLabels(map[string]string{"conformance-house": "slytherin"})
+ kubernetes.PatchNamespace(t, s.Client, namespace, mutateNamespace, s.TimeoutConfig.GetTimeout)
+
+ // ensure traffic is allowed to slytherin again since the namespace label matches again
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 })
 // To test allow CIDR rule, insert the following rule at index0
 //- name: "allow-egress-to-specific-podIPs"
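Review bot: `mutateNamespace.SetLabels(map[string]string{"conformance-house": "denied-namespace-label"})` replaces the whole label set of network-policy-conformance-slytherin, so any other label on that namespace is dropped by the first PatchNamespace and never brought back by the second, which again sets only `conformance-house`; since namespace labels are what every policy in the cluster selects on, that can change more than the one rule this test targets. Because `DeepCopy` already copies the map, changing a single key is enough: `mutateNamespace.Labels["conformance-house"] = "denied-namespace-label"` on the way out and `mutateNamespace.Labels["conformance-house"] = "slytherin"` on the way back. The restore also runs inline rather than through `t.Cleanup`, so if one of the DENIED pokes fails the test (PokeServer takes `t`, so presumably it can), the namespace stays mislabeled for every later test that expects `conformance-house: slytherin`. The comment "to no longer match ingressRule at index0" looks copied from the ingress tests; this is the egress inline-CIDR test, so presumably it should read `egressRule at index0`, and which rule the relabel is expected to defeat depends on the base policy, which is not visible here. The enclosing t.Run starts before this hunk.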