
Commit 160fd47

committed
added uts where target port matches to protocol and port is 0
1 parent f35989c commit 160fd47


1 file changed

+219
-2
lines changed


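--- a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator_test.go
+++ b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator_test.go
@@ -1694,8 +1694,225 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 expectedUnsafeRiskServices: []string{"namespace1/service-with-no-selector"},
 expectedUnsafeNoSelectorServices: []string{"namespace1/service-with-no-selector"},
 },
-// add a ut where target port matches to protocol
-// add a ut where the port is 0
+{
+name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector and protocol with no ports",
+namespaces: &corev1.NamespaceList{
+Items: []corev1.Namespace{
+{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+},
+},
+servicesByNamespace: map[string][]*corev1.Service{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "service-with-selector-and-ports"},
+Spec: corev1.ServiceSpec{
+Type: corev1.ServiceTypeLoadBalancer,
+Selector: map[string]string{"app": "test"},
+Ports: []corev1.ServicePort{
+{
+Port: 80,
+Protocol: corev1.ProtocolTCP,
+TargetPort: intstr.FromInt(80),
+},
+},
+ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+},
+},
+},
+},
+policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "allow-all-ingress-policy-with-selector-and-ports"},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"app": "test"},
+},
+PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+Ingress: []networkingv1.NetworkPolicyIngressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Protocol: func() *corev1.Protocol {
+protocol := corev1.ProtocolTCP
+return &protocol
+}(),
+},
+},
+},
+},
+},
+},
+},
+},
+expectedUnsafeRiskServices: []string{},
+expectedUnsafeNoSelectorServices: []string{},
+},
+{
+name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector and port=0",
+namespaces: &corev1.NamespaceList{
+Items: []corev1.Namespace{
+{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+},
+},
+servicesByNamespace: map[string][]*corev1.Service{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "service-with-selector-and-ports"},
+Spec: corev1.ServiceSpec{
+Type: corev1.ServiceTypeLoadBalancer,
+Selector: map[string]string{"app": "test"},
+Ports: []corev1.ServicePort{
+{
+Port: 80,
+Protocol: corev1.ProtocolTCP,
+TargetPort: intstr.FromInt(80),
+},
+},
+ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+},
+},
+},
+},
+policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "allow-all-ingress-policy-with-selector-and-ports"},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"app": "test"},
+},
+PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+Ingress: []networkingv1.NetworkPolicyIngressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Port: intstrPtr(intstr.FromInt(0)),
+Protocol: func() *corev1.Protocol {
+protocol := corev1.ProtocolTCP
+return &protocol
+}(),
+},
+},
+},
+},
+},
+},
+},
+},
+expectedUnsafeRiskServices: []string{"namespace1/service-with-selector-and-ports"},
+expectedUnsafeNoSelectorServices: []string{},
+},
+{
+name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and targetport=0 and an allow all ingress policy with a matching selector and different ports",
+namespaces: &corev1.NamespaceList{
+Items: []corev1.Namespace{
+{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+},
+},
+servicesByNamespace: map[string][]*corev1.Service{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "service-with-selector-and-ports"},
+Spec: corev1.ServiceSpec{
+Type: corev1.ServiceTypeLoadBalancer,
+Selector: map[string]string{"app": "test"},
+Ports: []corev1.ServicePort{
+{
+Port: 80,
+Protocol: corev1.ProtocolTCP,
+TargetPort: intstr.FromInt(0),
+},
+},
+ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+},
+},
+},
+},
+policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "allow-all-ingress-policy-with-selector-and-ports"},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"app": "test"},
+},
+PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+Ingress: []networkingv1.NetworkPolicyIngressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Port: intstrPtr(intstr.FromInt(80)),
+Protocol: func() *corev1.Protocol {
+protocol := corev1.ProtocolTCP
+return &protocol
+}(),
+},
+},
+},
+},
+},
+},
+},
+},
+expectedUnsafeRiskServices: []string{"namespace1/service-with-selector-and-ports"},
+expectedUnsafeNoSelectorServices: []string{},
+},
+{
+name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and targetport=0 and an allow all ingress policy with a matching selector and ports=0",
+namespaces: &corev1.NamespaceList{
+Items: []corev1.Namespace{
+{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+},
+},
+servicesByNamespace: map[string][]*corev1.Service{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "service-with-selector-and-ports"},
+Spec: corev1.ServiceSpec{
+Type: corev1.ServiceTypeLoadBalancer,
+Selector: map[string]string{"app": "test"},
+Ports: []corev1.ServicePort{
+{
+Port: 80,
+Protocol: corev1.ProtocolTCP,
+TargetPort: intstr.FromInt(0),
+},
+},
+ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+},
+},
+},
+},
+policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+"namespace1": {
+{
+ObjectMeta: metav1.ObjectMeta{Name: "allow-all-ingress-policy-with-selector-and-ports"},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{
+MatchLabels: map[string]string{"app": "test"},
+},
+PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+Ingress: []networkingv1.NetworkPolicyIngressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Port: intstrPtr(intstr.FromInt(0)),
+Protocol: func() *corev1.Protocol {
+protocol := corev1.ProtocolTCP
+return &protocol
+}(),
+},
+},
+},
+},
+},
+},
+},
+},
+expectedUnsafeRiskServices: []string{"namespace1/service-with-selector-and-ports"},
+expectedUnsafeNoSelectorServices: []string{},
+},
 
 // Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple policies
 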
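Review bot: The case names at new lines 1752, 1807 and 1862, and the policy name `allow-all-ingress-policy-with-selector-and-ports` reused by all four fixtures, describe an "allow all ingress policy", but each of those three policies restricts ingress to a single port (0 or 80), so the names misstate what is exercised; renaming along the lines of `"... and an ingress policy with a matching selector restricted to port=0"` with a policy name such as `ingress-policy-with-selector-and-port-0` would document each scenario accurately. The `*corev1.Protocol` value is built four times with the same inline closure while the file already has `intstrPtr` for the port pointer; a sibling helper returning `*corev1.Protocol` would make these cases read like the rest of the table. For the targetport=0 cases at 1824 and 1879, a one-line comment recording why the service is expected unsafe would help, because the API server normally defaults an unset targetPort to the port value, whereas the expectations here suggest the validator treats a literal 0 as non-matching and flags the service unsafe without resolving it — worth confirming that conservative behaviour is intentional. TestGetExternalTrafficPolicyClusterServices starts before this hunk and its table continues after it.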
