added more service uts for nodeport and organized scenarios

rayaisaiah · rayaisaiah · commit f79188b02cf0 · 2025-02-07T00:54:56.000Z
diff --git a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
@@ -282,18 +282,22 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts *[]corev1.ServicePort,
 		}
 
 		// Check if all the services target ports are in the policies ingress ports
-		serviceTargetPortPolicyPort := false
+		matchedserviceTargetPortToPolicyPort := false
 		for _, policyPort := range *policyPorts {
 			// Check if the policys port exists
 			if policyPort.Port == nil {
 				return false
 			}
+			// If the port is a string then it is a named port and service is at risk
+			if policyPort.Port.Type == intstr.String {
+				return false
+			}
 			if servicePort.TargetPort.IntValue() == int(policyPort.Port.IntVal) && string(servicePort.Protocol) == string(*policyPort.Protocol) {
-				serviceTargetPortPolicyPort = true
+				matchedserviceTargetPortToPolicyPort = true
 				break
 			}
 		}
-		if !serviceTargetPortPolicyPort {
+		if !matchedserviceTargetPortToPolicyPort {
 			return false
 		}
 	}
diff --git a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator_test.go b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator_test.go
@@ -803,6 +803,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 		expectedUnsafeServicesAtRisk     []string
 		expectedUnsafeNoSelectorServices []string
 	}{
+		// Scenarios where there are no LoadBalancer or NodePort services
 		{
 			name: "No namespaces",
 			namespaces: &corev1.NamespaceList{
@@ -829,8 +830,9 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 			expectedUnsafeServicesAtRisk:     []string{},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
+		// Scenarios where there are LoadBalancer or NodePort services but externalTrafficPolicy is not Cluster
 		{
-			name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and no policies",
+			name: "LoadBalancer service with externalTrafficPolicy=Local with no selector and a deny all ingress policy with no selector",
 			namespaces: &corev1.NamespaceList{
 				Items: []corev1.Namespace{
 					{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
@@ -842,19 +844,27 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{Name: "service-with-no-selector"},
 						Spec: corev1.ServiceSpec{
 							Type:                  corev1.ServiceTypeLoadBalancer,
-							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeLocal,
 						},
 					},
 				},
 			},
 			policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
-				"namespace1": {},
+				"namespace1": {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "deny-all-ingress-policy-with-no-selector"},
+						Spec: networkingv1.NetworkPolicySpec{
+							PodSelector: metav1.LabelSelector{},
+							PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+						},
+					},
+				},
 			},
 			expectedUnsafeServicesAtRisk:     []string{},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
 		{
-			name: "LoadBalancer service with externalTrafficPolicy=Local with no selector and a deny all ingress policy with no selector",
+			name: "NodePort service with externalTrafficPolicy=Local with no selector and a deny all ingress policy with no selector",
 			namespaces: &corev1.NamespaceList{
 				Items: []corev1.Namespace{
 					{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
@@ -865,7 +875,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 					{
 						ObjectMeta: metav1.ObjectMeta{Name: "service-with-no-selector"},
 						Spec: corev1.ServiceSpec{
-							Type:                  corev1.ServiceTypeLoadBalancer,
+							Type:                  corev1.ServiceTypeNodePort,
 							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeLocal,
 						},
 					},
@@ -885,6 +895,56 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 			expectedUnsafeServicesAtRisk:     []string{},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster but no policies
+		{
+			name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and no policies",
+			namespaces: &corev1.NamespaceList{
+				Items: []corev1.Namespace{
+					{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+				},
+			},
+			servicesByNamespace: map[string][]*corev1.Service{
+				"namespace1": {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "service-with-no-selector"},
+						Spec: corev1.ServiceSpec{
+							Type:                  corev1.ServiceTypeLoadBalancer,
+							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+						},
+					},
+				},
+			},
+			policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+				"namespace1": {},
+			},
+			expectedUnsafeServicesAtRisk:     []string{},
+			expectedUnsafeNoSelectorServices: []string{},
+		},
+		{
+			name: "NodePort service with externalTrafficPolicy=Cluster with no selector and no policies",
+			namespaces: &corev1.NamespaceList{
+				Items: []corev1.Namespace{
+					{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+				},
+			},
+			servicesByNamespace: map[string][]*corev1.Service{
+				"namespace1": {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "service-with-no-selector"},
+						Spec: corev1.ServiceSpec{
+							Type:                  corev1.ServiceTypeNodePort,
+							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+						},
+					},
+				},
+			},
+			policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+				"namespace1": {},
+			},
+			expectedUnsafeServicesAtRisk:     []string{},
+			expectedUnsafeNoSelectorServices: []string{},
+		},
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and policies allow traffic
 		{
 			name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and an allow all ingress policy with no selector",
 			namespaces: &corev1.NamespaceList{
@@ -1141,6 +1201,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 			expectedUnsafeServicesAtRisk:     []string{},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and policies deny traffic
 		{
 			name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and a deny all ingress policy with no selector",
 			namespaces: &corev1.NamespaceList{
@@ -1254,6 +1315,44 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 			expectedUnsafeServicesAtRisk:     []string{"namespace1/external-traffic-policy-cluster-service"},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
+		{
+			name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a selector that doesnt match",
+			namespaces: &corev1.NamespaceList{
+				Items: []corev1.Namespace{
+					{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
+				},
+			},
+			servicesByNamespace: map[string][]*corev1.Service{
+				"namespace1": {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "service-with-selector"},
+						Spec: corev1.ServiceSpec{
+							Type:                  corev1.ServiceTypeLoadBalancer,
+							Selector:              map[string]string{"app": "test", "app3": "test3", "app4": "test4"},
+							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
+						},
+					},
+				},
+			},
+			policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
+				"namespace1": {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "allow-all-ingress-policy-with-selector"},
+						Spec: networkingv1.NetworkPolicySpec{
+							PodSelector: metav1.LabelSelector{
+								MatchLabels: map[string]string{"app": "test", "app2": "test2"},
+							},
+							PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+							Ingress: []networkingv1.NetworkPolicyIngressRule{
+								{},
+							},
+						},
+					},
+				},
+			},
+			expectedUnsafeServicesAtRisk:     []string{"namespace1/service-with-selector"},
+			expectedUnsafeNoSelectorServices: []string{},
+		},
 		{
 			name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector but ports dont match",
 			namespaces: &corev1.NamespaceList{
@@ -1274,6 +1373,11 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 									Protocol:   corev1.ProtocolTCP,
 									TargetPort: intstr.FromInt(80),
 								},
+								{
+									Port:       100,
+									Protocol:   corev1.ProtocolTCP,
+									TargetPort: intstr.FromInt(100),
+								},
 							},
 							ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
 						},
@@ -1292,6 +1396,13 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 							Ingress: []networkingv1.NetworkPolicyIngressRule{
 								{
 									Ports: []networkingv1.NetworkPolicyPort{
+										{
+											Port: intstrPtr(intstr.FromInt(80)),
+											Protocol: func() *corev1.Protocol {
+												protocol := corev1.ProtocolTCP
+												return &protocol
+											}(),
+										},
 										{
 											Port: intstrPtr(intstr.FromInt(90)),
 											Protocol: func() *corev1.Protocol {
@@ -1364,82 +1475,11 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
 			expectedUnsafeServicesAtRisk:     []string{"namespace1/service-with-selector-and-named-ports"},
 			expectedUnsafeNoSelectorServices: []string{},
 		},
-		// {
-		// 	name: "Multiple namespaces with various policies and services",
-		// 	namespaces: &corev1.NamespaceList{
-		// 		Items: []corev1.Namespace{
-		// 			{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
-		// 			{ObjectMeta: metav1.ObjectMeta{Name: "namespace2"}},
-		// 		},
-		// 	},
-		// 	servicesByNamespace: map[string][]*corev1.Service{
-		// 		"namespace1": {
-		// 			{
-		// 				ObjectMeta: metav1.ObjectMeta{Name: "service1"},
-		// 				Spec: corev1.ServiceSpec{
-		// 					Type:                  corev1.ServiceTypeLoadBalancer,
-		// 					ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
-		// 					Selector:              map[string]string{"app": "test1"},
-		// 				},
-		// 			},
-		// 		},
-		// 		"namespace2": {
-		// 			{
-		// 				ObjectMeta: metav1.ObjectMeta{Name: "service2"},
-		// 				Spec: corev1.ServiceSpec{
-		// 					Type:                  corev1.ServiceTypeNodePort,
-		// 					ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
-		// 					Selector:              map[string]string{"app": "test2"},
-		// 				},
-		// 			},
-		// 			{
-		// 				ObjectMeta: metav1.ObjectMeta{Name: "service3"},
-		// 				Spec: corev1.ServiceSpec{
-		// 					Type:                  corev1.ServiceTypeLoadBalancer,
-		// 					ExternalTrafficPolicy: corev1.ServiceExternalTrafficPolicyTypeCluster,
-		// 				},
-		// 			},
-		// 		},
-		// 	},
-		// 	policiesByNamespace: map[string][]*networkingv1.NetworkPolicy{
-		// 		"namespace1": {
-		// 			{
-		// 				ObjectMeta: metav1.ObjectMeta{Name: "policy1"},
-		// 				Spec: networkingv1.NetworkPolicySpec{
-		// 					PodSelector: metav1.LabelSelector{
-		// 						MatchLabels: map[string]string{"app": "test1"},
-		// 					},
-		// 					Ingress: []networkingv1.NetworkPolicyIngressRule{
-		// 						{
-		// 							From: []networkingv1.NetworkPolicyPeer{
-		// 								{PodSelector: &metav1.LabelSelector{}},
-		// 							},
-		// 						},
-		// 					},
-		// 				},
-		// 			},
-		// 		},
-		// 		"namespace2": {
-		// 			{
-		// 				ObjectMeta: metav1.ObjectMeta{Name: "policy2"},
-		// 				Spec: networkingv1.NetworkPolicySpec{
-		// 					PodSelector: metav1.LabelSelector{
-		// 						MatchLabels: map[string]string{"app": "test2"},
-		// 					},
-		// 					Ingress: []networkingv1.NetworkPolicyIngressRule{
-		// 						{
-		// 							From: []networkingv1.NetworkPolicyPeer{
-		// 								{PodSelector: &metav1.LabelSelector{}},
-		// 							},
-		// 						},
-		// 					},
-		// 				},
-		// 			},
-		// 		},
-		// 	},
-		// 	expectedUnsafeServicesAtRisk:     []string{"namespace2/service3"},
-		// 	expectedUnsafeNoSelectorServices: []string{"namespace2/service3"},
-		// },
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple policies
+
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple services
+
+		// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple namespaces
 	}
 
 	for _, tt := range tests {

Original file line number	Diff line number	Diff line change
`@@ -282,18 +282,22 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts *[]corev1.ServicePort,`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`// Check if all the services target ports are in the policies ingress ports`
`285`		`- serviceTargetPortPolicyPort := false`
	`285`	`+ matchedserviceTargetPortToPolicyPort := false`
`286`	`286`	`for _, policyPort := range *policyPorts {`
`287`	`287`	`// Check if the policys port exists`
`288`	`288`	`if policyPort.Port == nil {`
`289`	`289`	`return false`
`290`	`290`	`}`
	`291`	`+ // If the port is a string then it is a named port and service is at risk`
	`292`	`+ if policyPort.Port.Type == intstr.String {`
	`293`	`+ return false`
	`294`	`+ }`
`291`	`295`	`if servicePort.TargetPort.IntValue() == int(policyPort.Port.IntVal) && string(servicePort.Protocol) == string(*policyPort.Protocol) {`
`292`		`- serviceTargetPortPolicyPort = true`
	`296`	`+ matchedserviceTargetPortToPolicyPort = true`
`293`	`297`	`break`
`294`	`298`	`}`
`295`	`299`	`}`
`296`		`- if !serviceTargetPortPolicyPort {`
	`300`	`+ if !matchedserviceTargetPortToPolicyPort {`
`297`	`301`	`return false`
`298`	`302`	`}`
`299`	`303`	`}`