Split network policies tests between Calico & Cilium (#2746)

rarescosma · lunkan93 · commit 4babc49415c6 · 2025-10-09T09:01:54.000+02:00
diff --git a/tests/common/cypress/index.d.ts b/tests/common/cypress/index.d.ts
@@ -2,7 +2,6 @@ type Cluster = 'sc' | 'wc'
 type GrafanaRole = 'Admin' | 'Editor' | 'Viewer'
 
 declare const yqArgumentsToConfigFiles: (cluster: Cluster, expression: string) => string
-declare const userToSession: (user: string) => string
 
 /// <reference types="cypress" />
 
diff --git a/tests/end-to-end/grafana/dashboards-admin.cy.js b/tests/end-to-end/grafana/dashboards-admin.cy.js
@@ -36,7 +36,7 @@ describe('grafana admin dashboards', function () {
 
   it('open the NetworkPolicy Dashboard', function () {
     cy.yqDig('sc', '.networkPlugin.type').then((value) => {
-      if (value == 'calico') {
+      if (value === 'calico') {
         cy.testGrafanaDashboard('NetworkPolicy Dashboard', false)
         cy.get(
           '[data-testid="data-testid Panel menu Packets allowed by NetworkPolicy going from pod"]'
diff --git a/tests/end-to-end/netpol/netpol-calico.cy.js b/tests/end-to-end/netpol/netpol-calico.cy.js
@@ -10,7 +10,15 @@ function makePrometheusURL(/** @type {Cluster} */ cluster) {
   )
 }
 
-describe('workload cluster network policies', function () {
+describe('workload cluster network policies (calico)', function () {
+  before(function () {
+    cy.yqDig('wc', '.networkPlugin.type').then(function (value) {
+      if (value !== 'calico') {
+        this.skip('not a calico cluster')
+      }
+    })
+  })
+
   it('are not dropping any packets from workloads', function () {
     cy.request('GET', makeQueryURL('wc', DROP_QUERY)).then((response) => {
       assertNoDrops(response, 'fw', 'from')
@@ -33,7 +41,15 @@ describe('workload cluster network policies', function () {
   })
 })
 
-describe('service cluster network policies', function () {
+describe('service cluster network policies (calico)', function () {
+  before(function () {
+    cy.yqDig('sc', '.networkPlugin.type').then(function (value) {
+      if (value !== 'calico') {
+        this.skip('not a calico cluster')
+      }
+    })
+  })
+
   it('are not dropping any packets from workloads', function () {
     cy.request('GET', makeQueryURL('sc', DROP_QUERY)).then((response) => {
       assertNoDrops(response, 'fw', 'from')
diff --git a/tests/end-to-end/netpol/netpol-calico.gen.bats b/tests/end-to-end/netpol/netpol-calico.gen.bats
@@ -0,0 +1,40 @@
+#!/usr/bin/env bats
+
+setup_file() {
+  load "../../bats.lib.bash"
+
+  cypress_setup "${ROOT}/tests/end-to-end/netpol/netpol-calico.cy.js"
+}
+
+setup() {
+  load "../../bats.lib.bash"
+  load_assert
+}
+
+teardown_file() {
+  cypress_teardown
+}
+
+@test "workload cluster network policies (calico) are not dropping any packets from workloads" {
+  cypress_test "workload cluster network policies (calico) are not dropping any packets from workloads"
+}
+
+@test "workload cluster network policies (calico) are not dropping any packets to workloads" {
+  cypress_test "workload cluster network policies (calico) are not dropping any packets to workloads"
+}
+
+@test "workload cluster network policies (calico) are accepting allowed traffic" {
+  cypress_test "workload cluster network policies (calico) are accepting allowed traffic"
+}
+
+@test "service cluster network policies (calico) are not dropping any packets from workloads" {
+  cypress_test "service cluster network policies (calico) are not dropping any packets from workloads"
+}
+
+@test "service cluster network policies (calico) are not dropping any packets to workloads" {
+  cypress_test "service cluster network policies (calico) are not dropping any packets to workloads"
+}
+
+@test "service cluster network policies (calico) are accepting allowed traffic" {
+  cypress_test "service cluster network policies (calico) are accepting allowed traffic"
+}
diff --git a/tests/end-to-end/netpol/netpol-cilium.cy.js b/tests/end-to-end/netpol/netpol-cilium.cy.js
@@ -0,0 +1,140 @@
+const DROP_QUERY = 'round(increase(hubble_drop_total{reason="POLICY_DENIED"}[5m]))'
+const ACCEPT_QUERY =
+  'sum by (traffic_direction) (round(increase(hubble_flows_processed_total{verdict="FORWARDED"}[5m])))'
+
+function makePrometheusURL(/** @type {Cluster} */ cluster) {
+  const port = cluster === 'wc' ? Cypress.env('WC_PROXY_PORT') : Cypress.env('SC_PROXY_PORT')
+
+  return (
+    `http://127.0.0.1:${port}/api/v1/namespaces/monitoring/services` +
+    '/kube-prometheus-stack-prometheus:9090/proxy'
+  )
+}
+
+describe('workload cluster network policies (cilium)', function () {
+  before(function () {
+    cy.yqDig('wc', '.networkPlugin.type').then(function (value) {
+      if (value !== 'cilium') {
+        this.skip('not a cilium cluster')
+      }
+    })
+  })
+
+  it('are not dropping any packets from workloads', function () {
+    cy.request('GET', makeQueryURL('wc', DROP_QUERY)).then((response) => {
+      assertNoDrops(response, 'egress', 'from')
+    })
+  })
+
+  it('are not dropping any packets to workloads', function () {
+    cy.request('GET', makeQueryURL('wc', DROP_QUERY)).then((response) => {
+      assertNoDrops(response, 'ingress', 'to')
+    })
+  })
+
+  it('are accepting allowed traffic', function () {
+    cy.retryRequest({
+      request: { method: 'GET', url: makeQueryURL('wc', ACCEPT_QUERY) },
+      condition: acceptCondition,
+      waitTime: 10000,
+      attempts: 30,
+    })
+  })
+})
+
+describe('service cluster network policies (cilium)', function () {
+  before(function () {
+    cy.yqDig('sc', '.networkPlugin.type').then(function (value) {
+      if (value !== 'cilium') {
+        this.skip('not a cilium cluster')
+      }
+    })
+  })
+
+  it('are not dropping any packets from workloads', function () {
+    cy.request('GET', makeQueryURL('sc', DROP_QUERY)).then((response) => {
+      assertNoDrops(response, 'egress', 'from')
+    })
+  })
+
+  it('are not dropping any packets to workloads', function () {
+    cy.request('GET', makeQueryURL('sc', DROP_QUERY)).then((response) => {
+      assertNoDrops(response, 'ingress', 'to')
+    })
+  })
+
+  it('are accepting allowed traffic', function () {
+    cy.retryRequest({
+      request: { method: 'GET', url: makeQueryURL('sc', ACCEPT_QUERY) },
+      condition: acceptCondition,
+      waitTime: 10000,
+      attempts: 30,
+    })
+  })
+})
+
+const makeQueryURL = (/** @type {Cluster} */ cluster, query, serverTime = '') => {
+  const metric = encodeURI(query)
+  let returnValue = `${makePrometheusURL(cluster)}/api/v1/query?query=${metric}`
+  if (serverTime !== '') {
+    returnValue = `${returnValue}&${new URLSearchParams({ time: serverTime })}`
+  }
+  return returnValue
+}
+
+const assertNoDrops = (response, trafficDirection, direction) => {
+  expect(response.status).to.eq(200)
+  expect(response.body.data.result).to.be.a('array')
+
+  const result = response.body.data.result
+
+  const drops = result.filter(filterNonZero(trafficDirection)).map((element) => mapDrops(element))
+
+  if (drops.length > 0) {
+    cy.fail(formatError(drops, direction))
+  }
+}
+
+const acceptCondition = (response) => {
+  try {
+    expect(response.status).to.eq(200)
+    expect(response.body.data.result).to.be.a('array')
+
+    const result = response.body.data.result
+
+    const innerAssert = (values) => {
+      expect(values).to.be.an('array')
+      expect(values).to.have.property('0').that.is.a('number').and.is.greaterThan(0)
+    }
+
+    innerAssert(
+      result.filter(filterNonZero('egress')).map((item) => Number.parseInt(item.value[1]))
+    )
+    innerAssert(
+      result.filter(filterNonZero('ingress')).map((item) => Number.parseInt(item.value[1]))
+    )
+    return true
+  } catch {
+    return false
+  }
+}
+
+const filterNonZero = (trafficDirection) => {
+  return (item) =>
+    item.metric.traffic_direction === trafficDirection && item.value && item.value[1] !== '0'
+}
+
+const mapDrops = (item) => {
+  return {
+    podName: item.metric.pod,
+    podNamespace: item.metric.namespace,
+    drops: Number.parseInt(item.value[1]),
+  }
+}
+
+const formatError = (drops, direction) => {
+  const fmtDrops = drops
+    .map((item) => `- ${item.podNamespace}/${item.podName} had ${item.drops} dropped packets`)
+    .join('\n')
+  return `\nFound packets dropped ${direction} workloads:\n${fmtDrops}\n`
+}
diff --git a/tests/end-to-end/netpol/netpol-cilium.gen.bats b/tests/end-to-end/netpol/netpol-cilium.gen.bats
@@ -0,0 +1,40 @@
+#!/usr/bin/env bats
+
+setup_file() {
+  load "../../bats.lib.bash"
+
+  cypress_setup "${ROOT}/tests/end-to-end/netpol/netpol-cilium.cy.js"
+}
+
+setup() {
+  load "../../bats.lib.bash"
+  load_assert
+}
+
+teardown_file() {
+  cypress_teardown
+}
+
+@test "workload cluster network policies (cilium) are not dropping any packets from workloads" {
+  cypress_test "workload cluster network policies (cilium) are not dropping any packets from workloads"
+}
+
+@test "workload cluster network policies (cilium) are not dropping any packets to workloads" {
+  cypress_test "workload cluster network policies (cilium) are not dropping any packets to workloads"
+}
+
+@test "workload cluster network policies (cilium) are accepting allowed traffic" {
+  cypress_test "workload cluster network policies (cilium) are accepting allowed traffic"
+}
+
+@test "service cluster network policies (cilium) are not dropping any packets from workloads" {
+  cypress_test "service cluster network policies (cilium) are not dropping any packets from workloads"
+}
+
+@test "service cluster network policies (cilium) are not dropping any packets to workloads" {
+  cypress_test "service cluster network policies (cilium) are not dropping any packets to workloads"
+}
+
+@test "service cluster network policies (cilium) are accepting allowed traffic" {
+  cypress_test "service cluster network policies (cilium) are accepting allowed traffic"
+}
diff --git a/tests/end-to-end/netpol/netpol.gen.bats b/tests/end-to-end/netpol/netpol.gen.bats
