Merge pull request #99 from tssurya/add-conformance-tests

Add ANP conformance tests for `.Spec.Ingress` and `.Spec.Egress` fields

Author: k8s-ci-robot

conformance/tests/admin-network-policy-core-egress-sctp-rules.go

@@ -0,0 +1,219 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/test/e2e/framework"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"sigs.k8s.io/network-policy-api/apis/v1alpha1"
+	"sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/network-policy-api/conformance/utils/suite"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests,
+		AdminNetworkPolicyEgressSCTP,
+	)
+}
+
+var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
+	ShortName:   "AdminNetworkPolicyEgressSCTP",
+	Description: "Tests support for egress traffic (SCTP protocol) using admin network policy API based on a server and client model",
+	Features: []suite.SupportedFeature{
+		suite.SupportAdminNetworkPolicy,
+	},
+	Manifests: []string{"tests/admin-network-policy-core-egress-sctp-rules_base.yaml"},
+	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+
+		t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// harry-potter-0 is our server pod in gryffindor namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-gryffindor",
+				Name:      "harry-potter-0",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			// luna-lovegood-0 is our client pod in ravenclaw namespace
+			// ensure egress is ALLOWED to gryffindor from ravenclaw
+			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+		})
+
+		t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// cedric-diggory-1 is our server pod in hufflepuff namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-hufflepuff",
+				Name:      "cedric-diggory-1",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			// luna-lovegood-0 is our client pod in ravenclaw namespace
+			// ensure egress is ALLOWED to hufflepuff from ravenclaw at port 9003; egressRule at index5
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			// ensure egress is DENIED to hufflepuff from ravenclaw for rest of the traffic; egressRule at index6
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
+			assert.Equal(t, true, success)
+		})
+
+		t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// harry-potter-0 is our server pod in gryffindor namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-gryffindor",
+				Name:      "harry-potter-1",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			anp := &v1alpha1.AdminNetworkPolicy{}
+			err = s.Client.Get(ctx, client.ObjectKey{
+				Name: "egress-sctp",
+			}, anp)
+			framework.ExpectNoError(err, "unable to fetch the admin network policy")
+			// swap rules at index0 and index1
+			allowRule := anp.DeepCopy().Spec.Egress[0]
+			anp.Spec.Egress[0] = anp.DeepCopy().Spec.Egress[1]
+			anp.Spec.Egress[1] = allowRule
+			err = s.Client.Update(ctx, anp)
+			framework.ExpectNoError(err, "unable to update the admin network policy")
+			// luna-lovegood-0 is our client pod in gryffindor namespace
+			// ensure egress is DENIED to gryffindor from ravenclaw
+			// egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
+			assert.Equal(t, true, success)
+		})
+
+		t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// draco-malfoy-0 is our server pod in slytherin namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-slytherin",
+				Name:      "draco-malfoy-0",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			// luna-lovegood-0 is our client pod in ravenclaw namespace
+			// ensure egress to slytherin is DENIED from ravenclaw at port 9003; egressRule at index3
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			// ensure egress to slytherin is ALLOWED from ravenclaw for rest of the traffic; matches no rules hence allowed
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+		})
+
+		t.Run("Should support an 'pass-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// harry-potter-0 is our server pod in gryffindor namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-gryffindor",
+				Name:      "harry-potter-1",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			anp := &v1alpha1.AdminNetworkPolicy{}
+			err = s.Client.Get(ctx, client.ObjectKey{
+				Name: "egress-sctp",
+			}, anp)
+			framework.ExpectNoError(err, "unable to fetch the admin network policy")
+			// swap rules at index0 and index2
+			denyRule := anp.DeepCopy().Spec.Egress[0]
+			anp.Spec.Egress[0] = anp.DeepCopy().Spec.Egress[2]
+			anp.Spec.Egress[2] = denyRule
+			err = s.Client.Update(ctx, anp)
+			framework.ExpectNoError(err, "unable to update the admin network policy")
+			// luna-lovegood-0 is our client pod in ravenclaw namespace
+			// ensure egress is PASSED from gryffindor to ravenclaw
+			// egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+		})
+
+		t.Run("Should support a 'pass-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
+			defer cancel()
+			// This test uses `egress-sctp` ANP
+			// draco-malfoy-0 is our server pod in slytherin namespace
+			clientPod := &v1.Pod{}
+			err := s.Client.Get(ctx, client.ObjectKey{
+				Namespace: "network-policy-conformance-slytherin",
+				Name:      "draco-malfoy-0",
+			}, clientPod)
+			framework.ExpectNoError(err, "unable to fetch the server pod")
+			anp := &v1alpha1.AdminNetworkPolicy{}
+			err = s.Client.Get(ctx, client.ObjectKey{
+				Name: "egress-sctp",
+			}, anp)
+			framework.ExpectNoError(err, "unable to fetch the admin network policy")
+			// swap rules at index3 and index4
+			denyRule := anp.DeepCopy().Spec.Egress[3]
+			anp.Spec.Egress[3] = anp.DeepCopy().Spec.Egress[4]
+			anp.Spec.Egress[4] = denyRule
+			err = s.Client.Update(ctx, anp)
+			framework.ExpectNoError(err, "unable to update the admin network policy")
+			// luna-lovegood-0 is our client pod in ravenclaw namespace
+			// ensure egress to slytherin is PASSED from ravenclaw at port 9003; egressRule at index3
+			success := kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+				clientPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+			// luna-lovegood-1 is our client pod in ravenclaw namespace
+			// ensure egress to slytherin is ALLOWED from ravenclaw for rest of the traffic; matches no rules hence allowed
+			success = kubernetes.PokeServer(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+				clientPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
+			assert.Equal(t, true, success)
+		})
+	},
+}

conformance/tests/admin-network-policy-core-egress-sctp-rules_base.yaml

@@ -0,0 +1,72 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: egress-sctp
+spec:
+  priority: 8
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  egress:
+  - name: "allow-to-gryffindor-everything"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-to-gryffindor-everything"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "pass-to-gryffindor-everything"
+    action: "Pass"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-to-slytherin-at-port-9003"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "pass-to-slytherin-at-port-9003"
+    action: "Pass"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "allow-to-hufflepuff-at-port-9003"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "deny-to-hufflepuff-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff