Merge pull request #132 from Dyanngg/named-port-conformance

Add conformance testcases for AdminNetworkPolicy named port feature

Author: k8s-ci-robot

conformance/base/manifests.yaml

@@ -52,6 +52,10 @@ spec:
         - name: harry-potter-80
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: web
         - name: harry-potter-8080
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -61,6 +65,10 @@ spec:
         - name: harry-potter-53
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+          ports:
+            - containerPort: 53
+              protocol: UDP
+              name: dns
         - name: harry-potter-9003
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -95,6 +103,10 @@ spec:
         - name: draco-malfoy-80
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: web
         - name: draco-malfoy-8080
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -104,6 +116,10 @@ spec:
         - name: draco-malfoy-53
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+          ports:
+            - containerPort: 53
+              protocol: UDP
+              name: dns
         - name: draco-malfoy-9003
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -138,6 +154,10 @@ spec:
         - name: cedric-diggory-80
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: web
         - name: cedric-diggory-8080
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -147,6 +167,10 @@ spec:
         - name: cedric-diggory-53
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+          ports:
+            - containerPort: 53
+              protocol: UDP
+              name: dns
         - name: cedric-diggory-9003
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -181,6 +205,10 @@ spec:
         - name: luna-lovegood-80
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: web
         - name: luna-lovegood-8080
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -190,6 +218,10 @@ spec:
         - name: luna-lovegood-53
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+          ports:
+            - containerPort: 53
+              protocol: UDP
+              name: dns
         - name: luna-lovegood-9003
           image: registry.k8s.io/e2e-test-images/agnhost:2.43
           command: ["/bin/bash", "-c", "/agnhost porter"]

conformance/tests/admin-network-policy-core-egress-tcp-rules.go

@@ -33,6 +33,7 @@ import (
 func init() {
 	ConformanceTests = append(ConformanceTests,
 		AdminNetworkPolicyEgressTCP,
+		AdminNetworkPolicyEgressNamedPort,
 	)
 }
 
@@ -61,10 +62,10 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -79,15 +80,15 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			}, serverPod)
 			require.NoErrorf(t, err, "unable to fetch the server pod")
 			// harry-potter-0 is our client pod in gryffindor namespace
-			// ensure egress is ALLOWED to hufflepuff from gryffindor at port 80; egressRule at index5 should take effect
+			// ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 should take effect
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// harry-potter-1 is our client pod in gryffindor namespace
 			// ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -117,11 +118,11 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// harry-potter-1 is our client pod in gryffindor namespace
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -139,12 +140,12 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			// ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 should take effect
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// harry-potter-1 is our client pod in gryffindor namespace
 			// ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'pass-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -174,11 +175,11 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// harry-potter-1 is our server pod in gryffindor namespace
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support a 'pass-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -207,12 +208,12 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 			// ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// harry-potter-1 is our client pod in gryffindor namespace
 			// ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 	},
 }

conformance/tests/admin-network-policy-core-egress-udp-rules.go

@@ -61,11 +61,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-1 is our client pod in hufflepuff namespace
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -83,12 +83,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// ensure egress is ALLOWED to gryffindor from hufflepuff at port 53; egressRule at index5
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-1 is our client pod in hufflepuff namespace
 			// ensure egress is DENIED to gryffindor from hufflepuff for rest of the traffic; egressRule at index6
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -118,11 +118,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-1 is our client pod in hufflepuff namespace
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -140,12 +140,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// ensure egress to slytherin is DENIED from hufflepuff at port 80; egressRule at index3 should take effect
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-0 is our client pod in hufflepuff namespace
 			// ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support an 'pass-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -175,11 +175,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-1 is our client pod in hufflepuff namespace
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 
 		t.Run("Should support a 'pass-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -208,12 +208,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 			// ensure egress to slytherin is PASSED from hufflepuff at port 5353; egressRule at index3 should take effect
 			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 			// cedric-diggory-1 is our client pod in hufflepuff namespace
 			// ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed
 			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-			assert.Equal(t, true, success)
+			assert.True(t, success)
 		})
 	},
 }