[multinetpol] Update controller to handle endPort.

endPort was already supported by the NetworkPolicy, all we need to do is
copy the new field for the netpol handler.

Signed-off-by: Nadia Pinaeva <[email protected]>

Author: npinaeva

go-controller/pkg/ovn/base_network_controller_multipolicy.go

@@ -77,6 +77,7 @@ func convertMultiNetPolicyToNetPolicy(mpolicy *mnpapi.MultiNetworkPolicy, allowP
 			ingress.Ports[j] = knet.NetworkPolicyPort{
 				Protocol: mport.Protocol,
 				Port:     mport.Port,
+				EndPort:  mport.EndPort,
 			}
 		}
 		ingress.From = make([]knet.NetworkPolicyPeer, len(mingress.From))
@@ -104,6 +105,7 @@ func convertMultiNetPolicyToNetPolicy(mpolicy *mnpapi.MultiNetworkPolicy, allowP
 			egress.Ports[j] = knet.NetworkPolicyPort{
 				Protocol: mport.Protocol,
 				Port:     mport.Port,
+				EndPort:  mport.EndPort,
 			}
 		}
 		egress.To = make([]knet.NetworkPolicyPeer, len(megress.To))

test/e2e/multihoming.go

@@ -1165,7 +1165,45 @@ var _ = Describe("Multi Homing", func() {
 						metav1.LabelSelector{
 							MatchLabels: map[string]string{"role": "trusted"},
 						},
-						port,
+						multiNetPolicyPort(port),
+					),
+				),
+				ginkgo.Entry(
+					"using pod selectors and port range for a pure L2 overlay",
+					networkAttachmentConfigParams{
+						name:     secondaryNetworkName,
+						topology: "layer2",
+						cidr:     secondaryFlatL2NetworkCIDR,
+					},
+					podConfiguration{
+						attachments: []nadapi.NetworkSelectionElement{{Name: secondaryNetworkName}},
+						name:        allowedClient(clientPodName),
+						labels: map[string]string{
+							"app":  "client",
+							"role": "trusted",
+						},
+					},
+					podConfiguration{
+						attachments: []nadapi.NetworkSelectionElement{{Name: secondaryNetworkName}},
+						name:        blockedClient(clientPodName),
+						labels:      map[string]string{"app": "client"},
+					},
+					podConfiguration{
+						attachments:  []nadapi.NetworkSelectionElement{{Name: secondaryNetworkName}},
+						name:         podName,
+						containerCmd: httpServerContainerCmd(port),
+						labels:       map[string]string{"app": "stuff-doer"},
+					},
+					multiNetIngressLimitingPolicy(
+						secondaryNetworkName,
+						metav1.LabelSelector{
+							MatchLabels: map[string]string{"app": "stuff-doer"},
+						},
+						metav1.LabelSelector{
+							MatchLabels: map[string]string{"role": "trusted"},
+						},
+						// build a random range around the port we are actually trying to allow without explicitly setting it
+						multiNetPolicyPortRange(port-3, port+5),
 					),
 				),
 				ginkgo.Entry(
@@ -1202,7 +1240,7 @@ var _ = Describe("Multi Homing", func() {
 						metav1.LabelSelector{
 							MatchLabels: map[string]string{"role": "trusted"},
 						},
-						port,
+						multiNetPolicyPort(port),
 					),
 				),
 				ginkgo.Entry(
@@ -1239,7 +1277,7 @@ var _ = Describe("Multi Homing", func() {
 						metav1.LabelSelector{
 							MatchLabels: map[string]string{"role": "trusted"},
 						},
-						port,
+						multiNetPolicyPort(port),
 					),
 				),
 				ginkgo.Entry(
@@ -1608,7 +1646,7 @@ var _ = Describe("Multi Homing", func() {
 			)
 
 			ginkgo.DescribeTable(
-				"deny all",
+				"deny traffic",
 				func(netConfigParams networkAttachmentConfigParams, clientPodConfig podConfiguration, serverPodConfig podConfiguration, policy *mnpapi.MultiNetworkPolicy) {
 					netConfig := newNetworkAttachmentConfig(netConfigParams)
 
@@ -1670,6 +1708,39 @@ var _ = Describe("Multi Homing", func() {
 						nil,
 					),
 				),
+				ginkgo.Entry(
+					"using pod selectors and wrong port range for a localnet topology",
+					networkAttachmentConfigParams{
+						name:     secondaryNetworkName,
+						topology: "localnet",
+						cidr:     secondaryLocalnetNetworkCIDR,
+					},
+					podConfiguration{
+						attachments: []nadapi.NetworkSelectionElement{{Name: secondaryNetworkName}},
+						name:        allowedClient(clientPodName),
+						labels: map[string]string{
+							"app":  "client",
+							"role": "trusted",
+						},
+					},
+					podConfiguration{
+						attachments:  []nadapi.NetworkSelectionElement{{Name: secondaryNetworkName}},
+						name:         podName,
+						containerCmd: httpServerContainerCmd(port),
+						labels:       map[string]string{"app": "stuff-doer"},
+					},
+					multiNetIngressLimitingPolicy(
+						secondaryNetworkName,
+						metav1.LabelSelector{
+							MatchLabels: map[string]string{"app": "stuff-doer"},
+						},
+						metav1.LabelSelector{
+							MatchLabels: map[string]string{"role": "trusted"},
+						},
+						// build a port range that doesn't include server port
+						multiNetPolicyPortRange(port-10, port-1),
+					),
+				),
 			)
 		})
 	})

test/e2e/multihoming_utils.go

@@ -289,18 +289,27 @@ func blockedClient(podName string) string {
 	return "blocked-" + podName
 }
 
-func multiNetIngressLimitingPolicy(policyFor string, appliesFor metav1.LabelSelector, allowForSelector metav1.LabelSelector, allowPorts ...int) *mnpapi.MultiNetworkPolicy {
+func multiNetPolicyPort(port int) mnpapi.MultiNetworkPolicyPort {
+	tcp := v1.ProtocolTCP
+	p := intstr.FromInt32(int32(port))
+	return mnpapi.MultiNetworkPolicyPort{
+		Protocol: &tcp,
+		Port:     &p,
+	}
+}
+
+func multiNetPolicyPortRange(port, endPort int) mnpapi.MultiNetworkPolicyPort {
+	netpolPort := multiNetPolicyPort(port)
+	endPort32 := int32(endPort)
+	netpolPort.EndPort = &endPort32
+	return netpolPort
+}
+
+func multiNetIngressLimitingPolicy(policyFor string, appliesFor metav1.LabelSelector, allowForSelector metav1.LabelSelector, allowPorts ...mnpapi.MultiNetworkPolicyPort) *mnpapi.MultiNetworkPolicy {
 	var (
 		portAllowlist []mnpapi.MultiNetworkPolicyPort
 	)
-	tcp := v1.ProtocolTCP
-	for _, port := range allowPorts {
-		p := intstr.FromInt(port)
-		portAllowlist = append(portAllowlist, mnpapi.MultiNetworkPolicyPort{
-			Protocol: &tcp,
-			Port:     &p,
-		})
-	}
+	portAllowlist = append(portAllowlist, allowPorts...)
 	return &mnpapi.MultiNetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{
 			PolicyForAnnotation: policyFor,