Fixed bug where some CNIs falsely won't allow traffic when network policy has target port instead of service port

src/operator/controllers/intents_reconcilers/networkpolicy/builders/builders_test.go

@@ -108,7 +108,7 @@ func (s *AllBuildersTestSuite) TestCreateEveryRuleKind() {
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		},
 		}},
-		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}}, To: []v1.NetworkPolicyPeer{{
+		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}, {Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 0}}}, To: []v1.NetworkPolicyPeer{{
 			PodSelector:       &metav1.LabelSelector{MatchLabels: serviceSelector},
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		}}},
@@ -259,7 +259,7 @@ func (s *AllBuildersTestSuite) TestCreateEveryRuleKindShouldCreateSeparatePolici
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		},
 		}},
-		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}}, To: []v1.NetworkPolicyPeer{{
+		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}, {Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 0}}}, To: []v1.NetworkPolicyPeer{{
 			PodSelector:       &metav1.LabelSelector{MatchLabels: serviceSelector},
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		}}},
@@ -411,7 +411,7 @@ func (s *AllBuildersTestSuite) TestCreateEveryRuleKindWithKinds() {
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		},
 		}},
-		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}}, To: []v1.NetworkPolicyPeer{{
+		{Ports: []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}, {Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 0}}}, To: []v1.NetworkPolicyPeer{{
 			PodSelector:       &metav1.LabelSelector{MatchLabels: serviceSelector},
 			NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{otterizev2alpha1.KubernetesStandardNamespaceNameLabelKey: serverNamespace}},
 		}}},

src/operator/controllers/intents_reconcilers/networkpolicy/builders/port_egress_network_policy.go

@@ -80,13 +80,23 @@ func getEgressRuleBasedOnServicePodSelector(svc *corev1.Service) v1.NetworkPolic
 	// Create a list of network policy ports
 	networkPolicyPorts := make([]v1.NetworkPolicyPort, 0)
 	for _, port := range svc.Spec.Ports {
-		netpolPort := v1.NetworkPolicyPort{
+		targetPort := v1.NetworkPolicyPort{
 			Port: lo.ToPtr(port.TargetPort),
 		}
 		if len(port.Protocol) != 0 {
-			netpolPort.Protocol = lo.ToPtr(port.Protocol)
+			targetPort.Protocol = lo.ToPtr(port.Protocol)
 		}
-		networkPolicyPorts = append(networkPolicyPorts, netpolPort)
+		// Adding service port to the list to solve some off-brand CNIs having issues with allowing traffic correctly
+		servicePort := v1.NetworkPolicyPort{
+			Port: &intstr.IntOrString{
+				Type:   intstr.Int,
+				IntVal: port.Port,
+			},
+		}
+		if len(port.Protocol) != 0 {
+			servicePort.Protocol = lo.ToPtr(port.Protocol)
+		}
+		networkPolicyPorts = append(networkPolicyPorts, targetPort, servicePort)
 	}
 
 	podSelectorEgressRule.Ports = networkPolicyPorts

src/operator/controllers/intents_reconcilers/networkpolicy/builders/port_egress_network_policy_test.go

@@ -557,10 +557,12 @@ func (s *PortEgressNetworkPolicyReconcilerTestSuite) testCreateNetworkPolicyForK
 		svcObject,
 	)
 	// Add target port and change selector in ingress to use svc
-	newPolicy.Spec.Egress[0].Ports = lo.Map(ports, func(port corev1.ServicePort, _ int) v1.NetworkPolicyPort {
-		return v1.NetworkPolicyPort{Port: &port.TargetPort, Protocol: lo.Ternary(len(port.Protocol) != 0, lo.ToPtr(port.Protocol), nil)}
-	})
-
+	egressPorts := make([]v1.NetworkPolicyPort, 0)
+	for _, port := range ports {
+		egressPorts = append(egressPorts, v1.NetworkPolicyPort{Port: &port.TargetPort, Protocol: lo.Ternary(len(port.Protocol) != 0, lo.ToPtr(port.Protocol), nil)})
+		egressPorts = append(egressPorts, v1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: port.Port}, Protocol: lo.Ternary(len(port.Protocol) != 0, lo.ToPtr(port.Protocol), nil)})
+	}
+	newPolicy.Spec.Egress[0].Ports = egressPorts
 	s.externalNetpolHandler.EXPECT().HandlePodsByLabelSelector(gomock.Any(), gomock.Any(), gomock.Any())
 	s.Client.EXPECT().Create(gomock.Any(), gomock.Eq(newPolicy)).Return(nil)
 
@@ -603,7 +605,7 @@ func (s *PortEgressNetworkPolicyReconcilerTestSuite) TestUpdateNetworkPolicyForK
 	s.expectGetAllEffectivePolicies([]otterizev2alpha1.ClientIntents{clientIntents})
 
 	svcSelector := map[string]string{"a": "b"}
-	svcObject := s.addExpectedKubernetesServiceCall("test-server", testNamespace, []corev1.ServicePort{{TargetPort: intstr.IntOrString{IntVal: 80}}}, svcSelector)
+	svcObject := s.addExpectedKubernetesServiceCall("test-server", testNamespace, []corev1.ServicePort{{TargetPort: intstr.IntOrString{IntVal: 80}, Port: 3333}}, svcSelector)
 	// Search for existing NetworkPolicy
 	emptyNetworkPolicy := &v1.NetworkPolicy{}
 	networkPolicyNamespacedName := types.NamespacedName{
@@ -621,6 +623,8 @@ func (s *PortEgressNetworkPolicyReconcilerTestSuite) TestUpdateNetworkPolicyForK
 	)
 	// Add target port and change selector in egress to use svc
 	newPolicy.Spec.Egress[0].Ports = []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{IntVal: 80}}}
+	port := svcObject.Spec.Ports[0]
+	newPolicy.Spec.Egress[0].Ports = append(newPolicy.Spec.Egress[0].Ports, v1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: port.Port}, Protocol: lo.Ternary(len(port.Protocol) != 0, lo.ToPtr(port.Protocol), nil)})
 	existingBadPolicy := newPolicy.DeepCopy()
 	existingBadPolicy.Spec.Egress[0].Ports = []v1.NetworkPolicyPort{{Port: &intstr.IntOrString{IntVal: 90}}}