test: add e2e tests for service-ca network policies

wangke19 · wangke19 · commit 5cd8b2707fe4 · 2026-03-23T17:22:17.000+08:00
Verify that NetworkPolicy resources introduced in PR openshift#324 are correctly deployed in both the openshift-service-ca-operator and openshift-service-ca namespaces. Tests check: - existence of allow and default-deny-all policies in each namespace - pod selector targets the correct app label - ingress allows TCP 8443 for metrics scraping - egress allows port 5353 for DNS resolution - both Ingress and Egress policyTypes are declared
diff --git a/test/e2e/network_policy.go b/test/e2e/network_policy.go
@@ -0,0 +1,197 @@
+package e2e
+
+import (
+	"context"
+	"testing"
+
+	g "github.com/onsi/ginkgo/v2"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+var _ = g.Describe("[sig-service-ca] service-ca-operator network policies", func() {
+	g.Context("operator-namespace-network-policies", func() {
+		g.It("[Operator][Serial] should have network policies deployed in the operator namespace", func() {
+			testOperatorNamespaceNetworkPolicies(g.GinkgoTB())
+		})
+	})
+
+	g.Context("controller-namespace-network-policies", func() {
+		g.It("[Operator][Serial] should have network policies deployed in the controller namespace", func() {
+			testControllerNamespaceNetworkPolicies(g.GinkgoTB())
+		})
+	})
+
+	g.Context("operator-network-policy-spec", func() {
+		g.It("[Operator][Serial] should allow metrics scraping on port 8443 and restrict other ingress in the operator namespace", func() {
+			testOperatorNetworkPolicySpec(g.GinkgoTB())
+		})
+	})
+
+	g.Context("controller-network-policy-spec", func() {
+		g.It("[Operator][Serial] should allow metrics scraping on port 8443 and restrict other ingress in the controller namespace", func() {
+			testControllerNetworkPolicySpec(g.GinkgoTB())
+		})
+	})
+})
+
+// testOperatorNamespaceNetworkPolicies verifies that the expected NetworkPolicy resources
+// exist in the openshift-service-ca-operator namespace.
+func testOperatorNamespaceNetworkPolicies(t testing.TB) {
+	client, err := getKubeClient()
+	if err != nil {
+		t.Fatalf("error getting kube client: %v", err)
+	}
+
+	checkNetworkPoliciesExist(t, client, serviceCAOperatorNamespace, []string{
+		"service-ca-operator",
+		"default-deny-all",
+	})
+}
+
+// testControllerNamespaceNetworkPolicies verifies that the expected NetworkPolicy resources
+// exist in the openshift-service-ca namespace.
+func testControllerNamespaceNetworkPolicies(t testing.TB) {
+	client, err := getKubeClient()
+	if err != nil {
+		t.Fatalf("error getting kube client: %v", err)
+	}
+
+	checkNetworkPoliciesExist(t, client, serviceCAControllerNamespace, []string{
+		"service-ca",
+		"default-deny-all",
+	})
+}
+
+// testOperatorNetworkPolicySpec verifies the spec of the service-ca-operator NetworkPolicy:
+// - Selects pods with app=service-ca-operator
+// - Allows ingress on TCP 8443 (metrics)
+// - Applies both Ingress and Egress policyTypes
+func testOperatorNetworkPolicySpec(t testing.TB) {
+	client, err := getKubeClient()
+	if err != nil {
+		t.Fatalf("error getting kube client: %v", err)
+	}
+
+	np, err := client.NetworkingV1().NetworkPolicies(serviceCAOperatorNamespace).Get(
+		context.TODO(), "service-ca-operator", metav1.GetOptions{},
+	)
+	if err != nil {
+		t.Fatalf("failed to get NetworkPolicy service-ca-operator in %s: %v", serviceCAOperatorNamespace, err)
+	}
+
+	checkServiceCANetworkPolicySpec(t, np, "app", "service-ca-operator")
+}
+
+// testControllerNetworkPolicySpec verifies the spec of the service-ca NetworkPolicy:
+// - Selects pods with app=service-ca
+// - Allows ingress on TCP 8443 (metrics)
+// - Applies both Ingress and Egress policyTypes
+func testControllerNetworkPolicySpec(t testing.TB) {
+	client, err := getKubeClient()
+	if err != nil {
+		t.Fatalf("error getting kube client: %v", err)
+	}
+
+	np, err := client.NetworkingV1().NetworkPolicies(serviceCAControllerNamespace).Get(
+		context.TODO(), "service-ca", metav1.GetOptions{},
+	)
+	if err != nil {
+		t.Fatalf("failed to get NetworkPolicy service-ca in %s: %v", serviceCAControllerNamespace, err)
+	}
+
+	checkServiceCANetworkPolicySpec(t, np, "app", "service-ca")
+}
+
+// checkNetworkPoliciesExist asserts that all named NetworkPolicies exist in the given namespace.
+func checkNetworkPoliciesExist(t testing.TB, client *kubernetes.Clientset, namespace string, names []string) {
+	t.Helper()
+	existing, err := client.NetworkingV1().NetworkPolicies(namespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		t.Fatalf("failed to list NetworkPolicies in %s: %v", namespace, err)
+	}
+
+	nameSet := make(map[string]bool, len(existing.Items))
+	for _, np := range existing.Items {
+		nameSet[np.Name] = true
+	}
+
+	for _, name := range names {
+		if !nameSet[name] {
+			t.Errorf("expected NetworkPolicy %q to exist in namespace %s, but it was not found (found: %v)",
+				name, namespace, existingNetworkPolicyNames(existing.Items))
+		}
+	}
+}
+
+// checkServiceCANetworkPolicySpec validates common spec requirements for service-ca allow policies:
+// - podSelector targets the expected label
+// - ingress allows port 8443/TCP (metrics scraping)
+// - egress allows port 5353 (DNS)
+// - both Ingress and Egress policyTypes are set
+func checkServiceCANetworkPolicySpec(t testing.TB, np *networkingv1.NetworkPolicy, labelKey, labelValue string) {
+	t.Helper()
+
+	if v, ok := np.Spec.PodSelector.MatchLabels[labelKey]; !ok || v != labelValue {
+		t.Errorf("NetworkPolicy %q podSelector: expected matchLabel %s=%s, got %v",
+			np.Name, labelKey, labelValue, np.Spec.PodSelector.MatchLabels)
+	}
+
+	hasIngress, hasEgress := false, false
+	for _, pt := range np.Spec.PolicyTypes {
+		switch pt {
+		case networkingv1.PolicyTypeIngress:
+			hasIngress = true
+		case networkingv1.PolicyTypeEgress:
+			hasEgress = true
+		}
+	}
+	if !hasIngress {
+		t.Errorf("NetworkPolicy %q: expected policyTypes to include Ingress", np.Name)
+	}
+	if !hasEgress {
+		t.Errorf("NetworkPolicy %q: expected policyTypes to include Egress", np.Name)
+	}
+
+	if !hasIngressPort(np, 8443) {
+		t.Errorf("NetworkPolicy %q: expected an ingress rule allowing TCP port 8443 for metrics scraping", np.Name)
+	}
+
+	if !hasEgressPort(np, 5353) {
+		t.Errorf("NetworkPolicy %q: expected an egress rule allowing port 5353 for DNS resolution", np.Name)
+	}
+}
+
+// hasIngressPort returns true if the NetworkPolicy has an ingress rule that opens the given port.
+func hasIngressPort(np *networkingv1.NetworkPolicy, port int) bool {
+	for _, rule := range np.Spec.Ingress {
+		for _, p := range rule.Ports {
+			if p.Port != nil && int(p.Port.IntVal) == port {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// hasEgressPort returns true if the NetworkPolicy has an egress rule that allows the given port.
+func hasEgressPort(np *networkingv1.NetworkPolicy, port int) bool {
+	for _, rule := range np.Spec.Egress {
+		for _, p := range rule.Ports {
+			if p.Port != nil && int(p.Port.IntVal) == port {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// existingNetworkPolicyNames returns the names of the given NetworkPolicies for error messages.
+func existingNetworkPolicyNames(policies []networkingv1.NetworkPolicy) []string {
+	names := make([]string, 0, len(policies))
+	for _, np := range policies {
+		names = append(names, np.Name)
+	}
+	return names
+}
