Skip to content

Commit 5cb1ec5

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request kubernetes#86298 from aojea/netpolicyv6
networkPolicy ipv6 unit tests validation
2 parents e136426 + f401d71 commit 5cb1ec5

File tree

1 file changed

+133
-0
lines changed

1 file changed

+133
-0
lines changed

pkg/apis/networking/validation/validation_test.go

Lines changed: 133 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -283,6 +283,99 @@ func TestValidateNetworkPolicy(t *testing.T) {
283283
},
284284
},
285285
},
286+
{
287+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
288+
Spec: networking.NetworkPolicySpec{
289+
PodSelector: metav1.LabelSelector{
290+
MatchLabels: map[string]string{"a": "b"},
291+
},
292+
Egress: []networking.NetworkPolicyEgressRule{
293+
{
294+
To: []networking.NetworkPolicyPeer{
295+
{
296+
NamespaceSelector: &metav1.LabelSelector{
297+
MatchLabels: map[string]string{"c": "d"},
298+
},
299+
},
300+
},
301+
},
302+
},
303+
Ingress: []networking.NetworkPolicyIngressRule{
304+
{
305+
From: []networking.NetworkPolicyPeer{
306+
{
307+
IPBlock: &networking.IPBlock{
308+
CIDR: "fd00:192:168::/48",
309+
Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
310+
},
311+
},
312+
},
313+
},
314+
},
315+
},
316+
},
317+
{
318+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
319+
Spec: networking.NetworkPolicySpec{
320+
PodSelector: metav1.LabelSelector{
321+
MatchLabels: map[string]string{"a": "b"},
322+
},
323+
Ingress: []networking.NetworkPolicyIngressRule{
324+
{
325+
From: []networking.NetworkPolicyPeer{
326+
{
327+
IPBlock: &networking.IPBlock{
328+
CIDR: "fd00:192:168::/48",
329+
Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
330+
},
331+
},
332+
},
333+
},
334+
},
335+
},
336+
},
337+
{
338+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
339+
Spec: networking.NetworkPolicySpec{
340+
PodSelector: metav1.LabelSelector{
341+
MatchLabels: map[string]string{"a": "b"},
342+
},
343+
Egress: []networking.NetworkPolicyEgressRule{
344+
{
345+
To: []networking.NetworkPolicyPeer{
346+
{
347+
IPBlock: &networking.IPBlock{
348+
CIDR: "fd00:192:168::/48",
349+
Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
350+
},
351+
},
352+
},
353+
},
354+
},
355+
PolicyTypes: []networking.PolicyType{networking.PolicyTypeEgress},
356+
},
357+
},
358+
{
359+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
360+
Spec: networking.NetworkPolicySpec{
361+
PodSelector: metav1.LabelSelector{
362+
MatchLabels: map[string]string{"a": "b"},
363+
},
364+
Egress: []networking.NetworkPolicyEgressRule{
365+
{
366+
To: []networking.NetworkPolicyPeer{
367+
{
368+
IPBlock: &networking.IPBlock{
369+
CIDR: "fd00:192:168::/48",
370+
Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
371+
},
372+
},
373+
},
374+
},
375+
},
376+
PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress},
377+
},
378+
},
286379
}
287380

288381
// Success cases are expected to pass validation.
@@ -562,6 +655,26 @@ func TestValidateNetworkPolicy(t *testing.T) {
562655
},
563656
},
564657
},
658+
"invalid ipv6 cidr format": {
659+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
660+
Spec: networking.NetworkPolicySpec{
661+
PodSelector: metav1.LabelSelector{
662+
MatchLabels: map[string]string{"a": "b"},
663+
},
664+
Ingress: []networking.NetworkPolicyIngressRule{
665+
{
666+
From: []networking.NetworkPolicyPeer{
667+
{
668+
IPBlock: &networking.IPBlock{
669+
CIDR: "fd00:192:168::",
670+
Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
671+
},
672+
},
673+
},
674+
},
675+
},
676+
},
677+
},
565678
"except field is an empty string": {
566679
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
567680
Spec: networking.NetworkPolicySpec{
@@ -602,6 +715,26 @@ func TestValidateNetworkPolicy(t *testing.T) {
602715
},
603716
},
604717
},
718+
"except IPv6 is outside of CIDR range": {
719+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
720+
Spec: networking.NetworkPolicySpec{
721+
PodSelector: metav1.LabelSelector{
722+
MatchLabels: map[string]string{"a": "b"},
723+
},
724+
Ingress: []networking.NetworkPolicyIngressRule{
725+
{
726+
From: []networking.NetworkPolicyPeer{
727+
{
728+
IPBlock: &networking.IPBlock{
729+
CIDR: "fd00:192:168:1::/64",
730+
Except: []string{"fd00:192:168:2::/64"},
731+
},
732+
},
733+
},
734+
},
735+
},
736+
},
737+
},
605738
"invalid policyTypes": {
606739
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
607740
Spec: networking.NetworkPolicySpec{

0 commit comments

Comments
 (0)