Add e2e test cases

Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
antrea-io · Mar 9, 2022 · 90e87b5 · 90e87b5
1 parent e029300
commit 90e87b5
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 6 deletions.
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1186,6 +1186,7 @@ func podToGroupMember(pod *v1.Pod, includeIP bool) *controlplane.GroupMember {
 }
 
 func nodeToGroupMember(node *v1.Node) (member *controlplane.GroupMember) {
+	member = &controlplane.GroupMember{}
 	nodeIPs, err := k8s.GetNodeAddrs(node)
 	if err != nil {
 		return

diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -2690,14 +2690,14 @@ func testServiceAccountSelector(t *testing.T, data *TestData) {
 	time.Sleep(networkPolicyDelay)
 }
 
-func testACNPNodeSelector(t *testing.T) {
+func testACNPNodeSelectorEgress(t *testing.T) {
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("test-acnp-drop-egress-control-plane").
 		SetPriority(1.0)
 	nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}}
 	builder.AddNodeSelectorRule(&nodeSelector, v1.ProtocolTCP, &p6443, "egress-control-plane-drop",
 		[]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}, PodSelector: map[string]string{"pod": "a"}}},
-		crdv1alpha1.RuleActionDrop)
+		crdv1alpha1.RuleActionDrop, true)
 
 	testcases := []podToAddrTestStep{
 		{
@@ -2733,6 +2733,102 @@ func testACNPNodeSelector(t *testing.T) {
 	time.Sleep(networkPolicyDelay)
 }
 
+func testACNPNodeSelectorIngress(t *testing.T, data *TestData) {
+	_, serverIP0, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server0", controlPlaneNodeName(), "x", false)
+	defer cleanupFunc()
+
+	_, serverIP1, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server1", controlPlaneNodeName(), "y", false)
+	defer cleanupFunc()
+
+	clientName := "agnhost-client"
+	require.NoError(t, data.createAgnhostPodOnNode(clientName, "z", controlPlaneNodeName(), true))
+	defer data.deletePodAndWait(defaultTimeout, clientName, "z")
+	_, err := data.podWaitForIPs(defaultTimeout, clientName, "z")
+	require.NoError(t, err)
+
+	clientName1 := "agnhost-client1"
+	require.NoError(t, data.createAgnhostPodOnNode(clientName1, "z", nodeName(1), true))
+	defer data.deletePodAndWait(defaultTimeout, clientName1, "z")
+	_, err = data.podWaitForIPs(defaultTimeout, clientName1, "z")
+	require.NoError(t, err)
+
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("test-acnp-drop-ingress-from-control-plane").
+		SetPriority(1.0)
+	nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}}
+	builder.AddNodeSelectorRule(&nodeSelector, v1.ProtocolTCP, &p80, "ingress-control-plane-drop",
+		[]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}},
+		crdv1alpha1.RuleActionDrop, false)
+
+	testcases := []podToAddrTestStep{}
+	if clusterInfo.podV4NetworkCIDR != "" {
+		ipv4TestCases := []podToAddrTestStep{
+			{
+				Pod("z/" + clientName),
+				serverIP0.ipv4.String(),
+				80,
+				Dropped,
+			},
+			{
+				Pod("z/" + clientName),
+				serverIP1.ipv4.String(),
+				80,
+				Connected,
+			},
+			{
+				Pod("z/" + clientName1),
+				serverIP0.ipv4.String(),
+				80,
+				Connected,
+			},
+		}
+		testcases = append(testcases, ipv4TestCases...)
+	}
+	if clusterInfo.podV6NetworkCIDR != "" {
+		ipv6TestCases := []podToAddrTestStep{
+			{
+				Pod("z/" + clientName),
+				serverIP0.ipv6.String(),
+				80,
+				Dropped,
+			},
+			{
+				Pod("z/" + clientName),
+				serverIP1.ipv6.String(),
+				80,
+				Connected,
+			},
+			{
+				Pod("z/" + clientName1),
+				serverIP0.ipv6.String(),
+				80,
+				Connected,
+			},
+		}
+		testcases = append(testcases, ipv6TestCases...)
+	}
+
+	_, err = k8sUtils.CreateOrUpdateACNP(builder.Get())
+	failOnError(err, t)
+	time.Sleep(networkPolicyDelay)
+	for _, tc := range testcases {
+
+		log.Tracef("Probing: %s -> %s", tc.clientPod.PodName(), tc.destAddr)
+		connectivity, err := k8sUtils.ProbeAddr(tc.clientPod.Namespace(), "antrea-e2e", tc.clientPod.PodName(), tc.destAddr, tc.destPort, v1.ProtocolTCP)
+		if err != nil {
+			t.Errorf("failure -- could not complete probe: %v", err)
+		}
+		if connectivity != tc.expectedConnectivity {
+			t.Errorf("failure -- wrong results for probe: Source %s/%s --> Dest %s:%d connectivity: %v, expected: %v",
+				tc.clientPod.Namespace(), tc.clientPod.PodName(), tc.destAddr, tc.destPort, connectivity, tc.expectedConnectivity)
+		}
+	}
+	// cleanup test resources
+	failOnError(k8sUtils.DeleteACNP(builder.Name), t)
+	failOnError(waitForResourceDelete("", builder.Name, resourceACNP, timeout), t)
+	time.Sleep(networkPolicyDelay)
+}
+
 // executeTests runs all the tests in testList and prints results
 func executeTests(t *testing.T, testList []*TestCase) {
 	executeTestsWithData(t, testList, nil)
@@ -3064,7 +3160,8 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=FQDNPolicyInCluster", func(t *testing.T) { testFQDNPolicyInClusterService(t) })
 		t.Run("Case=ACNPToServices", func(t *testing.T) { testToServices(t) })
 		t.Run("Case=ACNPServiceAccountSelector", func(t *testing.T) { testServiceAccountSelector(t, data) })
-		t.Run("Case=ACNPNodeSelector", func(t *testing.T) { testACNPNodeSelector(t) })
+		t.Run("Case=ACNPNodeSelectorEgress", func(t *testing.T) { testACNPNodeSelectorEgress(t) })
+		t.Run("Case=ACNPNodeSelectorIngress", func(t *testing.T) { testACNPNodeSelectorIngress(t, data) })
 	})
 	// print results for reachability tests
 	printResults()

diff --git a/test/e2e/utils/cnpspecbuilder.go b/test/e2e/utils/cnpspecbuilder.go
@@ -219,23 +219,28 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol,
 }
 
 func (b *ClusterNetworkPolicySpecBuilder) AddNodeSelectorRule(nodeSelector *metav1.LabelSelector, protoc v1.Protocol, port *int32, name string,
-	ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder {
+	ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, isEgress bool) *ClusterNetworkPolicySpecBuilder {
 	var appliedTos []crdv1alpha1.NetworkPolicyPeer
 	for _, at := range ruleAppliedToSpecs {
 		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group))
 	}
 	policyPeer := []crdv1alpha1.NetworkPolicyPeer{{NodeSelector: nodeSelector}}
 
 	newRule := crdv1alpha1.Rule{
-		To: policyPeer,
 		Ports: []crdv1alpha1.NetworkPolicyPort{
 			{Protocol: &protoc, Port: &intstr.IntOrString{IntVal: *port}},
 		},
 		Action:    &action,
 		Name:      name,
 		AppliedTo: appliedTos,
 	}
-	b.Spec.Egress = append(b.Spec.Egress, newRule)
+	if isEgress {
+		newRule.To = policyPeer
+		b.Spec.Egress = append(b.Spec.Egress, newRule)
+	} else {
+		newRule.From = policyPeer
+		b.Spec.Ingress = append(b.Spec.Ingress, newRule)
+	}
 	return b
 }