From b5ffd4084c1aafd5276156428bde3f1bb8369230 Mon Sep 17 00:00:00 2001 
From: Mathew Merrick Date: Fri, 20 Dec 2019 15:30:01 -0800 Subject: [PATCH 1/3] add policy yamls for test scenarios --- .../allow-all-from-app-backend.yaml | 13 + .../allow-all-ns-to-frontend.yaml | 14 + .../allow-all-to-app-frontend.yaml | 13 + ...app-backend-to-app-frontend-port-8000.yaml | 18 + ...-app-frontend-tcp-port-or-udp-port-53.yaml | 19 + .../allow-backend-to-frontend.yaml | 16 + .../allow-internal-and-external.yaml | 13 + ...ow-multiple-labels-to-multiple-labels.yaml | 22 + ...s-dev-and-app-backend-to-app-frontend.yaml | 19 + .../allow-ns-dev-to-app-frontend.yaml | 22 + .../allow-ns-test-namespace-to-frontend.yaml | 15 + npm/testpolicies/complex-policy.yaml | 34 + .../deny-all-from-app-backend.yaml | 11 + npm/testpolicies/deny-all-from-ns-unsafe.yaml | 10 + npm/testpolicies/deny-all-policy.yaml | 10 + .../deny-all-to-app-frontend.yaml | 11 + ...low-all-to-k0-and-k1-and-app-frontend.yaml | 23 + npm/translatePolicy_test.go | 794 +++++------------- 18 files changed, 481 insertions(+), 596 deletions(-) create mode 100644 npm/testpolicies/allow-all-from-app-backend.yaml create mode 100644 npm/testpolicies/allow-all-ns-to-frontend.yaml create mode 100644 npm/testpolicies/allow-all-to-app-frontend.yaml create mode 100644 npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml create mode 100644 npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml create mode 100644 npm/testpolicies/allow-backend-to-frontend.yaml create mode 100644 npm/testpolicies/allow-internal-and-external.yaml create mode 100644 npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml create mode 100644 npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml create mode 100644 npm/testpolicies/allow-ns-dev-to-app-frontend.yaml create mode 100644 npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml create mode 100644 npm/testpolicies/complex-policy.yaml create mode 100644 npm/testpolicies/deny-all-from-app-backend.yaml create mode 100644 
npm/testpolicies/deny-all-from-ns-unsafe.yaml create mode 100644 npm/testpolicies/deny-all-policy.yaml create mode 100644 npm/testpolicies/deny-all-to-app-frontend.yaml create mode 100644 npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
diff --git a/npm/testpolicies/allow-all-from-app-backend.yaml b/npm/testpolicies/allow-all-from-app-backend.yaml
new file mode 100644
index 0000000000..8bbb1ec169
--- /dev/null
+++ b/npm/testpolicies/allow-all-from-app-backend.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: "backend"
+ egress:
+ - {}
diff --git a/npm/testpolicies/allow-all-ns-to-frontend.yaml b/npm/testpolicies/allow-all-ns-to-frontend.yaml
new file mode 100644
index 0000000000..f813f086f7
--- /dev/null
+++ b/npm/testpolicies/allow-all-ns-to-frontend.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ ingress:
+ - from:
+ - namespaceSelector: {}
diff --git a/npm/testpolicies/allow-all-to-app-frontend.yaml b/npm/testpolicies/allow-all-to-app-frontend.yaml
new file mode 100644
index 0000000000..f1f5776e9c
--- /dev/null
+++ b/npm/testpolicies/allow-all-to-app-frontend.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ALLOW-all-TO-app:frontend-FROM-all-namespaces-policy
+ namespace: "testnamespace"
+spec:
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
diff --git a/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml b/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml
new file mode 100644
index 0000000000..a722f3bc64
--- /dev/null
+++ b/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml
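Review bot: `name: deny-all-policy` in allow-all-from-app-backend.yaml labels a policy whose `egress: - {}` allows everything, and the same placeholder name is reused by allow-all-ns-to-frontend, allow-backend-to-frontend, allow-internal-and-external, allow-multiple-labels-to-multiple-labels, allow-ns-dev-and-app-backend-to-app-frontend, allow-ns-test-namespace-to-frontend and test-allow-all-to-k0-and-k1-and-app-frontend. The converted Go tests still report failures under the old descriptive names (for example `ALLOW-app:backend-TO-app:frontend-policy`), so a failing message no longer identifies the fixture that produced it, and anything that keys on `metadata.name` now sees several distinct policies in `testnamespace` with the same identity. Carry the names over from the deleted Go literals, e.g. `name: ALLOW-all-FROM-app:backend-policy` for this file. test-allow-all-to-k0-and-k1-and-app-frontend.yaml is also the only fixture with a `test-` prefix; dropping it keeps the directory uniform.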
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ALLOW-app:backend-TO-app:frontend-port-8000-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: frontend
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: backend
+ ports:
+ - port: 8000
diff --git a/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml b/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml
new file mode 100644
index 0000000000..5c7a5fd09d
--- /dev/null
+++ b/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ALLOW-app:backend-TO-app:frontend-port-8000-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: frontend
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ - to:
+ - namespaceSelector: {}
diff --git a/npm/testpolicies/allow-backend-to-frontend.yaml b/npm/testpolicies/allow-backend-to-frontend.yaml
new file mode 100644
index 0000000000..7afbfbeee9
--- /dev/null
+++ b/npm/testpolicies/allow-backend-to-frontend.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ podSelector:
+ matchLabels:
+ app: "backend"
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ policyTypes:
+ - Ingress
diff --git a/npm/testpolicies/allow-internal-and-external.yaml b/npm/testpolicies/allow-internal-and-external.yaml
new file mode 100644
index 0000000000..61f0fb1ef7
--- /dev/null
+++ b/npm/testpolicies/allow-internal-and-external.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "dangerous"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "backdoor"
+ ingress:
+ - from: []
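Review bot: allow-app-frontend-tcp-port-or-udp-port-53.yaml carries `name: ALLOW-app:backend-TO-app:frontend-port-8000-policy`, copied from the port-8000 fixture just above it, although its spec is an egress policy on app: frontend. Its two egress rules are also evaluated independently: the first (`- ports:` with no `to`) permits TCP and UDP 53 to any destination, and the second (`- to:` with no `ports`) permits all traffic to every namespace, so the policy is much broader than "DNS to all namespaces"; if that narrower reading was intended, `to` and `ports` belong in a single rule. Give the fixture its own name, e.g. `name: ALLOW-app:frontend-TO-tcp-port-53-OR-udp-port-53-policy`, and add a one-line comment stating which reading is meant. No test referencing this fixture is visible in this chunk, so the expected translation cannot be checked here.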
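Review bot: allow-backend-to-frontend.yaml selects `app: "backend"` and admits ingress from `app: frontend`, i.e. it allows frontend-to-backend traffic, which is the reverse of what the filename says; the sibling allow-app-backend-to-app-frontend-port-8000.yaml uses the opposite (source-to-target) reading of the same wording. The deleted Go literal had the same mismatch under `ALLOW-app:backend-TO-app:frontend-policy`, so this is inherited rather than new, but the move to named files is the moment to make the name match the spec, e.g. rename to allow-frontend-to-backend.yaml or swap the two selectors if backend-to-frontend was the intended scenario.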
diff --git a/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml b/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml
new file mode 100644
index 0000000000..0f83383c76
--- /dev/null
+++ b/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "acn"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: k8s
+ team: aks
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ program: cni
+ team: acn
+ - podSelector:
+ matchLabels:
+ binary: cns
+ group: container
diff --git a/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml b/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml
new file mode 100644
index 0000000000..88b5b22921
--- /dev/null
+++ b/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: backend
+ namespaceSelector:
+ matchLabels:
+ ns: dev
diff --git a/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml b/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml
new file mode 100644
index 0000000000..05bc5ab5e0
--- /dev/null
+++ b/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "ALLOW-ns-namespace:dev-AND-!ns-namespace:test0-AND-!ns-namespace:test1-TO-app:frontend-policy"
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ namespace: "dev"
+ matchExpressions:
+ - key: namespace
+ operator: NotIn
+ values:
+ - test0
+ - test1
diff --git a/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml b/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml
new file mode 100644
index 0000000000..146e0aab11
--- /dev/null
+++ b/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
diff --git a/npm/testpolicies/complex-policy.yaml b/npm/testpolicies/complex-policy.yaml
new file mode 100644
index 0000000000..057225e51c
--- /dev/null
+++ b/npm/testpolicies/complex-policy.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: k8s-example-policy
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ role: db
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 172.17.0.0/16
+ except:
+ - 172.17.1.0/24
+ - namespaceSelector:
+ matchLabels:
+ project: myproject
+ - podSelector:
+ matchLabels:
+ role: frontend
+ ports:
+ - protocol: TCP
+ port: 6379
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/24
+ ports:
+ - protocol: TCP
+ port: 5978
diff --git a/npm/testpolicies/deny-all-from-app-backend.yaml b/npm/testpolicies/deny-all-from-app-backend.yaml
new file mode 100644
index 0000000000..60ef7286a1
--- /dev/null
+++ b/npm/testpolicies/deny-all-from-app-backend.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: "backend"
diff --git a/npm/testpolicies/deny-all-from-ns-unsafe.yaml b/npm/testpolicies/deny-all-from-ns-unsafe.yaml
new file mode 100644
index 0000000000..706ba19acc
--- /dev/null
+++ b/npm/testpolicies/deny-all-from-ns-unsafe.yaml
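Review bot: allow-ns-test-namespace-to-frontend.yaml ends on a bare `matchLabels:` with nothing under it beneath `- podSelector:`, which the decoder will presumably turn into a selector with a nil label map — functionally the same select-every-pod-in-the-namespace peer that the deleted Go literal `&metav1.LabelSelector{}` expressed, but it reads like a truncated file. Writing the peer as `- podSelector: {}` states that intent explicitly, matches how deny-all-policy.yaml and deny-all-from-ns-unsafe.yaml spell an empty selector, and cannot be mistaken for a label that was accidentally left off.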
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "unsafe"
+spec:
+ policyTypes:
+ - Egress
+ podSelector: {}
+ egress: []
diff --git a/npm/testpolicies/deny-all-policy.yaml b/npm/testpolicies/deny-all-policy.yaml
new file mode 100644
index 0000000000..6f818340ac
--- /dev/null
+++ b/npm/testpolicies/deny-all-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector: {}
+ ingress: []
diff --git a/npm/testpolicies/deny-all-to-app-frontend.yaml b/npm/testpolicies/deny-all-to-app-frontend.yaml
new file mode 100644
index 0000000000..9afcd56781
--- /dev/null
+++ b/npm/testpolicies/deny-all-to-app-frontend.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ policyTypes:
+ - Ingress
diff --git a/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml b/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
new file mode 100644
index 0000000000..546e8254b8
--- /dev/null
+++ b/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all-policy
+ namespace: "testnamespace"
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: "frontend"
+ matchExpressions:
+ - key: k0
+ operator: DoesNotExist
+ values: []
+ - key: k1
+ operator: In
+ values:
+ - v0
+ - v1
+ ingress:
+ - from:
+ - namespaceSelector: {}
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
index ba8f839322..9b74804971 100644
--- a/npm/translatePolicy_test.go
+++ b/npm/translatePolicy_test.go
@@ -2,6 +2,7 @@ package npm
 import (
 "encoding/json"
+ "io/ioutil"
 "reflect"
 "testing"
@@ -11,6 +12,7 @@ import ( networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/client-go/kubernetes/scheme" ) func TestCraftPartialIptEntrySpecFromPort(t *testing.T) { @@ -1064,20 +1066,23 @@ func TestTranslateEgress(t *testing.T) { } } -func TestTranslatePolicy(t *testing.T) { - targetSelector := metav1.LabelSelector{} - denyAllPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "deny-all-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{}, - }, +func readPolicyYaml(policyYaml string) (*networkingv1.NetworkPolicy, error) { + decode := scheme.Codecs.UniversalDeserializer().Decode + b, err := ioutil.ReadFile(policyYaml) + if err != nil { + return nil, err + } + obj, _, err := decode([]byte(b), nil, nil) + if err != nil { + return nil, err + } + return obj.(*networkingv1.NetworkPolicy), nil +} + +func TestDenyAllPolicy(t *testing.T) { + denyAllPolicy, err := readPolicyYaml("testpolicies/deny-all-policy.yaml") + if err != nil { + t.Fatal(err) } sets, lists, iptEntries := translatePolicy(denyAllPolicy) @@ -1097,7 +1102,7 @@ func TestTranslatePolicy(t *testing.T) { } expectedIptEntries := []*iptm.IptEntry{} - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, true, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", denyAllPolicy.Spec.PodSelector, true, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ deny-all-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) 
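Review bot: The last line of readPolicyYaml, `return obj.(*networkingv1.NetworkPolicy), nil`, is an unchecked type assertion: UniversalDeserializer().Decode accepts any registered kind, so a fixture with the wrong `kind` (or one that decodes to a different object) panics the whole test binary instead of failing the one test with a readable message. Use the two-value form and return an error: `policy, ok := obj.(*networkingv1.NetworkPolicy)` / `if !ok { return nil, fmt.Errorf("%s: decoded %T, want *networkingv1.NetworkPolicy", policyYaml, obj) }` / `return policy, nil`, adding `"fmt"` to the import block. The `[]byte(b)` on the decode line is a no-op because ioutil.ReadFile already returns a []byte, so `decode(b, nil, nil)` reads cleaner. A doc comment such as `// readPolicyYaml decodes one NetworkPolicy manifest from policyYaml, a path relative to the package directory that go test runs in.` would also help the next reader.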
@@ -1105,41 +1110,16 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "backend", - }, - } - allowBackendToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-app:backend-TO-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - }, - }, - }, - }, - }, - }, +func TestAllowBackendToFrontend(t *testing.T) { + allowBackendToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-backend-to-frontend.yaml") + if err != nil { + t.Fatal(err) } + sets, lists, iptEntries := translatePolicy(allowBackendToFrontendPolicy) - sets, lists, iptEntries = translatePolicy(allowBackendToFrontendPolicy) - - expectedSets = []string{ + expectedSets := []string{ "app:backend", "ns-testnamespace", "app:frontend", @@ -1150,14 +1130,14 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{} + expectedLists := []string{} if !reflect.DeepEqual(lists, expectedLists) { t.Errorf("translatedPolicy failed @ ALLOW-app:backend-TO-app:frontend-policy lists comparison") t.Errorf("lists: %v", lists) t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} + expectedIptEntries := []*iptm.IptEntry{} nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ 
@@ -1240,31 +1220,17 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-all-TO-app:frontend-FROM-all-namespaces-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{}, - }, - }, +func TestAllowAllToAppFrontend(t *testing.T) { + allowToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-all-to-app-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(allowToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(allowToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "ns-testnamespace", } @@ -1274,7 +1240,7 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{ + expectedLists := []string{ util.KubeAllNamespacesFlag, } if !reflect.DeepEqual(lists, expectedLists) { @@ -1283,9 +1249,9 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} + expectedIptEntries := []*iptm.IptEntry{} - nonKubeSystemEntries = []*iptm.IptEntry{ + nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: []string{ 
@@ -1309,7 +1275,7 @@ func TestTranslatePolicy(t *testing.T) { }, } expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowToFrontendPolicy.Spec.PodSelector, false, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ ALLOW-all-TO-app:frontend-FROM-all-namespaces-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) @@ -1317,29 +1283,17 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - denyAllToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-none-TO-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{}, - }, +func TestDenyAllToAppFrontend(t *testing.T) { + denyAllToFrontendPolicy, err := readPolicyYaml("testpolicies/deny-all-to-app-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(denyAllToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(denyAllToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "ns-testnamespace", } 
@@ -1349,15 +1303,15 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{} + expectedLists := []string{} if !reflect.DeepEqual(lists, expectedLists) { t.Errorf("translatedPolicy failed @ ALLOW-none-TO-app:frontend-policy lists comparison") t.Errorf("lists: %v", lists) t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, true, false)...) + expectedIptEntries := []*iptm.IptEntry{} + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", denyAllToFrontendPolicy.Spec.PodSelector, true, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ ALLOW-none-TO-app:frontend-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) @@ -1365,37 +1319,17 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowNsTestNamespaceToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-ns-testnamespace-TO-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - 
From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - PodSelector: &metav1.LabelSelector{}, - }, - }, - }, - }, - }, +func TestNamespaceToFrontend(t *testing.T) { + allowNsTestNamespaceToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-ns-test-namespace-to-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(allowNsTestNamespaceToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(allowNsTestNamespaceToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "ns-testnamespace", } @@ -1405,15 +1339,15 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{} + expectedLists := []string{} if !reflect.DeepEqual(lists, expectedLists) { t.Errorf("translatedPolicy failed @ ALLOW-ns-testnamespace-TO-app:frontend-policy lists comparison") t.Errorf("lists: %v", lists) t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} - nonKubeSystemEntries = []*iptm.IptEntry{ + expectedIptEntries := []*iptm.IptEntry{} + nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ Chain: util.IptablesAzureIngressFromChain, Specs: []string{ @@ -1487,7 +1421,7 @@ func TestTranslatePolicy(t *testing.T) { }, } expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowNsTestNamespaceToFrontendPolicy.Spec.PodSelector, false, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ ALLOW-ns-testnamespace-TO-app:frontend-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) 
@@ -1495,36 +1429,16 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowAllNsToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-all-namespaces-TO-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - NamespaceSelector: &metav1.LabelSelector{}, - }, - }, - }, - }, - }, +func TestAllowAllNamespacesToAppFrontend(t *testing.T) { + allowAllNsToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-all-ns-to-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(allowAllNsToFrontendPolicy) - expectedSets = []string{ + sets, lists, iptEntries := translatePolicy(allowAllNsToFrontendPolicy) + expectedSets := []string{ "app:frontend", "ns-testnamespace", } @@ -1534,7 +1448,7 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{ + expectedLists := []string{ util.KubeAllNamespacesFlag, } if !reflect.DeepEqual(lists, expectedLists) { @@ -1543,8 +1457,8 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} - nonKubeSystemEntries = []*iptm.IptEntry{ + expectedIptEntries := []*iptm.IptEntry{} + nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ Chain: util.IptablesAzureIngressFromChain, Specs: []string{ 
@@ -1618,7 +1532,7 @@ func TestTranslatePolicy(t *testing.T) { }, } expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowAllNsToFrontendPolicy.Spec.PodSelector, false, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ ALLOW-all-namespaces-TO-app:frontend-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) @@ -1626,51 +1540,17 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowNsDevToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-ns-namespace:dev-AND-!ns-namespace:test0-AND-!ns-namespace:test1-TO-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - 
From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "namespace": "dev", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - metav1.LabelSelectorRequirement{ - Key: "namespace", - Operator: metav1.LabelSelectorOpNotIn, - Values: []string{ - "test0", - "test1", - }, - }, - }, - }, - }, - }, - }, - }, - }, +func TestAllowNamespaceDevToAppFrontend(t *testing.T) { + allowNsDevToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-ns-dev-to-app-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(allowNsDevToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(allowNsDevToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "ns-testnamespace", } @@ -1680,7 +1560,7 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{ + expectedLists := []string{ "ns-namespace:dev", "ns-namespace:test0", "ns-namespace:test1", @@ -1691,8 +1571,8 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} - nonKubeSystemEntries = []*iptm.IptEntry{ + expectedIptEntries := []*iptm.IptEntry{} + nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ Chain: util.IptablesAzureIngressFromChain, Specs: []string{ 
@@ -1779,7 +1659,7 @@ func TestTranslatePolicy(t *testing.T) { } expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowNsDevToFrontendPolicy.Spec.PodSelector, false, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ ALLOW-ns-namespace:dev-AND-!ns-namespace:test0-AND-!ns-namespace:test1-TO-app:frontend-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) @@ -1787,49 +1667,17 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchExpressions: []metav1.LabelSelectorRequirement{ - metav1.LabelSelectorRequirement{ - Key: "k0", - Operator: metav1.LabelSelectorOpDoesNotExist, - Values: []string{}, - }, - metav1.LabelSelectorRequirement{ - Key: "k1", - Operator: metav1.LabelSelectorOpIn, - Values: []string{"v0", "v1"}, - }, - }, - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowAllToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "AllOW-ALL-TO-k0-AND-k1:v0-AND-k1:v1-AND-app:frontend-policy", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - 
From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - NamespaceSelector: &metav1.LabelSelector{}, - }, - }, - }, - }, - }, +func TestAllowAllToK0AndK1AndAppFrontend(t *testing.T) { + allowAllToFrontendPolicy, err := readPolicyYaml("testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml") + if err != nil { + t.Fatal(err) } - sets, lists, iptEntries = translatePolicy(allowAllToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(allowAllToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "k0", "k1:v0", @@ -1842,15 +1690,15 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{util.KubeAllNamespacesFlag} + expectedLists := []string{util.KubeAllNamespacesFlag} if !reflect.DeepEqual(lists, expectedLists) { t.Errorf("translatedPolicy failed @ AllOW-ALL-TO-k0-AND-k1:v0-AND-k1:v1-AND-app:frontend-policy lists comparison") t.Errorf("lists: %v", lists) t.Errorf("expectedLists: %v", expectedLists) } - expectedIptEntries = []*iptm.IptEntry{} - nonKubeSystemEntries = []*iptm.IptEntry{ + expectedIptEntries := []*iptm.IptEntry{} + nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ Chain: util.IptablesAzureIngressFromChain, Specs: []string{ @@ -1989,7 +1837,7 @@ func TestTranslatePolicy(t *testing.T) { } expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) - expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...) + expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowAllToFrontendPolicy.Spec.PodSelector, false, false)...) if !reflect.DeepEqual(iptEntries, expectedIptEntries) { t.Errorf("translatedPolicy failed @ AllOW-all-TO-k0-AND-k1:v0-AND-k1:v1-AND-app:frontend-policy policy comparison") marshalledIptEntries, _ := json.Marshal(iptEntries) 
@@ -1997,47 +1845,18 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("iptEntries: %s", marshalledIptEntries) t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries) } +} - targetSelector = metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "frontend", - }, - } - allowNsDevAndBackendToFrontendPolicy := &networkingv1.NetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ALLOW-ns-ns:dev-AND-app:backend-TO-app:frontend", - Namespace: "testnamespace", - }, - Spec: networkingv1.NetworkPolicySpec{ - PodSelector: targetSelector, - PolicyTypes: []networkingv1.PolicyType{ - networkingv1.PolicyTypeIngress, - }, - Ingress: []networkingv1.NetworkPolicyIngressRule{ - networkingv1.NetworkPolicyIngressRule{ - From: []networkingv1.NetworkPolicyPeer{ - networkingv1.NetworkPolicyPeer{ - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "backend", - }, - }, - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "ns": "dev", - }, - }, - }, - }, - }, - }, - }, +func TestAllowNsDevAndAppBackendToAppFrontend(t *testing.T) { + allowNsDevAndBackendToFrontendPolicy, err := readPolicyYaml("testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml") + if err != nil { + t.Fatal(err) } util.IsNewNwPolicyVerFlag = true - sets, lists, iptEntries = translatePolicy(allowNsDevAndBackendToFrontendPolicy) + sets, lists, iptEntries := translatePolicy(allowNsDevAndBackendToFrontendPolicy) - expectedSets = []string{ + expectedSets := []string{ "app:frontend", "ns-testnamespace", "app:backend", @@ -2048,7 +1867,7 @@ func TestTranslatePolicy(t *testing.T) { t.Errorf("expectedSets: %v", expectedSets) } - expectedLists = []string{ + expectedLists := []string{ "ns-ns:dev", } if !reflect.DeepEqual(lists, expectedLists) { 
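Review bot: TestAllowNsDevAndAppBackendToAppFrontend sets the package global `util.IsNewNwPolicyVerFlag = true` and never restores it; that was order-stable while every scenario lived in one TestTranslatePolicy body, but now that each scenario is its own Test function the flag leaks into whichever tests run after it (TestAllowInternalAndExternal in this patch), and running one test in isolation with `-run` exercises a different translatePolicy path than the full package does. Restore the previous value on exit, e.g. `prev := util.IsNewNwPolicyVerFlag` / `util.IsNewNwPolicyVerFlag = true` / `defer func() { util.IsNewNwPolicyVerFlag = prev }()`. Whether the earlier scenarios' expected entries were computed with the flag false is not visible here, so worth confirming against translatePolicy before relying on the default.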
@@ -2057,8 +1876,8 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureIngressFromChain,
 Specs: []string{
@@ -2138,7 +1957,7 @@ func TestTranslatePolicy(t *testing.T) {
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowNsDevAndBackendToFrontendPolicy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-ns-ns:dev-AND-app:backend-TO-app:frontend policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2146,33 +1965,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "backdoor",
- },
- }
- allowInternalAndExternalPolicy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-ALL-TO-app:backdoor-policy",
- Namespace: "dangerous",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeIngress,
- },
- Ingress: []networkingv1.NetworkPolicyIngressRule{
- networkingv1.NetworkPolicyIngressRule{
- From: []networkingv1.NetworkPolicyPeer{},
- },
- },
- },
+func TestAllowInternalAndExternal(t *testing.T) {
+ allowInternalAndExternalPolicy, err := readPolicyYaml("testpolicies/allow-internal-and-external.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- sets, lists, iptEntries = translatePolicy(allowInternalAndExternalPolicy)
+ sets, lists, iptEntries := translatePolicy(allowInternalAndExternalPolicy)
- expectedSets = []string{
+ expectedSets := []string{
 "app:backdoor",
 "ns-dangerous",
 }
@@ -2182,15 +1985,15 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{}
+ expectedLists := []string{}
 if !reflect.DeepEqual(lists, expectedLists) {
 t.Errorf("translatedPolicy failed @ ALLOW-ALL-TO-app:backdoor-policy lists comparison")
 t.Errorf("lists: %v", lists)
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureIngressPortChain,
 Specs: []string{
@@ -2210,7 +2013,7 @@ func TestTranslatePolicy(t *testing.T) {
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("dangerous", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("dangerous", allowInternalAndExternalPolicy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-ALL-TO-app:backdoor-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2218,48 +2021,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "frontend",
- },
- }
-
- port8000 := intstr.FromInt(8000)
- allowBackendToFrontendPort8000Policy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-app:backend-TO-app:frontend-port-8000-policy",
- Namespace: "testnamespace",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeIngress,
- },
- Ingress: []networkingv1.NetworkPolicyIngressRule{
- networkingv1.NetworkPolicyIngressRule{
- Ports: []networkingv1.NetworkPolicyPort{
- networkingv1.NetworkPolicyPort{
- Port: &port8000,
- },
- },
- From: []networkingv1.NetworkPolicyPeer{
- networkingv1.NetworkPolicyPeer{
- PodSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "backend",
- },
- },
- },
- },
- },
- },
- },
+func TestAllowBackendToFrontendPort8000(t *testing.T) {
+ allowBackendToFrontendPort8000Policy, err := readPolicyYaml("testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- sets, lists, iptEntries = translatePolicy(allowBackendToFrontendPort8000Policy)
+ sets, lists, iptEntries := translatePolicy(allowBackendToFrontendPort8000Policy)
- expectedSets = []string{
+ expectedSets := []string{
 "app:frontend",
 "ns-testnamespace",
 "app:backend",
@@ -2270,15 +2042,15 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{}
+ expectedLists := []string{}
 if !reflect.DeepEqual(lists, expectedLists) {
 t.Errorf("translatedPolicy failed @ ALLOW-app:backend-TO-app:frontend-port-8000-policy lists comparison")
 t.Errorf("lists: %v", lists)
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureIngressPortChain,
 Specs: []string{
@@ -2315,7 +2087,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-TO-app:frontend-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+ "ALLOW-ALL-TO-app:frontend-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
 },
 },
 &iptm.IptEntry{
@@ -2337,7 +2109,7 @@ func TestTranslatePolicy(t *testing.T) {
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("dangerous", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("dangerous", allowBackendToFrontendPort8000Policy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-ALL-TO-app:backdoor-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
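Review bot: The drop entries in the `@@ -2337` hunk are still built with `getDefaultDropEntries("dangerous", ...)` although allowBackendToFrontendPort8000Policy lives in `testnamespace` (expectedSets contains `"ns-testnamespace"`), and the failure message right below names `ALLOW-ALL-TO-app:backdoor-policy` instead of this policy. If this test passes as written, the namespace argument evidently does not influence the default drop entries, which is itself worth confirming since a namespace mismatch in real translation would be a policy-scoping bug. Now that the policy object is loaded from YAML the namespace can come from it rather than a hard-coded string, `getDefaultDropEntries(allowBackendToFrontendPort8000Policy.ObjectMeta.Namespace, allowBackendToFrontendPort8000Policy.Spec.PodSelector, false, false)`, and the message should read `t.Errorf("translatedPolicy failed @ ALLOW-app:backend-TO-app:frontend-port-8000-policy policy comparison")`. The same hard-coded `"testnamespace"` appears in the `@@ -3198` hunk of TestComplexPolicy, whose policy is in `default` (`"ns-default"` in its expectedSets). The function continues in the next hunk.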
@@ -2345,51 +2117,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "k8s",
- "team": "aks",
- },
- }
- allowCniOrCnsToK8sPolicy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-program:cni-AND-team:acn-OR-binary:cns-AND-group:container-TO-app:k8s-AND-team:aks-policy",
- Namespace: "acn",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeIngress,
- },
- Ingress: []networkingv1.NetworkPolicyIngressRule{
- networkingv1.NetworkPolicyIngressRule{
- From: []networkingv1.NetworkPolicyPeer{
- networkingv1.NetworkPolicyPeer{
- PodSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "program": "cni",
- "team": "acn",
- },
- },
- },
- networkingv1.NetworkPolicyPeer{
- PodSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "binary": "cns",
- "group": "container",
- },
- },
- },
- },
- },
- },
- },
+func TestAllowMultipleLabelsToMultipleLabels(t *testing.T) {
+ allowCniOrCnsToK8sPolicy, err := readPolicyYaml("testpolicies/allow-multiple-labels-to-multiple-labels.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- sets, lists, iptEntries = translatePolicy(allowCniOrCnsToK8sPolicy)
+ sets, lists, iptEntries := translatePolicy(allowCniOrCnsToK8sPolicy)
- expectedSets = []string{
+ expectedSets := []string{
 "app:k8s",
 "team:aks",
 "ns-acn",
@@ -2404,15 +2142,15 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{}
+ expectedLists := []string{}
 if !reflect.DeepEqual(lists, expectedLists) {
 t.Errorf("translatedPolicy failed @ ALLOW-program:cni-AND-team:acn-OR-binary:cns-AND-group:container-TO-app:k8s-AND-team:aks-policy lists comparison")
 t.Errorf("lists: %v", lists)
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureIngressFromChain,
 Specs: []string{
@@ -2515,7 +2253,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-TO-app:k8s-AND-team:aks-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+ "ALLOW-ALL-TO-app:k8s-AND-team:aks-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
 },
 },
 &iptm.IptEntry{
@@ -2542,7 +2280,7 @@ func TestTranslatePolicy(t *testing.T) {
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("acn", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("acn", allowCniOrCnsToK8sPolicy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-program:cni-AND-team:acn-OR-binary:cns-AND-group:container-TO-app:k8s-AND-team:aks-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2550,28 +2288,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "backend",
- },
- }
- denyAllFromBackendPolicy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-none-FROM-app:backend-policy",
- Namespace: "testnamespace",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeEgress,
- },
- },
+func TestDenyAllFromAppBackend(t *testing.T) {
+ denyAllFromBackendPolicy, err := readPolicyYaml("testpolicies/deny-all-from-app-backend.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- sets, lists, iptEntries = translatePolicy(denyAllFromBackendPolicy)
+ sets, lists, iptEntries := translatePolicy(denyAllFromBackendPolicy)
- expectedSets = []string{
+ expectedSets := []string{
 "app:backend",
 "ns-testnamespace",
 }
@@ -2581,15 +2308,15 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{}
+ expectedLists := []string{}
 if !reflect.DeepEqual(lists, expectedLists) {
 t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-app:backend-policy lists comparison")
 t.Errorf("lists: %v", lists)
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, true)...)
+ expectedIptEntries := []*iptm.IptEntry{}
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", denyAllFromBackendPolicy.Spec.PodSelector, false, true)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-app:backend-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2597,33 +2324,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "backend",
- },
+func TestAllowAllFromAppBackend(t *testing.T) {
+ allowAllEgress, err := readPolicyYaml("testpolicies/allow-all-from-app-backend.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- //////
- /// This policy tests the case where pods should have unlimited egress traffic
- //////
- allowAllEgress := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-all-FROM-app:backend-policy",
- Namespace: "testnamespace",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeEgress,
- },
- Egress: []networkingv1.NetworkPolicyEgressRule{networkingv1.NetworkPolicyEgressRule{}},
- },
- }
+ sets, lists, iptEntries := translatePolicy(allowAllEgress)
- sets, lists, iptEntries = translatePolicy(allowAllEgress)
-
- expectedSets = []string{
+ expectedSets := []string{
 "app:backend",
 "ns-testnamespace",
 }
@@ -2633,7 +2344,7 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{
+ expectedLists := []string{
 util.KubeAllNamespacesFlag,
 }
 if !reflect.DeepEqual(lists, expectedLists) {
@@ -2642,8 +2353,8 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureEgressPortChain,
 Specs: []string{
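Review bot: The removed comment `/// This policy tests the case where pods should have unlimited egress traffic` was the only statement of what TestAllowAllFromAppBackend verifies; after the move to YAML the intent is no longer visible in the Go test, and the removed literal shows the subtle case it covered (a single empty `NetworkPolicyEgressRule{}`, which means allow-all rather than deny). Restore it above the readPolicyYaml call as `// Allow-all egress: the fixture's single egress rule is empty, so app:backend pods get unlimited egress (an empty rule is allow-all, not deny).`, assuming the YAML fixture mirrors the removed literal, so a reader of a failure knows an allow-all is the expected outcome. The function continues in the next hunk.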
@@ -2669,7 +2380,7 @@ func TestTranslatePolicy(t *testing.T) {
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...) // has egress, but empty map means allow all
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowAllEgress.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-all-FROM-app:backend-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2677,25 +2388,16 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{}
- denyAllFromNsUnsafePolicy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-none-FROM-ns-unsafe-policy",
- Namespace: "unsafe",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeEgress,
- },
- Egress: []networkingv1.NetworkPolicyEgressRule{},
- },
+func TestDenyAllFromNsUnsafe(t *testing.T) {
+ denyAllFromNsUnsafePolicy, err := readPolicyYaml("testpolicies/deny-all-from-ns-unsafe.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
+ sets, lists, iptEntries := translatePolicy(denyAllFromNsUnsafePolicy)
- sets, lists, iptEntries = translatePolicy(denyAllFromNsUnsafePolicy)
-
- expectedSets = []string{
+ expectedSets := []string{
 "ns-unsafe",
 }
 if !reflect.DeepEqual(sets, expectedSets) {
@@ -2703,15 +2405,15 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("sets: %v", sets)
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{}
+ expectedLists := []string{}
 if !reflect.DeepEqual(lists, expectedLists) {
 t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-app:backend-policy lists comparison")
 t.Errorf("lists: %v", lists)
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("unsafe", targetSelector, false, true)...)
+ expectedIptEntries := []*iptm.IptEntry{}
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("unsafe", denyAllFromNsUnsafePolicy.Spec.PodSelector, false, true)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-app:backend-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
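Review bot: Both failure messages carried unchanged into TestDenyAllFromNsUnsafe still name `ALLOW-none-FROM-app:backend-policy`, which is the previous scenario's policy; the removed literal in the hunk above called this one `ALLOW-none-FROM-ns-unsafe-policy`, so a failure here would point a reader at the wrong test and the wrong namespace. Change them to `t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-ns-unsafe-policy lists comparison")` and `t.Errorf("translatedPolicy failed @ ALLOW-none-FROM-ns-unsafe-policy policy comparison")`. The function continues in the next hunk.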
@@ -2719,52 +2421,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "app": "frontend",
- },
- }
-
- tcp, udp := v1.ProtocolTCP, v1.ProtocolUDP
- port53 := intstr.FromInt(53)
- allowFrontendToTCPPort80UDPPOrt443Policy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "ALLOW-ALL-FROM-app:frontend-TCP-PORT-53-OR-UDP-PORT-53-policy",
- Namespace: "testnamespace",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeEgress,
- },
- Egress: []networkingv1.NetworkPolicyEgressRule{
- networkingv1.NetworkPolicyEgressRule{
- Ports: []networkingv1.NetworkPolicyPort{
- networkingv1.NetworkPolicyPort{
- Protocol: &tcp,
- Port: &port53,
- },
- networkingv1.NetworkPolicyPort{
- Protocol: &udp,
- Port: &port53,
- },
- },
- },
- networkingv1.NetworkPolicyEgressRule{
- To: []networkingv1.NetworkPolicyPeer{
- networkingv1.NetworkPolicyPeer{
- NamespaceSelector: &metav1.LabelSelector{},
- },
- },
- },
- },
- },
+func TestAllowAppFrontendToTCPPort53UDPPort53Policy(t *testing.T) {
+ allowFrontendToTCPPort53UDPPort53Policy, err := readPolicyYaml("testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- sets, lists, iptEntries = translatePolicy(allowFrontendToTCPPort80UDPPOrt443Policy)
+ sets, lists, iptEntries := translatePolicy(allowFrontendToTCPPort53UDPPort53Policy)
- expectedSets = []string{
+ expectedSets := []string{
 "app:frontend",
 "ns-testnamespace",
 }
@@ -2774,7 +2441,7 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{
+ expectedLists := []string{
 util.KubeAllNamespacesFlag,
 }
 if !reflect.DeepEqual(lists, expectedLists) {
@@ -2783,8 +2450,8 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEntries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureEgressPortChain,
 Specs: []string{
@@ -2877,7 +2544,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-FROM-app:frontend-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+ "ALLOW-ALL-FROM-app:frontend-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
 },
 },
 &iptm.IptEntry{
@@ -2898,7 +2565,7 @@ func TestTranslatePolicy(t *testing.T) {
 },
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", allowFrontendToTCPPort53UDPPort53Policy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ ALLOW-ALL-FROM-app:frontend-TCP-PORT-53-OR-UDP-PORT-53-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -2906,83 +2573,17 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("iptEntries: %s", marshalledIptEntries)
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
+}
- targetSelector = metav1.LabelSelector{
- MatchLabels: map[string]string{
- "role": "db",
- },
+func TestComplexPolicy(t *testing.T) {
+ k8sExamplePolicy, err := readPolicyYaml("testpolicies/complex-policy.yaml")
+ if err != nil {
+ t.Fatal(err)
 }
- tcp = v1.ProtocolTCP
- port6379, port5978 := intstr.FromInt(6379), intstr.FromInt(5978)
- k8sExamplePolicy := &networkingv1.NetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "k8s-example-policy",
- Namespace: "default",
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: targetSelector,
- PolicyTypes: []networkingv1.PolicyType{
- networkingv1.PolicyTypeIngress,
- networkingv1.PolicyTypeEgress,
- },
- Ingress: []networkingv1.NetworkPolicyIngressRule{
- networkingv1.NetworkPolicyIngressRule{
- From: []networkingv1.NetworkPolicyPeer{
- networkingv1.NetworkPolicyPeer{
- IPBlock: &networkingv1.IPBlock{
- CIDR: "172.17.0.0/16",
- Except: []string{
- "172.17.1.0/24",
- },
- },
- },
- networkingv1.NetworkPolicyPeer{
- NamespaceSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "project": "myproject",
- },
- },
- },
- networkingv1.NetworkPolicyPeer{
- PodSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "role": "frontend",
- },
- },
- },
- },
- Ports: []networkingv1.NetworkPolicyPort{
- networkingv1.NetworkPolicyPort{
- Protocol: &tcp,
- Port: &port6379,
- },
- },
- },
- },
- Egress: []networkingv1.NetworkPolicyEgressRule{
- networkingv1.NetworkPolicyEgressRule{
- To: []networkingv1.NetworkPolicyPeer{
- networkingv1.NetworkPolicyPeer{
- IPBlock: &networkingv1.IPBlock{
- CIDR: "10.0.0.0/24",
- },
- },
- },
- Ports: []networkingv1.NetworkPolicyPort{
- networkingv1.NetworkPolicyPort{
- Protocol: &tcp,
- Port: &port5978,
- },
- },
- },
- },
- },
- }
+ sets, lists, iptEntries := translatePolicy(k8sExamplePolicy)
- sets, lists, iptEntries = translatePolicy(k8sExamplePolicy)
-
- expectedSets = []string{
+ expectedSets := []string{
 "role:db",
 "ns-default",
 "role:frontend",
@@ -2993,7 +2594,7 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedSets: %v", expectedSets)
 }
- expectedLists = []string{
+ expectedLists := []string{
 "ns-project:myproject",
 }
 if !reflect.DeepEqual(lists, expectedLists) {
@@ -3002,8 +2603,8 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedLists: %v", expectedLists)
 }
- expectedIptEntries = []*iptm.IptEntry{}
- nonKubeSystemEntries = []*iptm.IptEntry{
+ expectedIptEntries := []*iptm.IptEntry{}
+ nonKubeSystemEnt
ries := []*iptm.IptEntry{
 &iptm.IptEntry{
 Chain: util.IptablesAzureIngressPortChain,
 Specs: []string{
@@ -3107,7 +2708,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-TO-role:db-TO-JUMP-TO-"+util.IptablesAzureIngressFromChain,
+ "ALLOW-ALL-TO-role:db-TO-JUMP-TO-" + util.IptablesAzureIngressFromChain,
 },
 },
 &iptm.IptEntry{
@@ -3123,7 +2724,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-TO-role:db-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+ "ALLOW-ALL-TO-role:db-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
 },
 },
 &iptm.IptEntry{
@@ -3161,7 +2762,7 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ALL-FROM-role:db-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+ "ALLOW-ALL-FROM-role:db-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
 },
 },
 &iptm.IptEntry{
@@ -3198,7 +2799,7 @@ func TestTranslatePolicy(t *testing.T) {
 },
 }
 expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
- expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", targetSelector, false, false)...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("testnamespace", k8sExamplePolicy.Spec.PodSelector, false, false)...)
 if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
 t.Errorf("translatedPolicy failed @ k8s-example-policy policy comparison")
 marshalledIptEntries, _ := json.Marshal(iptEntries)
@@ -3237,6 +2838,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) {
 Ingress: []networkingv1.NetworkPolicyIngressRule{},
 },
 }
+ denyAllPolicy.ObjectMeta.Namespace = metav1.NamespaceDefault
 allowToPodPolicy := &networkingv1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "pod-A",
From 7478f9bc38138c0da3c9bb46a4c4eb6ca9a93036 Mon Sep 17 00:00:00 2001
From: Mathew Merrick
Date: Fri, 20 Dec 2019 15:35:50 -0800
Subject: [PATCH 2/3] fix policy names
---
npm/testpolicies/allow-all-from-app-backend.yaml | 2 +-
npm/testpolicies/allow-all-ns-to-frontend.yaml | 2 +-
npm/testpolicies/allow-all-to-app-frontend.yaml | 4 ++--
.../allow-app-backend-to-app-frontend-port-8000.yaml | 4 ++--
.../allow-app-frontend-tcp-port-or-udp-port-53.yaml | 4 ++--
npm/testpolicies/allow-backend-to-frontend.yaml | 2 +-
npm/testpolicies/allow-internal-and-external.yaml | 4 ++--
.../allow-multiple-labels-to-multiple-labels.yaml | 4 ++--
.../allow-ns-dev-and-app-backend-to-app-frontend.yaml | 2 +-
npm/testpolicies/allow-ns-dev-to-app-frontend.yaml | 4 ++--
npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml | 4 ++--
npm/testpolicies/deny-all-from-app-backend.yaml | 2 +-
npm/testpolicies/deny-all-from-ns-unsafe.yaml | 2 +-
npm/testpolicies/deny-all-policy.yaml | 2 +-
npm/testpolicies/deny-all-to-app-frontend.yaml | 2 +-
.../test-allow-all-to-k0-and-k1-and-app-frontend.yaml | 2 +-
16 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/npm/testpolicies/allow-all-from-app-backend.yaml b/npm/testpolicies/allow-all-from-app-backend.yaml
index 8bbb1ec169..e98a37b34e 100644
--- a/npm/testpolicies/allow-all-from-app-backend.yaml
+++ b/npm/testpolicies/allow-all-from-app-backend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Egress
diff --git a/npm/testpolicies/allow-all-ns-to-frontend.yaml b/npm/testpolicies/allow-all-ns-to-frontend.yaml
index f813f086f7..d8aebdb0f5 100644
--- a/npm/testpolicies/allow-all-ns-to-frontend.yaml
+++ b/npm/testpolicies/allow-all-ns-to-frontend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-all-to-app-frontend.yaml b/npm/testpolicies/allow-all-to-app-frontend.yaml
index f1f5776e9c..3bd4906494 100644
--- a/npm/testpolicies/allow-all-to-app-frontend.yaml
+++ b/npm/testpolicies/allow-all-to-app-frontend.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: ALLOW-all-TO-app:frontend-FROM-all-namespaces-policy
- namespace: "testnamespace"
+ name: allow-all-to-app-frontend
+ namespace: testnamespace
 spec:
 podSelector:
 matchLabels:
diff --git a/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml b/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml
index a722f3bc64..0f3794cc46 100644
--- a/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml
+++ b/npm/testpolicies/allow-app-backend-to-app-frontend-port-8000.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: ALLOW-app:backend-TO-app:frontend-port-8000-policy
- namespace: "testnamespace"
+ name: allow-backend-to-frontend-on-port-8000-policy
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml b/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml
index 5c7a5fd09d..0e2b42077c 100644
--- a/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml
+++ b/npm/testpolicies/allow-app-frontend-tcp-port-or-udp-port-53.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: ALLOW-app:backend-TO-app:frontend-port-8000-policy
- namespace: "testnamespace"
+ name: allow-backend-to-frontend-on-port-53-policy
+ namespace: testnamespace
 spec:
 policyTypes:
 - Egress
diff --git a/npm/testpolicies/allow-backend-to-frontend.yaml b/npm/testpolicies/allow-backend-to-frontend.yaml
index 7afbfbeee9..e7ae161636 100644
--- a/npm/testpolicies/allow-backend-to-frontend.yaml
+++ b/npm/testpolicies/allow-backend-to-frontend.yaml
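Review bot: In allow-app-frontend-tcp-port-or-udp-port-53.yaml the new `name: allow-backend-to-frontend-on-port-53-policy` describes an ingress from backend, but the fixture is an Egress policy (`policyTypes: - Egress` in the context lines) and the Go test that loads it is TestAllowAppFrontendToTCPPort53UDPPort53Policy. Since this commit exists to fix policy names, a name matching the file, `name: allow-app-frontend-tcp-port-or-udp-port-53`, would follow the convention applied here to allow-all-to-app-frontend and allow-ns-dev-to-app-frontend. Several other fixtures touched by this commit still carry `name: deny-all-policy` although they are allow policies (allow-all-from-app-backend.yaml, allow-all-ns-to-frontend.yaml, allow-backend-to-frontend.yaml, allow-ns-dev-and-app-backend-to-app-frontend.yaml, allow-ns-test-namespace-to-frontend.yaml, test-allow-all-to-k0-and-k1-and-app-frontend.yaml); a `metadata.name` that contradicts the policy's effect makes a failing scenario harder to map back to its fixture.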
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 podSelector:
 matchLabels:
diff --git a/npm/testpolicies/allow-internal-and-external.yaml b/npm/testpolicies/allow-internal-and-external.yaml
index 61f0fb1ef7..f1cdedecf3 100644
--- a/npm/testpolicies/allow-internal-and-external.yaml
+++ b/npm/testpolicies/allow-internal-and-external.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: deny-all-policy
- namespace: "dangerous"
+ name: allow-backdoor-policy
+ namespace: dangerous
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml b/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml
index 0f83383c76..40b3878a4f 100644
--- a/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml
+++ b/npm/testpolicies/allow-multiple-labels-to-multiple-labels.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: deny-all-policy
- namespace: "acn"
+ name: allow-multiple-labels-to-multiple-labels
+ namespace: acn
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml b/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml
index 88b5b22921..740a1fdd96 100644
--- a/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml
+++ b/npm/testpolicies/allow-ns-dev-and-app-backend-to-app-frontend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml b/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml
index 05bc5ab5e0..fdd5cf0706 100644
--- a/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml
+++ b/npm/testpolicies/allow-ns-dev-to-app-frontend.yaml
@@ -1,8 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: "ALLOW-ns-namespace:dev-AND-!ns-namespace:test0-AND-!ns-namespace:test1-TO-app:frontend-policy"
- namespace: "testnamespace"
+ name: allow-ns-dev-to-app-frontend
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml b/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml
index 146e0aab11..8b36507dcc 100644
--- a/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml
+++ b/npm/testpolicies/allow-ns-test-namespace-to-frontend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
@@ -12,4 +12,4 @@ spec:
 ingress:
 - from:
 - podSelector:
- matchLabels:
+ matchLabels: {}
diff --git a/npm/testpolicies/deny-all-from-app-backend.yaml b/npm/testpolicies/deny-all-from-app-backend.yaml
index 60ef7286a1..f1273d63b9 100644
--- a/npm/testpolicies/deny-all-from-app-backend.yaml
+++ b/npm/testpolicies/deny-all-from-app-backend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Egress
diff --git a/npm/testpolicies/deny-all-from-ns-unsafe.yaml b/npm/testpolicies/deny-all-from-ns-unsafe.yaml
index 706ba19acc..27b08f0963 100644
--- a/npm/testpolicies/deny-all-from-ns-unsafe.yaml
+++ b/npm/testpolicies/deny-all-from-ns-unsafe.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "unsafe"
+ namespace: unsafe
 spec:
 policyTypes:
 - Egress
diff --git a/npm/testpolicies/deny-all-policy.yaml b/npm/testpolicies/deny-all-policy.yaml
index 6f818340ac..f8e9aa5332 100644
--- a/npm/testpolicies/deny-all-policy.yaml
+++ b/npm/testpolicies/deny-all-policy.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
diff --git a/npm/testpolicies/deny-all-to-app-frontend.yaml b/npm/testpolicies/deny-all-to-app-frontend.yaml
index 9afcd56781..0197643e53 100644
--- a/npm/testpolicies/deny-all-to-app-frontend.yaml
+++ b/npm/testpolicies/deny-all-to-app-frontend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 podSelector:
 matchLabels:
diff --git a/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml b/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
index 546e8254b8..c37778c035 100644
--- a/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
+++ b/npm/testpolicies/test-allow-all-to-k0-and-k1-and-app-frontend.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: deny-all-policy
- namespace: "testnamespace"
+ namespace: testnamespace
 spec:
 policyTypes:
 - Ingress
From f8db249037a88364e41e7263c105688ee82c3b89 Mon Sep 17 00:00:00 2001
From: Mathew Merrick
Date: Thu, 2 Jan 2020 16:39:19 -0800
Subject: [PATCH 3/3] fix jump entry
---
npm/translatePolicy_test.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
index 426fd3ab94..17d8eaf537 100644
--- a/npm/translatePolicy_test.go
+++ b/npm/translatePolicy_test.go
@@ -2380,7 +2380,8 @@ func TestAllowAllFromAppBackend(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
+ Chain: util.IptablesAzureEgressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,