Add testcases for appliedTo per rule
Dyanngg committed Oct 16, 2020
1 parent d43bd23 commit 1e886f1
Showing 8 changed files with 288 additions and 13 deletions.
19 changes: 19 additions & 0 deletions pkg/agent/controller/networkpolicy/cache_test.go
Expand Up @@ -598,6 +598,13 @@ func TestRuleCacheAddNetworkPolicy(t *testing.T) {
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
}
networkPolicyRule3 := &v1beta1.NetworkPolicyRule{
Direction: v1beta1.DirectionIn,
AppliedToGroups: []string{"appliedToGroup1"},
From: v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup3"}},
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
}
networkPolicy1 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy1", Namespace: "ns1", Name: "name1"},
Rules: nil,
Expand All @@ -620,8 +627,14 @@ func TestRuleCacheAddNetworkPolicy(t *testing.T) {
UID: "policy2",
},
}
networkPolicy3 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy3", Namespace: "ns3", Name: "name3"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule3},
AppliedToGroups: nil,
}
rule1 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
rule2 := toRule(networkPolicyRule2, networkPolicy2, k8sNPMaxPriority)
rule3 := toRule(networkPolicyRule3, networkPolicy3, k8sNPMaxPriority)
tests := []struct {
name string
args *v1beta1.NetworkPolicy
Expand All @@ -640,6 +653,12 @@ func TestRuleCacheAddNetworkPolicy(t *testing.T) {
[]*rule{rule1, rule2},
sets.NewString(rule1.ID, rule2.ID),
},
{
"rule-with-appliedTo",
networkPolicy3,
[]*rule{rule3},
sets.NewString(rule3.ID),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
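Review bot: The expectation for the new "rule-with-appliedTo" case, `[]*rule{rule3}`, is produced by the same `toRule` helper that the cache path uses, so if `toRule` ever stopped carrying rule-level AppliedToGroups the expected and actual rules would still agree and the case would pass without noticing. A direct check next to the `rule3 := toRule(...)` line pins the value this case exists to cover, e.g. `if len(rule3.AppliedToGroups) != 1 || rule3.AppliedToGroups[0] != "appliedToGroup1" { t.Fatalf("rule3.AppliedToGroups = %v", rule3.AppliedToGroups) }`. The body of TestRuleCacheAddNetworkPolicy starts before and continues after these hunks, so whether the loop already compares AppliedToGroups field by field cannot be seen here.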
4 changes: 2 additions & 2 deletions pkg/controller/networkpolicy/antreanetworkpolicy.go
Expand Up @@ -125,8 +125,8 @@ func (n *NetworkPolicyController) deleteANP(old interface{}) {
// of an UPDATE event.
func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *secv1alpha1.NetworkPolicy) *antreatypes.NetworkPolicy {
appliedToPerRule := np.Spec.AppliedTo == nil
// appliedToGroupNames tracks all distinct appliedToGroups referred by the NetworkPolicy,
// both in the spec section and in ingress/egress rules.
// appliedToGroupNames tracks all distinct appliedToGroups referred to by the Antrea NetworkPolicy,
// either in the spec section or in ingress/egress rules.
appliedToGroupNamesSet := sets.String{}
// Create AppliedToGroup for each AppliedTo present in AntreaNetworkPolicy spec.
for _, at := range np.Spec.AppliedTo {
101 changes: 100 additions & 1 deletion pkg/controller/networkpolicy/antreanetworkpolicy_test.go
Expand Up @@ -221,11 +221,110 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
expectedAppliedToGroups: 1,
expectedAddressGroups: 2,
},
{
name: "appliedTo-per-rule",
inputPolicy: &secv1alpha1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{Namespace: "ns3", Name: "npC", UID: "uidC"},
Spec: secv1alpha1.NetworkPolicySpec{
AppliedTo: nil,
Priority: p10,
Ingress: []secv1alpha1.Rule{
{
AppliedTo: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorA,
},
},
Ports: []secv1alpha1.NetworkPolicyPort{
{
Port: &intstr80,
},
},
From: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorB,
},
},
Action: &allowAction,
},
{
AppliedTo: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorB,
},
},
Ports: []secv1alpha1.NetworkPolicyPort{
{
Port: &intstr81,
},
},
From: []secv1alpha1.NetworkPolicyPeer{
{
NamespaceSelector: &selectorC,
},
},
Action: &allowAction,
},
},
},
},
expectedPolicy: &antreatypes.NetworkPolicy{
UID: "uidC",
Name: "npC",
Namespace: "ns3",
SourceRef: &controlplane.NetworkPolicyReference{
Type: controlplane.AntreaNetworkPolicy,
Namespace: "ns3",
Name: "npC",
UID: "uidC",
},
Priority: &p10,
TierPriority: &defaultTierPriority,
Rules: []controlplane.NetworkPolicyRule{
{
Direction: controlplane.DirectionIn,
AppliedToGroups: []string{getNormalizedUID(toGroupSelector("ns3", &selectorA, nil, nil).NormalizedName)},
From: controlplane.NetworkPolicyPeer{
AddressGroups: []string{getNormalizedUID(toGroupSelector("ns3", &selectorB, nil, nil).NormalizedName)},
},
Services: []controlplane.Service{
{
Protocol: &protocolTCP,
Port: &intstr80,
},
},
Priority: 0,
Action: &allowAction,
},
{
Direction: controlplane.DirectionIn,
AppliedToGroups: []string{getNormalizedUID(toGroupSelector("ns3", &selectorB, nil, nil).NormalizedName)},
From: controlplane.NetworkPolicyPeer{
AddressGroups: []string{getNormalizedUID(toGroupSelector("", nil, &selectorC, nil).NormalizedName)},
},
Services: []controlplane.Service{
{
Protocol: &protocolTCP,
Port: &intstr81,
},
},
Priority: 1,
Action: &allowAction,
},
},
AppliedToGroups: []string{
getNormalizedUID(toGroupSelector("ns3", &selectorA, nil, nil).NormalizedName),
getNormalizedUID(toGroupSelector("ns3", &selectorB, nil, nil).NormalizedName),
},
AppliedToPerRule: true,
},
expectedAppliedToGroups: 2,
expectedAddressGroups: 2,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, c := newController()

assert.Equal(t, tt.expectedPolicy, c.processAntreaNetworkPolicy(tt.inputPolicy))
assert.Equal(t, tt.expectedAddressGroups, len(c.addressGroupStore.List()))
assert.Equal(t, tt.expectedAppliedToGroups, len(c.appliedToGroupStore.List()))
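Review bot: The new "appliedTo-per-rule" case only exercises the well-formed shape where spec.AppliedTo is nil and every rule carries its own AppliedTo; the two shapes that matter for enforcement scope, a rule with no AppliedTo while spec.AppliedTo is nil (which, given `appliedToPerRule := np.Spec.AppliedTo == nil` in processAntreaNetworkPolicy, appears to yield a rule with empty AppliedToGroups) and a policy that sets both spec-level and rule-level AppliedTo, are not covered. If the controller relies on admission validation to reject those shapes, a comment on the case should say so, e.g. `// Only the all-per-rule shape is processed here; mixed or missing AppliedTo is expected to be rejected before reaching the controller (verify against the validating webhook)`; otherwise a case asserting the controller's behaviour for them is worth adding. The same gap applies to the matching case added in clusternetworkpolicy_test.go. The tests slice and the loop consuming it begin before and end after this hunk.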
4 changes: 2 additions & 2 deletions pkg/controller/networkpolicy/clusternetworkpolicy.go
Expand Up @@ -125,8 +125,8 @@ func (n *NetworkPolicyController) deleteCNP(old interface{}) {
// of an UPDATE event.
func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.ClusterNetworkPolicy) *antreatypes.NetworkPolicy {
appliedToPerRule := cnp.Spec.AppliedTo == nil
// appliedToGroupNames tracks all distinct appliedToGroups referred by the ClusterNetworkPolicy,
// both in the spec section and in ingress/egress rules.
// appliedToGroupNames tracks all distinct appliedToGroups referred to by the ClusterNetworkPolicy,
// either in the spec section or in ingress/egress rules.
appliedToGroupNamesSet := sets.String{}
// Create AppliedToGroup for each AppliedTo present in ClusterNetworkPolicy spec.
for _, at := range cnp.Spec.AppliedTo {
100 changes: 100 additions & 0 deletions pkg/controller/networkpolicy/clusternetworkpolicy_test.go
Expand Up @@ -309,6 +309,106 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
expectedAppliedToGroups: 1,
expectedAddressGroups: 2,
},
{
name: "appliedTo-per-rule",
inputPolicy: &secv1alpha1.ClusterNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "cnpH", UID: "uidH"},
Spec: secv1alpha1.ClusterNetworkPolicySpec{
AppliedTo: nil,
Priority: p10,
Ingress: []secv1alpha1.Rule{
{
AppliedTo: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorA,
},
},
Ports: []secv1alpha1.NetworkPolicyPort{
{
Port: &intstr80,
},
},
From: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorB,
},
},
Action: &allowAction,
},
{
AppliedTo: []secv1alpha1.NetworkPolicyPeer{
{
PodSelector: &selectorB,
NamespaceSelector: &selectorC,
},
},
Ports: []secv1alpha1.NetworkPolicyPort{
{
Port: &intstr81,
},
},
From: []secv1alpha1.NetworkPolicyPeer{
{
NamespaceSelector: &selectorC,
},
},
Action: &allowAction,
},
},
},
},
expectedPolicy: &antreatypes.NetworkPolicy{
UID: "uidH",
Name: "cnpH",
Namespace: "",
SourceRef: &controlplane.NetworkPolicyReference{
Type: controlplane.AntreaClusterNetworkPolicy,
Name: "cnpH",
UID: "uidH",
},
Priority: &p10,
TierPriority: &defaultTierPriority,
Rules: []controlplane.NetworkPolicyRule{
{
Direction: controlplane.DirectionIn,
AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil, nil).NormalizedName)},
From: controlplane.NetworkPolicyPeer{
AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, nil, nil).NormalizedName)},
},
Services: []controlplane.Service{
{
Protocol: &protocolTCP,
Port: &int80,
},
},
Priority: 0,
Action: &allowAction,
},
{
Direction: controlplane.DirectionIn,
AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC, nil).NormalizedName)},
From: controlplane.NetworkPolicyPeer{
AddressGroups: []string{getNormalizedUID(toGroupSelector("", nil, &selectorC, nil).NormalizedName)},
},
Services: []controlplane.Service{
{
Protocol: &protocolTCP,
Port: &int81,
},
},
Priority: 1,
Action: &allowAction,
},
},
AppliedToGroups: []string{
getNormalizedUID(toGroupSelector("", &selectorA, nil, nil).NormalizedName),
getNormalizedUID(toGroupSelector("", &selectorB, &selectorC, nil).NormalizedName),
},
AppliedToPerRule: true,
},
expectedAppliedToGroups: 2,
expectedAddressGroups: 2,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
57 changes: 57 additions & 0 deletions test/e2e/antreapolicy_test.go
Expand Up @@ -663,6 +663,62 @@ func testANPBasic(t *testing.T) {
executeTests(t, testCase)
}

func testAppliedToPerRule(t *testing.T) {
builder := &AntreaNetworkPolicySpecBuilder{}
builder = builder.SetName("y", "np1").SetPriority(1.0)
anpATGrp1 := ANPRuleAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil}
anpATGrp2 := ANPRuleAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil}
builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
nil, nil, []ANPRuleAppliedToSpec{anpATGrp1}, secv1alpha1.RuleActionDrop)
builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
nil, nil, []ANPRuleAppliedToSpec{anpATGrp2}, secv1alpha1.RuleActionDrop)

reachability := NewReachability(allPods, true)
reachability.Expect(Pod("x/b"), Pod("y/a"), false)
reachability.Expect(Pod("z/b"), Pod("y/b"), false)
testStep := []*TestStep{
{
"Port 80",
reachability,
[]metav1.Object{builder.Get()},
80,
0,
},
}

builder2 := &ClusterNetworkPolicySpecBuilder{}
builder2 = builder2.SetName("cnp1").SetPriority(1.0)
cnpATGrp1 := ACNPRuleAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil}
cnpATGrp2 := ACNPRuleAppliedToSpec{
PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": "y"},
PodSelectorMatchExp: nil, NSSelectorMatchExp: nil}
builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
nil, nil, []ACNPRuleAppliedToSpec{cnpATGrp1}, secv1alpha1.RuleActionDrop)
builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
nil, nil, []ACNPRuleAppliedToSpec{cnpATGrp2}, secv1alpha1.RuleActionDrop)

reachability2 := NewReachability(allPods, true)
reachability2.Expect(Pod("x/b"), Pod("x/a"), false)
reachability2.Expect(Pod("x/b"), Pod("y/a"), false)
reachability2.Expect(Pod("x/b"), Pod("z/a"), false)
reachability2.Expect(Pod("z/b"), Pod("y/b"), false)
testStep2 := []*TestStep{
{
"Port 80",
reachability2,
[]metav1.Object{builder2.Get()},
80,
0,
},
}

testCase := []*TestCase{
{"ANP AppliedTo per rule", testStep},
{"ACNP AppliedTo per rule", testStep2},
}
executeTests(t, testCase)
}

// executeTests runs all the tests in testList and prints results
func executeTests(t *testing.T, testList []*TestCase) {
for _, testCase := range testList {
Expand Down Expand Up @@ -772,6 +828,7 @@ func TestAntreaPolicy(t *testing.T) {
t.Run("Case=CNPPriorityConflictingRule", func(t *testing.T) { testCNPPriorityConflictingRule(t) })
t.Run("Case=CNPRulePriority", func(t *testing.T) { testCNPRulePrioirty(t) })
t.Run("Case=ANPBasic", func(t *testing.T) { testANPBasic(t) })
t.Run("Case=AppliedToPerRule", func(t *testing.T) { testAppliedToPerRule(t) })
})

printResults()
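Review bot: testAppliedToPerRule has no doc comment while its neighbour executeTests does; add `// testAppliedToPerRule verifies that, when spec.AppliedTo is unset, each ingress rule is enforced only on the Pods selected by that rule's own AppliedTo, for an ANP (in namespace y) and for an ACNP.` above the function. The TestStep literals on the "Port 80" lines use positional fields (`"Port 80", reachability, []metav1.Object{builder.Get()}, 80, 0`), which reads as a bare tuple; naming the fields as the TestStep type declares them (the type is defined outside this hunk) would make the port and the trailing 0 self-describing. The reachability expectations only list the dropped edges, which is fine here because `NewReachability(allPods, true)` defaults every other pair to allowed, so the "rule 1 does not apply to pod b" property is asserted implicitly; a one-line comment saying so would save the next reader from looking for the positive cases.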
6 changes: 3 additions & 3 deletions test/e2e/utils/anpspecbuilder.go
Expand Up @@ -29,8 +29,8 @@ type AntreaNetworkPolicySpecBuilder struct {
}

type ANPRuleAppliedToSpec struct {
podSelector map[string]string
podSelectorMatchExp *[]metav1.LabelSelectorRequirement
PodSelector map[string]string
PodSelectorMatchExp *[]metav1.LabelSelectorRequirement
}

func (b *AntreaNetworkPolicySpecBuilder) Get() *secv1alpha1.NetworkPolicy {
Expand Down Expand Up @@ -139,7 +139,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
}
}
for _, at := range ruleAppliedToSpecs {
appliedTos = append(appliedTos, b.GetAppliedToPeer(at.podSelector, at.podSelectorMatchExp))
appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp))
}
var policyPeer []secv1alpha1.NetworkPolicyPeer
if ps != nil || ns != nil || ipBlock != nil {
10 changes: 5 additions & 5 deletions test/e2e/utils/cnpspecbuilder.go
Expand Up @@ -28,10 +28,10 @@ type ClusterNetworkPolicySpecBuilder struct {
}

type ACNPRuleAppliedToSpec struct {
podSelector map[string]string
nsSelector map[string]string
podSelectorMatchExp *[]metav1.LabelSelectorRequirement
nsSelectorMatchExp *[]metav1.LabelSelectorRequirement
PodSelector map[string]string
NSSelector map[string]string
PodSelectorMatchExp *[]metav1.LabelSelectorRequirement
NSSelectorMatchExp *[]metav1.LabelSelectorRequirement
}

func (b *ClusterNetworkPolicySpecBuilder) Get() *secv1alpha1.ClusterNetworkPolicy {
Expand Down Expand Up @@ -160,7 +160,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
}
}
for _, at := range ruleAppliedToSpecs {
appliedTos = append(appliedTos, b.GetAppliedToPeer(at.podSelector, at.nsSelector, at.podSelectorMatchExp, at.nsSelectorMatchExp))
appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp))
}
var policyPeer []secv1alpha1.NetworkPolicyPeer
if ps != nil || ns != nil || ipBlock != nil {
