From 54346d9686ffef12bb418879a8ee6b9311612691 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Fri, 9 Oct 2020 00:08:30 -0700 Subject: [PATCH] Add omitempty to appliedTo fields and address test failures --- build/yamls/antrea-aks.yml | 1 - build/yamls/antrea-eks.yml | 1 - build/yamls/antrea-gke.yml | 1 - build/yamls/antrea-ipsec.yml | 1 - build/yamls/antrea.yml | 1 - build/yamls/base/crds.yml | 3 +- pkg/apis/security/v1alpha1/types.go | 8 ++-- .../networkpolicy/antreanetworkpolicy.go | 12 ++--- .../networkpolicy/clusternetworkpolicy.go | 12 ++--- pkg/controller/networkpolicy/validate.go | 22 ++++----- test/e2e/antreapolicy_test.go | 44 ++++++++--------- test/e2e/utils/anpspecbuilder.go | 43 +++++++++++------ test/e2e/utils/cnpspecbuilder.go | 48 +++++++++++++------ 13 files changed, 114 insertions(+), 83 deletions(-) diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 97add29c67b..6ce4de06c96 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -193,7 +193,6 @@ spec: tier: type: string required: - - appliedTo - priority type: object type: object diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index a304811128b..90f38fe2f7d 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -193,7 +193,6 @@ spec: tier: type: string required: - - appliedTo - priority type: object type: object diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index d8ed065a765..c68bf896acf 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -193,7 +193,6 @@ spec: tier: type: string required: - - appliedTo - priority type: object type: object diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index baa46259fc9..0f558095055 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -193,7 +193,6 @@ spec: tier: type: string required: - - appliedTo - priority type: object type: object 
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index feca7676222..70e08a5eabf 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -193,7 +193,6 @@ spec: tier: type: string required: - - appliedTo - priority type: object type: object diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index 01e4ea55210..12e87a5ba37 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml @@ -279,9 +279,8 @@ spec: type: object properties: spec: - # Ensure that Spec.AppliedTo and Spec.Priority fields are set + # Ensure that Spec.Priority field is set required: - - appliedTo - priority type: object properties: diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go index b77f9f341da..091bc81502b 100644 --- a/pkg/apis/security/v1alpha1/types.go +++ b/pkg/apis/security/v1alpha1/types.go @@ -47,7 +47,7 @@ type NetworkPolicySpec struct { // Select workloads on which the rules will be applied to. Cannot be set in // conjunction with AppliedTo in each rule. // +optional - AppliedTo []NetworkPolicyPeer `json:"appliedTo"` + AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"` // Set of ingress rules evaluated based on the order in which they are set. // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. @@ -86,7 +86,7 @@ type Rule struct { // Select workloads on which this rule will be applied to. Cannot be set in // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. // +optional - AppliedTo []NetworkPolicyPeer `json:"appliedTo"` + AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"` } // NetworkPolicyPeer describes the grouping selector of workloads. 
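Review bot: Removing `appliedTo` from the CRD's `required` list in base/crds.yml leaves the "spec or per-rule appliedTo" invariant enforced only by the admission webhook in validate.go; if that webhook is unreachable or deployed with a fail-open failurePolicy (not visible here), the API server will now persist a ClusterNetworkPolicy with no appliedTo at all, which the schema used to reject. Since the schema can no longer require the field, it is worth at least stopping an explicitly empty list at the schema level with `minItems: 1` on the `appliedTo` array property, so the weakest form of the mistake is caught without the webhook. The replaced comment should also say where the invariant now lives: `# Ensure that Spec.Priority is set; Spec.AppliedTo or per-rule AppliedTo is enforced by the validating webhook`.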
@@ -114,6 +114,7 @@ type NetworkPolicyPeer struct { // ExternalEntities are matched from Namespaces matched by the // NamespaceSelector. // Cannot be set with any other selector except NamespaceSelector. + // +optional ExternalEntitySelector *metav1.LabelSelector `json:"externalEntitySelector,omitempty"` } @@ -186,7 +187,8 @@ type ClusterNetworkPolicySpec struct { Priority float64 `json:"priority"` // Select workloads on which the rules will be applied to. Cannot be set in // conjunction with AppliedTo in each rule. - AppliedTo []NetworkPolicyPeer `json:"appliedTo"` + // +optional + AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"` // Set of ingress rules evaluated based on the order in which they are set. // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index e2b847c61cc..3e6b6e2273f 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -138,11 +138,11 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *secv1alpha1.Net for idx, ingressRule := range np.Spec.Ingress { // Set default action to ALLOW to allow traffic. services, namedPortExists := toAntreaServicesForCRD(ingressRule.Ports) - appliedToGroupNamesForRule := make([]string, len(ingressRule.AppliedTo)) + var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. - for i, at := range ingressRule.AppliedTo { + for _, at := range ingressRule.AppliedTo { atGroup := n.createAppliedToGroup(np.Namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) - appliedToGroupNamesForRule[i] = atGroup + appliedToGroupNamesForRule = append(appliedToGroupNamesForRule, atGroup) appliedToGroupNamesSet.Insert(atGroup) } rules = append(rules, controlplane.NetworkPolicyRule{ 
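Review bot: The new `+optional` marker on ClusterNetworkPolicySpec.AppliedTo documents only half of the contract: per validate.go the field may be omitted only when every ingress and egress rule carries its own appliedTo, and a policy that sets it at neither level (or at both) is rejected. Suggest extending the doc comment so the generated CRD description carries that rule: `// Either this field or AppliedTo in every ingress/egress rule must be set; setting neither, or both, is rejected by the validating webhook.` The same wording fits NetworkPolicySpec.AppliedTo and Rule.AppliedTo in the earlier hunks.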
@@ -158,11 +158,11 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *secv1alpha1.Net for idx, egressRule := range np.Spec.Egress { // Set default action to ALLOW to allow traffic. services, namedPortExists := toAntreaServicesForCRD(egressRule.Ports) - appliedToGroupNamesForRule := make([]string, len(egressRule.AppliedTo)) + var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. - for i, at := range egressRule.AppliedTo { + for _, at := range egressRule.AppliedTo { atGroup := n.createAppliedToGroup(np.Namespace, at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) - appliedToGroupNamesForRule[i] = atGroup + appliedToGroupNamesForRule = append(appliedToGroupNamesForRule, atGroup) appliedToGroupNamesSet.Insert(atGroup) } rules = append(rules, controlplane.NetworkPolicyRule{ diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index 2fb2f8a5342..40db53cd847 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go 
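Review bot: The context comment inside the egress loop still says "present in the ingress rule" although it now sits above the egress `for _, at := range egressRule.AppliedTo` loop; it should read `// Create AppliedToGroup for each AppliedTo present in the egress rule.` Separately, switching from `make([]string, len(...))` to `var appliedToGroupNamesForRule []string` changes the value from an empty slice to nil when the rule has no appliedTo, which matters if the resulting AppliedToGroups field is later serialized or compared with DeepEqual elsewhere (not visible here); `appliedToGroupNamesForRule := make([]string, 0, len(egressRule.AppliedTo))` keeps the pre-sizing and the non-nil value while still using append. processAntreaNetworkPolicy starts and ends outside this hunk.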
@@ -138,11 +138,11 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C for idx, ingressRule := range cnp.Spec.Ingress { // Set default action to ALLOW to allow traffic. services, namedPortExists := toAntreaServicesForCRD(ingressRule.Ports) - appliedToGroupNamesForRule := make([]string, len(ingressRule.AppliedTo)) + var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. - for i, at := range ingressRule.AppliedTo { + for _, at := range ingressRule.AppliedTo { atGroup := n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) - appliedToGroupNamesForRule[i] = atGroup + appliedToGroupNamesForRule = append(appliedToGroupNamesForRule, atGroup) appliedToGroupNamesSet.Insert(atGroup) } rules = append(rules, controlplane.NetworkPolicyRule{ @@ -158,11 +158,11 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C for idx, egressRule := range cnp.Spec.Egress { // Set default action to ALLOW to allow traffic. services, namedPortExists := toAntreaServicesForCRD(egressRule.Ports) - appliedToGroupNamesForRule := make([]string, len(egressRule.AppliedTo)) + var appliedToGroupNamesForRule []string // Create AppliedToGroup for each AppliedTo present in the ingress rule. - for i, at := range egressRule.AppliedTo { + for _, at := range egressRule.AppliedTo { atGroup := n.createAppliedToGroup("", at.PodSelector, at.NamespaceSelector, at.ExternalEntitySelector) - appliedToGroupNamesForRule[i] = atGroup + appliedToGroupNamesForRule = append(appliedToGroupNamesForRule, atGroup) appliedToGroupNamesSet.Insert(atGroup) } rules = append(rules, controlplane.NetworkPolicyRule{ diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go index 7acfc635e03..7912e7c4127 100644 --- a/pkg/controller/networkpolicy/validate.go +++ b/pkg/controller/networkpolicy/validate.go 
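Review bot: Both loops now produce a nil `appliedToGroupNamesForRule` (rather than the previous zero-length, non-nil slice) whenever a rule carries no appliedTo, which is the common case after this change since rule-level appliedTo is optional; if the controlplane NetworkPolicyRule's AppliedToGroups is ever serialized or compared against `[]string{}` downstream, nil and empty are not interchangeable. `appliedToGroupNamesForRule := make([]string, 0, len(ingressRule.AppliedTo))` (and the egressRule counterpart) preserves the old value semantics and the capacity hint while keeping the append form. The egress loop's comment still refers to "the ingress rule" and should name the egress rule. processClusterNetworkPolicy continues outside both hunks.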
@@ -134,19 +134,19 @@ func (v *NetworkPolicyValidator) validateAntreaPolicy(op admv1.Operation, tier s if tier != "" && !staticTierSet.Has(tier) && !v.tierExists(tier) { allowed, reason = false, fmt.Sprintf("tier %s does not exist", tier) } - appliedToInSpec, appliedToInRules := specAppliedTo != nil, false - for i, rule := range append(ingress, egress...) { - if i == 0 { - appliedToInRules = rule.AppliedTo != nil + appliedToInSpec, appliedToInRules := specAppliedTo != nil, false + for i, rule := range append(ingress, egress...) { + if i == 0 { + appliedToInRules = rule.AppliedTo != nil + } + if (rule.AppliedTo != nil) != appliedToInRules { + allowed, reason = false, fmt.Sprintf("appliedTo field does not appear consistently in all rules") + return reason, allowed + } } - if (rule.AppliedTo != nil) != appliedToInRules { - allowed, reason = false, fmt.Sprintf("appliedTo field does not appear consistently in all rules") - return reason, allowed + if appliedToInSpec == appliedToInRules { + allowed, reason = false, fmt.Sprintf("appliedTo is set in both spec and rules") } - } - if appliedToInSpec == appliedToInRules { - allowed, reason = false, fmt.Sprintf("appliedTo is set in both spec and rules") - } case admv1.Delete: // Delete of Antrea Policies have no validation allowed = true diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go index 377629d470c..b7059654de2 100644 --- a/test/e2e/antreapolicy_test.go +++ b/test/e2e/antreapolicy_test.go @@ -154,7 +154,7 @@ func testCNPAllowXBtoA(t *testing.T) { SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) reachability := NewReachability(allPods, false) reachability.Expect(Pod("x/b"), Pod("x/a"), true) 
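Review bot: The moved appliedTo checks test presence with `!= nil`, but with omitempty now on these fields an explicit `appliedTo: []` in a manifest decodes to a non-nil empty slice, so a spec or rule with an empty appliedTo passes both the consistency check and the spec-vs-rules check while selecting no workload at all; combined with the CRD no longer requiring the field, a Drop policy written that way would be admitted and, as far as the controller hunks show, create no AppliedToGroup for it. Testing `len(...) > 0` at all three sites closes that gap, and splitting the final condition gives a truthful reason for the "neither" case, which the current message ("set in both spec and rules") misdescribes. The `fmt.Sprintf` calls with a constant string and no arguments are also flagged by staticcheck and can be plain strings. validateAntreaPolicy starts and ends outside this hunk.
```go
	appliedToInSpec, appliedToInRules := len(specAppliedTo) > 0, false
	for i, rule := range append(ingress, egress...) {
		if i == 0 {
			appliedToInRules = len(rule.AppliedTo) > 0
		}
		if (len(rule.AppliedTo) > 0) != appliedToInRules {
			allowed, reason = false, "appliedTo field does not appear consistently in all rules"
			return reason, allowed
		}
	}
	if appliedToInSpec && appliedToInRules {
		allowed, reason = false, "appliedTo is set in both spec and rules"
	} else if !appliedToInSpec && !appliedToInRules {
		allowed, reason = false, "appliedTo must be set either in spec or in every rule"
	}
	// … unchanged: admv1.Delete case …
```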
@@ -186,7 +186,7 @@ func testCNPAllowXBtoYA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "y"}, nil, nil) builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) reachability := NewReachability(allPods, false) reachability.Expect(Pod("x/b"), Pod("y/a"), true) @@ -216,14 +216,14 @@ func testCNPPriorityOverrideDefaultDeny(t *testing.T) { SetPriority(2). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("cnp-priority1"). SetPriority(1). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) // Ingress from ns:z to x/a will be dropped since cnp-priority1 has higher precedence. reachabilityBothCNP := NewReachability(allPods, false) @@ -257,9 +257,9 @@ func testCNPAllowNoDefaultIsolation(t *testing.T) { SetPriority(1.1). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) builder.AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"ns": "y"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) builder.AddEgress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) reachability := NewReachability(allPods, true) testStep := []*TestStep{ 
@@ -284,7 +284,7 @@ func testCNPDropEgress(t *testing.T) { SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) reachability := NewReachability(allPods, true) reachability.Expect(Pod("x/a"), Pod("z/a"), false) @@ -322,7 +322,7 @@ func testCNPPriorityOverride(t *testing.T) { cidr := podZBIP + "/32" // Highest priority. Drops traffic from z/b to x/a. builder1.AddIngress(v1.ProtocolTCP, &p80, nil, &cidr, nil, nil, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("cnp-priority2"). @@ -330,7 +330,7 @@ func testCNPPriorityOverride(t *testing.T) { SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority. Allows traffic from z to x/a. builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("cnp-priority3"). @@ -338,7 +338,7 @@ func testCNPPriorityOverride(t *testing.T) { SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority. Drops traffic from z to x. builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) reachabilityTwoCNPs := NewReachability(allPods, true) reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) 
@@ -395,7 +395,7 @@ func testCNPTierOverride(t *testing.T) { cidr := podZBIP + "/32" // Highest priority tier. Drops traffic from z/b to x/a. builder1.AddIngress(v1.ProtocolTCP, &p80, nil, &cidr, nil, nil, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("cnp-tier-securityops"). @@ -404,7 +404,7 @@ func testCNPTierOverride(t *testing.T) { SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority tier. Allows traffic from z to x/a. builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("cnp-tier-application"). @@ -413,7 +413,7 @@ func testCNPTierOverride(t *testing.T) { SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority tier. Drops traffic from z to x. builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) reachabilityTwoCNPs := NewReachability(allPods, true) reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) @@ -473,7 +473,7 @@ func testCNPCustomTiers(t *testing.T) { SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority tier. Allows traffic from z to x/a. builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("cnp-tier-low"). 
@@ -482,7 +482,7 @@ func testCNPCustomTiers(t *testing.T) { SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority tier. Drops traffic from z to x. builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) reachabilityTwoCNPs := NewReachability(allPods, true) reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) @@ -519,7 +519,7 @@ func testCNPPriorityConflictingRule(t *testing.T) { SetPriority(1). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("cnp-allow"). @@ -528,7 +528,7 @@ func testCNPPriorityConflictingRule(t *testing.T) { // The following ingress rule will take no effect as it is exactly the same as ingress rule of cnp-drop, // but cnp-allow has lower priority. builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) reachabilityBothCNP := NewReachability(allPods, true) reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/a"), false) 
@@ -565,10 +565,10 @@ func testCNPRulePrioirty(t *testing.T) { SetPriority(5). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "y"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) // This rule should take no effect as it will be overridden by the first rule of cnp-allow builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) builder2 := &ClusterNetworkPolicySpecBuilder{} // cnp-allow will also apply to all pods in namespace x @@ -576,10 +576,10 @@ func testCNPRulePrioirty(t *testing.T) { SetPriority(5). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) // This rule should take no effect as it will be overridden by the first rule of cnp-drop builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "y"}, - nil, nil, secv1alpha1.RuleActionAllow) + nil, nil, []ACNPRuleAppliedToSpec{}, secv1alpha1.RuleActionAllow) // Only egress from pods in namespace x to namespace y should be denied reachabilityBothCNP := NewReachability(allPods, true) @@ -617,7 +617,7 @@ func testANPBasic(t *testing.T) { SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, secv1alpha1.RuleActionDrop) + nil, nil, []ANPRuleAppliedToSpec{}, secv1alpha1.RuleActionDrop) reachability := NewReachability(allPods, true) reachability.Expect(Pod("x/b"), Pod("y/a"), false) 
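Review bot: Every call site in this file passes `[]ACNPRuleAppliedToSpec{}` or `[]ANPRuleAppliedToSpec{}`, so the new rule-level appliedTo path is never exercised end to end, and none of the e2e cases cover the validator's rejection paths (appliedTo in both spec and rules, in neither, inconsistently across rules, or an explicitly empty list). At least one positive case with a non-empty per-rule appliedTo and no spec-level `SetAppliedToGroup` call, plus one case expecting admission to fail, would protect the behaviour this commit is changing. The function name `testCNPRulePrioirty` also has a typo for `Priority`.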
diff --git a/test/e2e/utils/anpspecbuilder.go b/test/e2e/utils/anpspecbuilder.go index ff116c7db84..02f0a66f7c0 100644 --- a/test/e2e/utils/anpspecbuilder.go +++ b/test/e2e/utils/anpspecbuilder.go @@ -28,6 +28,11 @@ type AntreaNetworkPolicySpecBuilder struct { Namespace string } +type ANPRuleAppliedToSpec struct { + podSelector map[string]string + podSelectorMatchExp *[]metav1.LabelSelectorRequirement +} + func (b *AntreaNetworkPolicySpecBuilder) Get() *secv1alpha1.NetworkPolicy { if b.Spec.Ingress == nil { b.Spec.Ingress = []secv1alpha1.Rule{} @@ -60,11 +65,9 @@ func (b *AntreaNetworkPolicySpecBuilder) SetTier(tier string) *AntreaNetworkPoli return b } -func (b *AntreaNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[string]string, - podSelectorMatchExp *[]metav1.LabelSelectorRequirement) *AntreaNetworkPolicySpecBuilder { - +func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string]string, + podSelectorMatchExp *[]metav1.LabelSelectorRequirement) secv1alpha1.NetworkPolicyPeer { var ps *metav1.LabelSelector - if podSelector != nil { ps = &metav1.LabelSelector{ MatchLabels: podSelector, @@ -78,9 +81,14 @@ func (b *AntreaNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[strin MatchExpressions: *podSelectorMatchExp, } } - appliedToPeer := secv1alpha1.NetworkPolicyPeer{ + return secv1alpha1.NetworkPolicyPeer{ PodSelector: ps, } +} + +func (b *AntreaNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[string]string, + podSelectorMatchExp *[]metav1.LabelSelectorRequirement) *AntreaNetworkPolicySpecBuilder { + appliedToPeer := b.GetAppliedToPeer(podSelector, podSelectorMatchExp) b.Spec.AppliedTo = append(b.Spec.AppliedTo, appliedToPeer) return b } 
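Review bot: ANPRuleAppliedToSpec (and ACNPRuleAppliedToSpec in cnpspecbuilder.go) declare only unexported fields, so if antreapolicy_test.go lives in a different package and dot-imports utils, as its unqualified use of `ClusterNetworkPolicySpecBuilder` suggests, tests can only ever construct the empty value and can never set a rule-level appliedTo through these builders. Exporting the fields fixes that: `PodSelector map[string]string` and `PodSelectorMatchExp *[]metav1.LabelSelectorRequirement`, with the `at.podSelector` accesses in AddIngress updated to match. A one-line doc comment on the type, e.g. `// ANPRuleAppliedToSpec describes one appliedTo peer attached to a single rule rather than to the policy spec.`, would also help since the type is exported.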
@@ -89,10 +97,11 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, port *int, portName *string, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, - action secv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ANPRuleAppliedToSpec, action secv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder { var ps *metav1.LabelSelector var ns *metav1.LabelSelector + var appliedTos []secv1alpha1.NetworkPolicyPeer if b.Spec.Ingress == nil { b.Spec.Ingress = []secv1alpha1.Rule{} } @@ -129,6 +138,9 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, CIDR: *cidr, } } + for _, at := range ruleAppliedToSpecs { + appliedTos = append(appliedTos, b.GetAppliedToPeer(at.podSelector, at.podSelectorMatchExp)) + } var policyPeer []secv1alpha1.NetworkPolicyPeer if ps != nil || ns != nil || ipBlock != nil { policyPeer = []secv1alpha1.NetworkPolicyPeer{{ @@ -159,9 +171,10 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, } } newRule := secv1alpha1.Rule{ - From: policyPeer, - Ports: ports, - Action: &action, + From: policyPeer, + Ports: ports, + Action: &action, + AppliedTo: appliedTos, } b.Spec.Ingress = append(b.Spec.Ingress, newRule) return b 
@@ -171,18 +184,20 @@ func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, port *int, portName *string, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, - action secv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ANPRuleAppliedToSpec, action secv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder { // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. c := &AntreaNetworkPolicySpecBuilder{} - c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, podSelectorMatchExp, nsSelectorMatchExp, action) + c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, + podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action) theRule := c.Get().Spec.Ingress[0] b.Spec.Egress = append(b.Spec.Egress, secv1alpha1.Rule{ - To: theRule.From, - Ports: theRule.Ports, - Action: theRule.Action, + To: theRule.From, + Ports: theRule.Ports, + Action: theRule.Action, + AppliedTo: theRule.AppliedTo, }) return b } diff --git a/test/e2e/utils/cnpspecbuilder.go b/test/e2e/utils/cnpspecbuilder.go index 2306de66654..555d0961324 100644 --- a/test/e2e/utils/cnpspecbuilder.go +++ b/test/e2e/utils/cnpspecbuilder.go @@ -27,6 +27,13 @@ type ClusterNetworkPolicySpecBuilder struct { Name string } +type ACNPRuleAppliedToSpec struct { + podSelector map[string]string + nsSelector map[string]string + podSelectorMatchExp *[]metav1.LabelSelectorRequirement + nsSelectorMatchExp *[]metav1.LabelSelectorRequirement +} + func (b *ClusterNetworkPolicySpecBuilder) Get() *secv1alpha1.ClusterNetworkPolicy { if b.Spec.Ingress == nil { b.Spec.Ingress = []secv1alpha1.Rule{} 
@@ -57,10 +64,10 @@ func (b *ClusterNetworkPolicySpecBuilder) SetTier(tier string) *ClusterNetworkPo return b } -func (b *ClusterNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[string]string, +func (b *ClusterNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, - nsSelectorMatchExp *[]metav1.LabelSelectorRequirement) *ClusterNetworkPolicySpecBuilder { + nsSelectorMatchExp *[]metav1.LabelSelectorRequirement) secv1alpha1.NetworkPolicyPeer { var ps *metav1.LabelSelector var ns *metav1.LabelSelector @@ -86,17 +93,23 @@ func (b *ClusterNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[stri ns.MatchExpressions = *nsSelectorMatchExp } } - if nsSelectorMatchExp != nil { ns = &metav1.LabelSelector{ MatchExpressions: *nsSelectorMatchExp, } } - - appliedToPeer := secv1alpha1.NetworkPolicyPeer{ + return secv1alpha1.NetworkPolicyPeer{ PodSelector: ps, NamespaceSelector: ns, } +} + +func (b *ClusterNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[string]string, + nsSelector map[string]string, + podSelectorMatchExp *[]metav1.LabelSelectorRequirement, + nsSelectorMatchExp *[]metav1.LabelSelectorRequirement) *ClusterNetworkPolicySpecBuilder { + + appliedToPeer := b.GetAppliedToPeer(podSelector, nsSelector, podSelectorMatchExp, nsSelectorMatchExp) b.Spec.AppliedTo = append(b.Spec.AppliedTo, appliedToPeer) return b } 
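Review bot: In GetAppliedToPeer the trailing `if nsSelectorMatchExp != nil { ns = &metav1.LabelSelector{MatchExpressions: *nsSelectorMatchExp} }` unconditionally replaces `ns`, so when both nsSelector and nsSelectorMatchExp are supplied the MatchLabels assigned just above (the context line `ns.MatchExpressions = *nsSelectorMatchExp` shows that branch) are discarded and the peer selects a broader namespace set than the caller asked for, which can let a reachability test pass against a looser policy than intended. If the preceding block is `if nsSelector != nil { … }`, as the context suggests, changing the second guard to `} else if nsSelectorMatchExp != nil {` restores the intent; the ANP builder's podSelector handling has the same shape and deserves the same look. As a style point, Go getters drop the `Get` prefix and this method does not touch its receiver, so `AppliedToPeer` as a plain function (or a receiver-less helper) reads better. SetTier's body starts outside the first hunk.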
@@ -105,10 +118,11 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, port *int, portName *string, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, - action secv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ACNPRuleAppliedToSpec, action secv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder { var ps *metav1.LabelSelector var ns *metav1.LabelSelector + var appliedTos []secv1alpha1.NetworkPolicyPeer if b.Spec.Ingress == nil { b.Spec.Ingress = []secv1alpha1.Rule{} } @@ -145,6 +159,9 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, CIDR: *cidr, } } + for _, at := range ruleAppliedToSpecs { + appliedTos = append(appliedTos, b.GetAppliedToPeer(at.podSelector, at.nsSelector, at.podSelectorMatchExp, at.nsSelectorMatchExp)) + } var policyPeer []secv1alpha1.NetworkPolicyPeer if ps != nil || ns != nil || ipBlock != nil { policyPeer = []secv1alpha1.NetworkPolicyPeer{{ @@ -175,9 +192,10 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, } } newRule := secv1alpha1.Rule{ - From: policyPeer, - Ports: ports, - Action: &action, + From: policyPeer, + Ports: ports, + Action: &action, + AppliedTo: appliedTos, } b.Spec.Ingress = append(b.Spec.Ingress, newRule) return b 
@@ -187,18 +205,20 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, port *int, portName *string, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, - action secv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ACNPRuleAppliedToSpec, action secv1alpha1.RuleAction) *ClusterNetworkPolicySpecBuilder { // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. c := &ClusterNetworkPolicySpecBuilder{} - c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, podSelectorMatchExp, nsSelectorMatchExp, action) + c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, + podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action) theRule := c.Get().Spec.Ingress[0] b.Spec.Egress = append(b.Spec.Egress, secv1alpha1.Rule{ - To: theRule.From, - Ports: theRule.Ports, - Action: theRule.Action, + To: theRule.From, + Ports: theRule.Ports, + Action: theRule.Action, + AppliedTo: theRule.AppliedTo, }) return b }