Add ipblock bat tests in e2e (#48)

This change introduces ipblock tests in e2e and enables v6
ingress tests in e2e as well.

.github/workflows/kind-e2e.yml

@@ -11,7 +11,7 @@ jobs:
         run: sudo apt install bats
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup registry
         run: docker run -d --restart=always -p "5000:5000" --name "kind-registry" registry:2
@@ -28,8 +28,11 @@ jobs:
         working-directory: ./e2e
         run: |
           export TERM=dumb
+          # enable ip6_tables
+          sudo modprobe ip6_tables
           bats ./tests/simple-v4-ingress.bats
           bats ./tests/simple-v4-egress.bats
+          bats ./tests/simple-v6-ingress.bats
           bats ./tests/stacked.bats
-          # this should be validated once the v6 issue is fixed.
-          #bats ./v6work/simple-v6-ingress.bats
+          bats ./tests/ipblock.bats
+          bats ./tests/ipblock-stacked.bats

e2e/tests/ipblock-stacked.bats

@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+
+# Note:
+# These test cases, stacked, will create stacked policy rules in one multi-networkpolicy and test the
+# traffic policying by ncat (nc) command.
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+
+	server_net1=$(get_net1_ip "test-ipblock-stacked" "pod-server")
+	client_a_net1=$(get_net1_ip "test-ipblock-stacked" "pod-client-a")
+	client_b_net1=$(get_net1_ip "test-ipblock-stacked" "pod-client-b")
+	client_c_net1=$(get_net1_ip "test-ipblock-stacked" "pod-client-c")
+}
+
+@test "setup stacked test environments" {
+	kubectl create -f ipblock-stacked.yml
+	run kubectl -n test-ipblock-stacked wait --for=condition=ready -l app=test-ipblock-stacked pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}
+
+@test "check generated iptables rules" {
+	# wait for sync
+	sleep 3
+        run kubectl -n test-ipblock-stacked exec pod-server -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "0" ]
+        run kubectl -n test-ipblock-stacked exec pod-client-a -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+        run kubectl -n test-ipblock-stacked exec pod-client-b -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+        run kubectl -n test-ipblock-stacked exec pod-client-c -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+}
+
+@test "test-ipblock-status check client-a" {
+	run kubectl -n test-ipblock-stacked exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock-stacked check client-b" {
+	run kubectl -n test-ipblock-stacked exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock-stacked check client-c" {
+	run kubectl -n test-ipblock-stacked exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "cleanup environments" {
+	kubectl delete -f ipblock-stacked.yml
+	run kubectl -n test-ipblock-stacked wait --for=delete -l app=test-ipblock-stacked pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}

e2e/tests/ipblock-stacked.yml

@@ -0,0 +1,160 @@
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: default
+  name: macvlan1-ipblock-stacked
+spec:
+  config: '{
+            "cniVersion": "0.3.1",
+            "name": "macvlan1-ipblock-stacked",
+            "plugins": [
+                {
+                    "type": "macvlan",
+                    "mode": "bridge",
+                    "capabilities": {"ips": true },
+                    "ipam":{
+                      "type":"static"
+                    }
+                }]
+        }'
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: test-ipblock-stacked
+---
+# Pods
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-server
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock-stacked",
+      "namespace": "default",
+      "ips": ["2.2.5.1/24"]
+      }]'
+  labels:
+    app: test-ipblock-stacked
+    name: pod-server
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-a
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock-stacked",
+      "namespace": "default",
+      "ips": ["2.2.5.11/24"]
+      }]'
+  labels:
+    app: test-ipblock-stacked
+    name: pod-client-a
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-b
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock-stacked",
+      "namespace": "default",
+      "ips": ["2.2.5.12/24"]
+      }]'
+  labels:
+    app: test-ipblock-stacked
+    name: pod-client-b
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-c
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock-stacked",
+      "namespace": "default",
+      "ips": ["2.2.5.13/24"]
+      }]'
+  labels:
+    app: test-ipblock-stacked
+    name: pod-client-c
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+# MultiNetworkPolicies
+# this policy accepts ingress trafic from pod-client-a to pod-server
+# next policy accepts ingress trafic from pod-client-b to pod-server
+# as a result, these policies accepts ingress traffic from pod-client-a
+# or from pod-client-b, to pod-server.
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: testnetwork-policy-ipblock-stacked-1
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: default/macvlan1-ipblock-stacked
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-server
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 2.2.5.11/32
+---
+# MultiNetworkPolicies
+# this policy accepts ingress trafic from pod-client-a to pod-server
+# next policy accepts ingress trafic from pod-client-b to pod-server
+# as a result, these policies accepts ingress traffic from pod-client-a
+# or from pod-client-b, to pod-server.
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: testnetwork-policy-ipblock-stacked-2
+  namespace: test-ipblock-stacked
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: default/macvlan1-ipblock-stacked
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-server
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 2.2.5.12/32

e2e/tests/ipblock.bats

@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+
+# Note:
+# These test cases, stacked, will create stacked policy rules in one multi-networkpolicy and test the
+# traffic policying by ncat (nc) command.
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+
+	server_net1=$(get_net1_ip "test-ipblock" "pod-server")
+	client_a_net1=$(get_net1_ip "test-ipblock" "pod-client-a")
+	client_b_net1=$(get_net1_ip "test-ipblock" "pod-client-b")
+	client_c_net1=$(get_net1_ip "test-ipblock" "pod-client-c")
+}
+
+@test "setup stacked test environments" {
+	kubectl create -f ipblock.yml
+	run kubectl -n test-ipblock wait --for=condition=ready -l app=test-ipblock pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}
+
+@test "check generated iptables rules" {
+	# wait for sync
+	sleep 3
+        run kubectl -n test-ipblock exec pod-server -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "0" ]
+        run kubectl -n test-ipblock exec pod-client-a -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+        run kubectl -n test-ipblock exec pod-client-b -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+        run kubectl -n test-ipblock exec pod-client-c -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
+	[ "$status" -eq  "1" ]
+}
+
+@test "test-ipblock check client-a" {
+	run kubectl -n test-ipblock exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock check client-b" {
+	run kubectl -n test-ipblock exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock check client-c" {
+	run kubectl -n test-ipblock exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "cleanup environments" {
+	kubectl delete -f ipblock.yml
+	run kubectl -n test-ipblock wait --for=delete -l app=test-ipblock pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}