From 50f2626ddc6410e576b62b8037b6e012663f0003 Mon Sep 17 00:00:00 2001
From: Qiyue Yao <39061776+qiyueyao@users.noreply.github.com>
Date: Tue, 23 Apr 2024 02:15:49 -0700
Subject: [PATCH] Fix Baseline Isolation E2E Test (#6218)

In current baseline isolation e2e test, the nsSelector expression is missplaced as nodeSelector expression, yet the test case does not detect the error based on current test factors. This PR fixes the nsSelector expression issue, and also adds test factors in the baseline isolation test case to increase coverage.

Signed-off-by: Qiyue Yao
---
 test/e2e/antreapolicy_test.go | 43 +++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index 1cd2b10c49c..9d91bf7452a 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -1657,33 +1657,42 @@ func testBaselineNamespaceIsolation(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, nil, + nil, nil, nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, nil, nil, crdv1beta1.RuleActionDrop, "", "", nil) - // create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace, - // as well as from the y/a Pod. It should open up ingress from y/a since it's evaluated before the baseline tier. + reachability := NewReachability(allPods, Connected) + reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("y"), Dropped) + reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped) + + // create a K8s NetworkPolicy for the x/a Pod to allow ingress traffic from the y/a Pod. + // It should open up ingress from y/a and additionally deny ingress from x/b and x/c based on + // Kubernetes NetworkPolicy default isolation model, since it's evaluated before the baseline tier. k8sNPBuilder := &NetworkPolicySpecBuilder{} - k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), "allow-ns-x-and-y-a"). + k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), "allow-y-a-to-x-a"). + SetPodSelector(map[string]string{"pod": "a"}). SetTypeIngress(). - AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, - nil, map[string]string{"ns": getNS("x")}, nil, nil). 
AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "a"}, map[string]string{"ns": getNS("y")}, nil, nil) - reachability := NewReachability(allPods, Connected) - reachability.Expect(getPod("y", "b"), getPod("x", "a"), Dropped) - reachability.Expect(getPod("y", "c"), getPod("x", "a"), Dropped) - reachability.ExpectIngressFromNamespace(getPod("x", "a"), getNS("z"), Dropped) - reachability.Expect(getPod("y", "b"), getPod("x", "b"), Dropped) - reachability.Expect(getPod("y", "c"), getPod("x", "b"), Dropped) - reachability.ExpectIngressFromNamespace(getPod("x", "b"), getNS("z"), Dropped) - reachability.Expect(getPod("y", "b"), getPod("x", "c"), Dropped) - reachability.Expect(getPod("y", "c"), getPod("x", "c"), Dropped) - reachability.ExpectIngressFromNamespace(getPod("x", "c"), getNS("z"), Dropped) + reachabilityUpdated := NewReachability(allPods, Connected) + reachabilityUpdated.Expect(getPod("x", "b"), getPod("x", "a"), Dropped) + reachabilityUpdated.Expect(getPod("x", "c"), getPod("x", "a"), Dropped) + reachabilityUpdated.Expect(getPod("y", "a"), getPod("x", "b"), Dropped) + reachabilityUpdated.Expect(getPod("y", "a"), getPod("x", "c"), Dropped) + reachabilityUpdated.ExpectEgressToNamespace(getPod("y", "b"), getNS("x"), Dropped) + reachabilityUpdated.ExpectEgressToNamespace(getPod("y", "c"), getNS("x"), Dropped) + reachabilityUpdated.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped) testStep := []*TestStep{ { - Name: "Port 80", + Name: "Baseline ACNP", Reachability: reachability, + TestResources: []metav1.Object{builder.Get()}, + Ports: []int32{80}, + Protocol: ProtocolTCP, + }, + { + Name: "Baseline ACNP with KNP", + Reachability: reachabilityUpdated, TestResources: []metav1.Object{builder.Get(), k8sNPBuilder.Get()}, Ports: []int32{80}, Protocol: ProtocolTCP,