

Address comments
Signed-off-by: Qiyue Yao <[email protected]>
qiyueyao committed May 5, 2024
1 parent d8f5306 commit 21d9468
Showing 3 changed files with 114 additions and 87 deletions.
2 changes: 0 additions & 2 deletions test/e2e/antctl_test.go
Expand Up @@ -24,7 +24,6 @@ import (
"testing"
"time"

log "github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -380,7 +379,6 @@ func createAntctlServiceAccount(t *testing.T, data *TestData, name string) {
Name: name,
},
}
log.Infof("Creating ServiceAccount '%s/%s' for antctl test Pods", data.testNamespace, name)
_, err := data.clientset.CoreV1().ServiceAccounts(data.testNamespace).Create(context.TODO(), serviceAccount, metav1.CreateOptions{})
require.NoErrorf(t, err, "failed to create ServiceAccount '%s/%s' for antctl test Pods", data.testNamespace, name)

168 changes: 95 additions & 73 deletions test/e2e/antreapolicy_test.go
Expand Up @@ -557,10 +557,10 @@ func testACNPPriorityOverrideDefaultDeny(t *testing.T, data *TestData) {
reachabilityBothACNP.Expect(getPod("z", "c"), getPod("x", "c"), Connected)
reachabilityBothACNP.ExpectSelf(allPods, Connected)

evaluationBothACNPs := NewNPEvaluation(allPods)
evaluationBothACNPs.Expect(getPod("y", "a"), getPod("x", "a"), defaultDenyKNPName, NPEvalIsolate)
evaluationBothACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalDrop)
evaluationBothACNPs.Expect(getPod("z", "b"), getPod("x", "b"), builder1.Name, NPEvalAllow)
evaluationBothACNPs := NewNPEvaluation(allPods).
Expect(getPod("y", "a"), getPod("x", "a"), defaultDenyKNPName, NPEvalIsolate).
Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalDrop).
Expect(getPod("z", "b"), getPod("x", "b"), builder1.Name, NPEvalAllow)

testStep := []*TestStep{
{
Expand Down Expand Up @@ -1662,12 +1662,12 @@ func testBaselineNamespaceIsolation(t *testing.T, data *TestData) {
reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("y"), Dropped)
reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped)

evaluation := NewNPEvaluation(allPods)
evaluation.Expect(getPod("y", "a"), getPod("x", "a"), builder.Name, NPEvalDrop)
evaluation.Expect(getPod("y", "b"), getPod("x", "a"), builder.Name, NPEvalDrop)
evaluation.Expect(getPod("z", "a"), getPod("x", "a"), builder.Name, NPEvalDrop)
evaluation.Expect(getPod("x", "b"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluation.Expect(getPod("z", "b"), getPod("y", "b"), NPEvalNONE, NPEvalNONE)
evaluation := NewNPEvaluation(allPods).
Expect(getPod("y", "a"), getPod("x", "a"), builder.Name, NPEvalDrop).
Expect(getPod("y", "b"), getPod("x", "a"), builder.Name, NPEvalDrop).
Expect(getPod("z", "a"), getPod("x", "a"), builder.Name, NPEvalDrop).
ExpectNone(getPod("x", "b"), getPod("x", "a")).
ExpectNone(getPod("z", "b"), getPod("y", "b"))

// create a K8s NetworkPolicy for the x/a Pod to allow ingress traffic from the y/a Pod.
// It should open up ingress from y/a and additionally deny ingress from x/b and x/c based on
Expand All @@ -1688,12 +1688,12 @@ func testBaselineNamespaceIsolation(t *testing.T, data *TestData) {
reachabilityUpdated.ExpectEgressToNamespace(getPod("y", "c"), getNS("x"), Dropped)
reachabilityUpdated.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped)

evaluationUpdated := NewNPEvaluation(allPods)
evaluationUpdated.Expect(getPod("y", "a"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalAllow)
evaluationUpdated.Expect(getPod("y", "b"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate)
evaluationUpdated.Expect(getPod("z", "a"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate)
evaluationUpdated.Expect(getPod("x", "b"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate)
evaluationUpdated.Expect(getPod("z", "b"), getPod("y", "b"), NPEvalNONE, NPEvalNONE)
evaluationUpdated := NewNPEvaluation(allPods).
Expect(getPod("y", "a"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalAllow).
Expect(getPod("y", "b"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate).
Expect(getPod("z", "a"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate).
Expect(getPod("x", "b"), getPod("x", "a"), k8sNPBuilder.Name, NPEvalIsolate).
ExpectNone(getPod("z", "b"), getPod("y", "b"))

testStep := []*TestStep{
{
Expand Down Expand Up @@ -1767,16 +1767,16 @@ func testACNPPriorityOverride(t *testing.T, data *TestData) {
reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped)
reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped)

evaluationTwoACNPs := NewNPEvaluation(allPods)
evaluationTwoACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalAllow)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), builder3.Name, NPEvalDrop)
evaluationTwoACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalAllow).
Expect(getPod("z", "b"), getPod("x", "b"), builder3.Name, NPEvalDrop)

evaluationAllACNPs := NewNPEvaluation(allPods)
evaluationAllACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationAllACNPs.Expect(getPod("z", "a"), getPod("x", "a"), builder2.Name, NPEvalAllow)
evaluationAllACNPs.Expect(getPod("z", "a"), getPod("x", "b"), builder3.Name, NPEvalDrop)
evaluationAllACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalDrop)
evaluationAllACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "a"), getPod("x", "a"), builder2.Name, NPEvalAllow).
Expect(getPod("z", "a"), getPod("x", "b"), builder3.Name, NPEvalDrop).
Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalDrop)

testStepTwoACNP := []*TestStep{
{
Expand Down Expand Up @@ -1854,16 +1854,16 @@ func testACNPTierOverride(t *testing.T, data *TestData) {
reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped)
reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped)

evaluationTwoACNPs := NewNPEvaluation(allPods)
evaluationTwoACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalAllow)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), builder3.Name, NPEvalDrop)
evaluationTwoACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "b"), getPod("x", "a"), builder2.Name, NPEvalAllow).
Expect(getPod("z", "b"), getPod("x", "b"), builder3.Name, NPEvalDrop)

evaluationAllACNPs := NewNPEvaluation(allPods)
evaluationAllACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationAllACNPs.Expect(getPod("z", "a"), getPod("x", "a"), builder2.Name, NPEvalAllow)
evaluationAllACNPs.Expect(getPod("z", "a"), getPod("x", "b"), builder3.Name, NPEvalDrop)
evaluationAllACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalDrop)
evaluationAllACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "a"), getPod("x", "a"), builder2.Name, NPEvalAllow).
Expect(getPod("z", "a"), getPod("x", "b"), builder3.Name, NPEvalDrop).
Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalDrop)

testStepTwoACNP := []*TestStep{
{
Expand Down Expand Up @@ -1930,10 +1930,10 @@ func testACNPCustomTiers(t *testing.T, data *TestData) {
reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped)
reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped)

evaluationTwoACNPs := NewNPEvaluation(allPods)
evaluationTwoACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalAllow)
evaluationTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), builder2.Name, NPEvalDrop)
evaluationTwoACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "b"), getPod("x", "a"), builder1.Name, NPEvalAllow).
Expect(getPod("z", "b"), getPod("x", "b"), builder2.Name, NPEvalDrop)

testStepTwoACNP := []*TestStep{
{
Expand Down Expand Up @@ -1980,9 +1980,9 @@ func testACNPPriorityConflictingRule(t *testing.T, data *TestData) {
reachabilityBothACNP.ExpectEgressToNamespace(getPod("z", "b"), getNS("x"), Dropped)
reachabilityBothACNP.ExpectEgressToNamespace(getPod("z", "c"), getNS("x"), Dropped)

evaluationBothACNPs := NewNPEvaluation(allPods)
evaluationBothACNPs.Expect(getPod("y", "a"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationBothACNPs.Expect(getPod("z", "a"), getPod("x", "a"), builder1.Name, NPEvalDrop)
evaluationBothACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("y", "a"), getPod("x", "a")).
Expect(getPod("z", "a"), getPod("x", "a"), builder1.Name, NPEvalDrop)

testStep := []*TestStep{
{
Expand Down Expand Up @@ -2032,10 +2032,10 @@ func testACNPRulePriority(t *testing.T, data *TestData) {
reachabilityBothACNP.ExpectIngressFromNamespace(getPod("y", "b"), getNS("x"), Dropped)
reachabilityBothACNP.ExpectIngressFromNamespace(getPod("y", "c"), getNS("x"), Dropped)

evaluationBothACNPs := NewNPEvaluation(allPods)
evaluationBothACNPs.Expect(getPod("x", "b"), getPod("x", "a"), NPEvalNONE, NPEvalNONE)
evaluationBothACNPs.Expect(getPod("x", "a"), getPod("y", "a"), builder1.Name, NPEvalDrop)
evaluationBothACNPs.Expect(getPod("x", "a"), getPod("z", "a"), builder2.Name, NPEvalAllow)
evaluationBothACNPs := NewNPEvaluation(allPods).
ExpectNone(getPod("x", "b"), getPod("x", "a")).
Expect(getPod("x", "a"), getPod("y", "a"), builder1.Name, NPEvalDrop).
Expect(getPod("x", "a"), getPod("z", "a"), builder2.Name, NPEvalAllow)

testStep := []*TestStep{
{
Expand Down Expand Up @@ -2099,14 +2099,15 @@ func testACNPRejectEgress(t *testing.T, data *TestData) {
reachability.Expect(getPod("z", "a"), getPod("z", "b"), Rejected)
reachability.Expect(getPod("z", "a"), getPod("z", "c"), Rejected)

evaluation := NewNPEvaluation(allPods)
evaluation.Expect(getPod("x", "b"), getPod("z", "a"), NPEvalNONE, NPEvalNONE)
evaluation.Expect(getPod("x", "a"), getPod("z", "a"), builder.Name, NPEvalReject)
evaluation := NewNPEvaluation(allPods).
ExpectNone(getPod("x", "b"), getPod("z", "a")).
Expect(getPod("x", "a"), getPod("z", "a"), builder.Name, NPEvalReject)

testStep := []*TestStep{
{
Name: "Port 80",
Reachability: reachability,
NPEvaluation: evaluation,
TestResources: []metav1.Object{builder.Get()},
Ports: []int32{80},
Protocol: ProtocolTCP,
Expand Down Expand Up @@ -2424,9 +2425,9 @@ func testANNPUpdate(t *testing.T, data *TestData) {

reachability := NewReachability(allPods, Connected)
reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
evaluation := NewNPEvaluation(allPods)
evaluation.Expect(getPod("x", "a"), getPod("y", "a"), NPEvalNONE, NPEvalNONE)
evaluation.Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)
evaluation := NewNPEvaluation(allPods).
ExpectNone(getPod("x", "a"), getPod("y", "a")).
Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)
annp, err := k8sUtils.CreateOrUpdateANNP(builder.Get())
failOnError(err, t)
failOnError(data.waitForANNPRealized(t, annp.Namespace, annp.Name, policyRealizedTimeout), t)
Expand All @@ -2436,7 +2437,9 @@ func testANNPUpdate(t *testing.T, data *TestData) {
t.Errorf("Failure -- %d wrong results", wrong)
reachability.PrintSummary(true, true, true)
}
doEvaluation(t, data, evaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, evaluation)
}

updatedBuilder := &AntreaNetworkPolicySpecBuilder{}
updatedBuilder = updatedBuilder.SetName(getNS("y"), "np-update").
Expand All @@ -2445,9 +2448,9 @@ func testANNPUpdate(t *testing.T, data *TestData) {
updatedBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "")
updatedReachability := NewReachability(allPods, Connected)
updatedEvaluation := NewNPEvaluation(allPods)
updatedEvaluation.Expect(getPod("x", "a"), getPod("y", "a"), NPEvalNONE, NPEvalNONE)
updatedEvaluation.Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalAllow)
updatedEvaluation := NewNPEvaluation(allPods).
Expect(getPod("x", "a"), getPod("y", "a"), "", "").
Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalAllow)
annp, err = k8sUtils.CreateOrUpdateANNP(updatedBuilder.Get())
failOnError(err, t)
failOnError(data.waitForANNPRealized(t, annp.Namespace, annp.Name, policyRealizedTimeout), t)
Expand All @@ -2457,7 +2460,9 @@ func testANNPUpdate(t *testing.T, data *TestData) {
t.Errorf("Failure -- %d wrong results", wrong)
reachability.PrintSummary(true, true, true)
}
doEvaluation(t, data, updatedEvaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, updatedEvaluation)
}

failOnError(k8sUtils.DeleteANNP(annp.Namespace, annp.Name), t)
}
Expand Down Expand Up @@ -2485,9 +2490,9 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {

reachability := NewReachability(allPods, Connected)
reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
evaluation := NewNPEvaluation(allPods)
evaluation.Expect(getPod("x", "b"), getPod("y", "c"), NPEvalNONE, NPEvalNONE)
evaluation.Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)
evaluation := NewNPEvaluation(allPods).
ExpectNone(getPod("x", "b"), getPod("y", "c")).
Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)

annp, err := k8sUtils.CreateOrUpdateANNP(builder.Get())
failOnError(err, t)
Expand All @@ -2498,7 +2503,9 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
t.Errorf("Failure -- %d wrong results", wrong)
reachability.PrintSummary(true, true, true)
}
doEvaluation(t, data, evaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, evaluation)
}

t.Logf("Making the Policy apply to y/c by labeling it with the temporary label that matches the dummy AppliedTo")
podYC, err := k8sUtils.GetPodByLabel(getNS("y"), "c")
Expand All @@ -2511,17 +2518,19 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
reachability = NewReachability(allPods, Connected)
reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
reachability.Expect(getPod("x", "b"), getPod("y", "c"), Dropped)
updatedEvaluation := NewNPEvaluation(allPods)
updatedEvaluation.Expect(getPod("x", "b"), getPod("y", "c"), builder.Name, NPEvalDrop)
updatedEvaluation.Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)
updatedEvaluation := NewNPEvaluation(allPods).
Expect(getPod("x", "b"), getPod("y", "c"), builder.Name, NPEvalDrop).
Expect(getPod("x", "b"), getPod("y", "a"), builder.Name, NPEvalDrop)
time.Sleep(networkPolicyDelay)
k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
_, wrong, _ = reachability.Summary()
if wrong != 0 {
t.Errorf("Failure -- %d wrong results", wrong)
reachability.PrintSummary(true, true, true)
}
doEvaluation(t, data, updatedEvaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, updatedEvaluation)
}

t.Logf("Making the Policy not apply to y/c by removing the temporary label")
delete(podYC.Labels, tempLabel)
Expand All @@ -2536,7 +2545,9 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
t.Errorf("Failure -- %d wrong results", wrong)
reachability.PrintSummary(true, true, true)
}
doEvaluation(t, data, evaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, evaluation)
}

failOnError(k8sUtils.DeleteANNP(builder.Namespace, builder.Name), t)
}
Expand Down Expand Up @@ -4252,7 +4263,9 @@ func executeTestsWithData(t *testing.T, testList []*TestCase, data *TestData) {
if data == nil {
t.Errorf("test case %s with networkpolicyevaluation must set test data", testCase.Name)
}
doEvaluation(t, data, step.NPEvaluation)
if testOptions.npEvaluation {
doEvaluation(t, data, step.NPEvaluation)
}
}
}
log.Debug("Cleaning-up all policies and groups created by this Testcase")
Expand All @@ -4279,9 +4292,6 @@ func doProbe(t *testing.T, data *TestData, p *CustomProbe, protocol AntreaPolicy
}

func doEvaluation(t *testing.T, data *TestData, npEvaluation *NPEvaluation) {
if !testOptions.npEvaluation {
return
}
log.Infof("running networkpolicyevaluation tests")
antreaController, err := data.getAntreaController()
if err != nil {
Expand All @@ -4295,14 +4305,26 @@ func doEvaluation(t *testing.T, data *TestData, npEvaluation *NPEvaluation) {
}
return realizedPod.Namespace + "/" + realizedPod.Name
}
processResponse := func(stdout string) map[string]string {
response := make(map[string]string, 6)
// Split and organize table output from antctl response.
items := regexp.MustCompile("[^0-9A-Za-z-]+").Split(stdout, -1)
for i := 0; i < 6; i++ {
response[items[i]] = items[i+6]
}
return response
}

for _, eval := range npEvaluation.Truth {
for _, eval := range npEvaluation.Assertions {
cmds := append(antctlArgs, "-S", getRealizedPod(eval.Source), "-D", getRealizedPod(eval.Destination))
log.Tracef("Running command: %s", strings.Join(cmds, " "))
stdout, stderr, err := data.RunCommandFromPod(antreaNamespace, antreaController.Name, "antrea-controller", cmds)
assert.NoError(t, err, "Failure -- Command was not successful:\n%s", antctlOutput(stdout, stderr))
assert.Containsf(t, stdout, eval.NPName, "Failure -- wrong results for evaluation: NetworkPolicy: %s, expected: %s", stdout, eval.NPName)
assert.Contains(t, stdout, eval.Action, "Failure -- wrong results for evaluation: Action: %s, expected: %s", stdout, eval.Action)
if !assert.NoError(t, err, "Failure -- Command was not successful:\n%s", antctlOutput(stdout, stderr)) {
continue
}
gotEval := processResponse(stdout)
assert.Equal(t, eval.NPName, gotEval["NAME"], "Failure -- wrong results for evaluation: NetworkPolicy: %s, expected: %s", gotEval["NAME"], eval.NPName)
assert.EqualValues(t, eval.Action, gotEval["ACTION"], "Failure -- wrong results for evaluation: Action: %s, expected: %s", gotEval["ACTION"], eval.Action)
}
}

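Review bot: processResponse in the doEvaluation hunk indexes items[0] through items[11] without checking len(items), so any antctl output that does not split into at least twelve tokens (an error line, an empty body, a changed table layout) panics with an index-out-of-range and aborts the whole test binary instead of failing the assertion for that one evaluation. Because the split pattern `[^0-9A-Za-z-]+` treats leading whitespace as a separator, output that begins with spaces or a newline yields an empty first token and shifts every column by one; I cannot tell from the hunk whether antctl's table output does that, so a TrimSpace before the split is cheap insurance. The same pattern also splits on characters such as `.` and `/`, so a policy NAME containing them would be truncated before the comparison on the `assert.Equal(t, eval.NPName, gotEval["NAME"], ...)` line; worth confirming against the names these tests use. regexp.MustCompile also runs on every processResponse call, and hoisting it to a package-level `var` is the usual idiom. Separately, testANNPUpdate's updatedEvaluation still spells the no-policy case as `Expect(getPod("x", "a"), getPod("y", "a"), "", "")` while every other hunk in this commit uses ExpectNone.
```go
	processResponse := func(stdout string) (map[string]string, bool) {
		// Split and organize table output from antctl response: six header
		// tokens followed by six value tokens; anything shorter is malformed.
		items := regexp.MustCompile("[^0-9A-Za-z-]+").Split(strings.TrimSpace(stdout), -1)
		if len(items) < 12 {
			return nil, false
		}
		response := make(map[string]string, 6)
		for i := 0; i < 6; i++ {
			response[items[i]] = items[i+6]
		}
		return response, true
	}
	// … unchanged: loop over npEvaluation.Assertions, command execution, NoError check …
		gotEval, ok := processResponse(stdout)
		if !assert.Truef(t, ok, "Failure -- unexpected antctl output:\n%s", antctlOutput(stdout, stderr)) {
			continue
		}
	// … unchanged: NAME and ACTION assertions …
```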

