Fix Baseline Isolation E2E Test
In the current baseline isolation e2e test, the nsSelector expression is
misplaced as a nodeSelector expression, yet the test case does not
detect the error with its current test factors.

This PR fixes the nsSelector expression issue, and also adds test
factors in the baseline isolation test case to increase coverage.

Signed-off-by: Qiyue Yao <[email protected]>
qiyueyao committed Apr 18, 2024
1 parent ab234c5 commit c032804
Showing 1 changed file with 26 additions and 17 deletions.
43 changes: 26 additions & 17 deletions test/e2e/antreapolicy_test.go
Expand Up @@ -1657,33 +1657,42 @@ func testBaselineNamespaceIsolation(t *testing.T) {
SetPriority(1.0).
SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}})
builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
nil, nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, nil,
nil, nil, nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX},
nil, nil, crdv1beta1.RuleActionDrop, "", "", nil)

// create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace,
// as well as from the y/a Pod. It should open up ingress from y/a since it's evaluated before the baseline tier.
reachability := NewReachability(allPods, Connected)
reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("y"), Dropped)
reachability.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped)

// create a K8s NetworkPolicy for the x/a Pod to allow ingress traffic the y/a Pod. It should
// open up ingress from y/a and additionally deny ingress from x/b x/c based on Kubernetes
// NetworkPolicy default isolation model, since it's evaluated before the baseline tier.
k8sNPBuilder := &NetworkPolicySpecBuilder{}
k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), "allow-ns-x-and-y-a").
k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), "allow-y-a-to-x-a").
SetPodSelector(map[string]string{"pod": "a"}).
SetTypeIngress().
AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil,
nil, map[string]string{"ns": getNS("x")}, nil, nil).
AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil,
map[string]string{"pod": "a"}, map[string]string{"ns": getNS("y")}, nil, nil)

reachability := NewReachability(allPods, Connected)
reachability.Expect(getPod("y", "b"), getPod("x", "a"), Dropped)
reachability.Expect(getPod("y", "c"), getPod("x", "a"), Dropped)
reachability.ExpectIngressFromNamespace(getPod("x", "a"), getNS("z"), Dropped)
reachability.Expect(getPod("y", "b"), getPod("x", "b"), Dropped)
reachability.Expect(getPod("y", "c"), getPod("x", "b"), Dropped)
reachability.ExpectIngressFromNamespace(getPod("x", "b"), getNS("z"), Dropped)
reachability.Expect(getPod("y", "b"), getPod("x", "c"), Dropped)
reachability.Expect(getPod("y", "c"), getPod("x", "c"), Dropped)
reachability.ExpectIngressFromNamespace(getPod("x", "c"), getNS("z"), Dropped)
reachabilityUpdated := NewReachability(allPods, Connected)
reachabilityUpdated.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
reachabilityUpdated.Expect(getPod("x", "c"), getPod("x", "a"), Dropped)
reachabilityUpdated.Expect(getPod("y", "a"), getPod("x", "b"), Dropped)
reachabilityUpdated.Expect(getPod("y", "a"), getPod("x", "c"), Dropped)
reachabilityUpdated.ExpectEgressToNamespace(getPod("y", "b"), getNS("x"), Dropped)
reachabilityUpdated.ExpectEgressToNamespace(getPod("y", "c"), getNS("x"), Dropped)
reachabilityUpdated.ExpectNamespaceIngressFromNamespace(getNS("x"), getNS("z"), Dropped)
testStep := []*TestStep{
{
Name: "Port 80",
Name: "Baseline ACNP",
Reachability: reachability,
TestResources: []metav1.Object{builder.Get()},
Ports: []int32{80},
Protocol: ProtocolTCP,
},
{
Name: "Baseline ACNP with KNP",
Reachability: reachabilityUpdated,
TestResources: []metav1.Object{builder.Get(), k8sNPBuilder.Get()},
Ports: []int32{80},
Protocol: ProtocolTCP,
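Review bot: The `builder.AddIngress(...)` call on the baseline ACNP still passes `nsExpOtherThanX` purely by position inside a long run of `nil` arguments, which is the shape that let the selector land in the wrong slot before; the signature is not visible on this page, so the meaning of each slot can only be inferred from the commit description. A comment directly above that call would make the intent checkable without counting arguments, for example `// nsExpOtherThanX is the namespace-selector match expression, not the adjacent node-selector slot`. For an isolation rule this is worth spelling out, since a selector in the wrong slot can leave the drop rule selecting no peers while the policy still applies cleanly. Separately, the KNP comment that appears to be the new one reads "allow ingress traffic the y/a Pod" and seems to be missing "from". testBaselineNamespaceIsolation begins and ends outside this hunk.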