diff --git a/multicluster/test/e2e/antreapolicy_test.go b/multicluster/test/e2e/antreapolicy_test.go
index 8f7b70040a7..bd0526b6478 100644
--- a/multicluster/test/e2e/antreapolicy_test.go
+++ b/multicluster/test/e2e/antreapolicy_test.go
@@ -33,7 +33,7 @@ const (
 var (
 	allPodsPerCluster []antreae2e.Pod
 	perNamespacePods []string
-	perClusterNamespaces map[string]string
+	perClusterNamespaces map[string]antreae2e.TestNamespaceMeta
 	podsByNamespace map[string][]antreae2e.Pod
 	clusterK8sUtilsMap map[string]*antreae2e.KubernetesUtils
 )
@@ -51,10 +51,11 @@ func failOnError(err error, t *testing.T) {
 // initializeForPolicyTest creates three Pods in three test Namespaces for each test cluster.
 func initializeForPolicyTest(t *testing.T, data *MCTestData) {
 	perNamespacePods = []string{"a", "b", "c"}
-	perClusterNamespaces = make(map[string]string)
-	perClusterNamespaces["x"] = "x"
-	perClusterNamespaces["y"] = "y"
-	perClusterNamespaces["z"] = "z"
+	perClusterNamespaces = make(map[string]antreae2e.TestNamespaceMeta)
+	nss := []string{"x", "y", "z"}
+	for _, ns := range nss {
+		perClusterNamespaces[ns] = antreae2e.TestNamespaceMeta{Name: ns}
+	}
 	allPodsPerCluster = []antreae2e.Pod{}
 	podsByNamespace = make(map[string][]antreae2e.Pod)
@@ -62,8 +63,8 @@ func initializeForPolicyTest(t *testing.T, data *MCTestData) {
 	for _, podName := range perNamespacePods {
 		for _, ns := range perClusterNamespaces {
-			allPodsPerCluster = append(allPodsPerCluster, antreae2e.NewPod(ns, podName))
-			podsByNamespace[ns] = append(podsByNamespace[ns], antreae2e.NewPod(ns, podName))
+			allPodsPerCluster = append(allPodsPerCluster, antreae2e.NewPod(ns.Name, podName))
+			podsByNamespace[ns.Name] = append(podsByNamespace[ns.Name], antreae2e.NewPod(ns.Name, podName))
 		}
 	}
 	for clusterName := range data.clusterTestDataMap {
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
index a058831a267..cfb56766358 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -533,12 +533,14 @@ func (n *NetworkPolicyController) getNamespaceLabels(ns string) map[string]strin
 // groupNamespaceByLabelValue groups Namespaces if they have the same label value for all the
 // label keys listed. If a Namespace is missing at least one of the label keys, it will be
 // not be grouped. Example:
+//
 // ns1: app=web, tier=test, tenant=t1
 // ns2: app=web, tier=test, tenant=t2
 // ns3: app=web, tier=production, tenant=t1
 // ns4: app=web, tier=production, tenant=t2
 // ns5: app=db, tenant=t1
-// labelKeys = [app, tier]
+// labelKeys = [app, tier]
+//
 // Result after grouping:
 // "web,test,": [ns1, ns2]
 // "web,production,": [ns3, ns4]
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index 28855576d3b..4e7e68a6305 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -52,9 +52,10 @@ var (
 	k8sUtils *KubernetesUtils
 	allTestList []*TestCase
 	pods []string
-	namespaces map[string]string
+	namespaces map[string]TestNamespaceMeta
 	podIPs map[string][]string
 	p80, p81, p8080, p8081, p8082, p8085, p6443 int32
+	selfNamespace *crdv1alpha1.PeerNamespaces
 )
 const (
@@ -66,32 +67,13 @@ const (
 	// Verification of deleting/creating resources timed out.
 	timeout = 10 * time.Second
 	// audit log directory on Antrea Agent
-	logDir = "/var/log/antrea/networkpolicy/"
-	logfileName = "np.log"
-	defaultTierName = "application"
+	logDir = "/var/log/antrea/networkpolicy/"
+	logfileName = "np.log"
+	defaultTierName = "application"
+	formFactorNormal = "3by3PodWorkloads"
+	formFactorLarge = "extraNamespaces"
 )
-// TestAntreaPolicyStats is the top-level test which contains all subtests for
-// AntreaPolicyStats related test cases so they can share setup, teardown.
-func TestAntreaPolicyStats(t *testing.T) {
-	skipIfHasWindowsNodes(t)
-	skipIfAntreaPolicyDisabled(t)
-	skipIfNetworkPolicyStatsDisabled(t)
-
-	data, err := setupTest(t)
-	if err != nil {
-		t.Fatalf("Error when setting up test: %v", err)
-	}
-	defer teardownTest(t, data)
-
-	t.Run("testANPNetworkPolicyStatsWithDropAction", func(t *testing.T) {
-		testANPNetworkPolicyStatsWithDropAction(t, data)
-	})
-	t.Run("testAntreaClusterNetworkPolicyStats", func(t *testing.T) {
-		testAntreaClusterNetworkPolicyStats(t, data)
-	})
-}
-
 func failOnError(err error, t *testing.T) {
 	if err != nil {
 		log.Errorf("%+v", err)
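Review bot: TestAntreaPolicyStats is deleted in this hunk with no replacement visible in the diff, so testANPNetworkPolicyStatsWithDropAction and testAntreaClusterNetworkPolicyStats appear to lose their only top-level entry point; if they were re-homed under another test in a file not shown here, a sentence in the commit message would make that clear, otherwise the NetworkPolicyStats coverage silently disappears. The two new constants are also undocumented, and their string values do not explain themselves; a comment on the const block such as `// formFactorNormal and formFactorLarge select which set of test Namespaces initialize creates; see initNamespaceMeta.` would tell a reader what to pass.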
@@ -109,19 +91,82 @@ type podToAddrTestStep struct {
 	expectedConnectivity PodConnectivityMark
 }
-func initialize(t *testing.T, data *TestData) {
+// Util function to get the runtime name of a test Namespace.
+func getNS(ns string) string {
+	return namespaces[ns].Name
+}
+
+// Util function to get the runtime Pod struct of a test Pod.
+func getPod(ns, po string) Pod {
+	return Pod(namespaces[ns].Name + "/" + po)
+}
+
+// Util function to get the runtime Pod name of a test Pod.
+func getPodName(ns, po string) string {
+	return namespaces[ns].Name + "/" + po
+}
+
+// initNamespaceMeta populates the test Namespaces metadata.
+// There are two form factors for test workload Namespaces:
+
+// Normal: three Namespaces x, y, z.
+// Large: two "prod" Namespaces labeled purpose=test and tier=prod.
+        two "dev" Namespaces labeled purpose=test and tier=dev.
+        one "no-tier-label" Namespace labeled purpose=test.
+
+// The large form factor workloads are used for testcases where advanced
+// Namespace matching in policies are required.
+func initNamespaceMeta(formFactor string) map[string]TestNamespaceMeta {
+	allNamespaceMeta := make(map[string]TestNamespaceMeta)
+	suffix := randName("")
+	if formFactor == formFactorLarge {
+		for i := 1; i < 3; i++ {
+			prodNS := TestNamespaceMeta{
+				Name: "prod" + strconv.Itoa(i) + "-" + suffix,
+				Labels: map[string]string{
+					"purpose": "test",
+					"tier": "prod",
+				},
+			}
+			allNamespaceMeta["prod"+strconv.Itoa(i)] = prodNS
+			devNS := TestNamespaceMeta{
+				Name: "dev" + strconv.Itoa(i) + "-" + suffix,
+				Labels: map[string]string{
+					"purpose": "test",
+					"tier": "dev",
+				},
+			}
+			allNamespaceMeta["dev"+strconv.Itoa(i)] = devNS
+		}
+		allNamespaceMeta["no-tier-label"] = TestNamespaceMeta{
+			Name: "no-tier-label-" + suffix,
+			Labels: map[string]string{
+				"purpose": "test",
+			},
+		}
+	} else if formFactor == formFactorNormal {
+		nss := []string{"x", "y", "z"}
+		for _, ns := range nss {
+			allNamespaceMeta[ns] = TestNamespaceMeta{
+				Name: ns + "-" + suffix,
+			}
+		}
+	}
+	return allNamespaceMeta
+}
+
+func initialize(t *testing.T, data *TestData, formFactor string) {
 	p80 = 80
 	p81 = 81
 	p8080 = 8080
 	p8081 = 8081
 	p8082 = 8082
 	p8085 = 8085
+	selfNamespace = &crdv1alpha1.PeerNamespaces{
+		Match: crdv1alpha1.NamespaceMatchSelf,
+	}
 	pods = []string{"a", "b", "c"}
-	namespaces = make(map[string]string)
-	suffix := randName("")
-	namespaces["x"] = "x-" + suffix
-	namespaces["y"] = "y-" + suffix
-	namespaces["z"] = "z-" + suffix
+	namespaces = initNamespaceMeta(formFactor)
 	// This function "initialize" will be used more than once, and variable "allPods" is global.
 	// It should be empty every time when "initialize" is performed, otherwise there will be unexpected
 	// results.
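Review bot: getNS, getPod and getPodName index the namespaces map without an ok check, so an undefined key yields the zero-value TestNamespaceMeta and the helpers return "" and "/a" instead of failing; now that the two form factors define different key sets ("x", "y", "z" versus "prod1", "dev1", …), a test that looks up "x" while the large form factor is active would silently build policies with an empty Namespace selector and Pod names that match nothing, and its reachability assertions would be checked against the wrong topology. initNamespaceMeta has the same silent mode: an unrecognised formFactor returns an empty map and initialize continues with no Pods, so `if len(namespaces) == 0 { t.Fatalf("unknown test form factor %q", formFactor) }` right after the initNamespaceMeta call would fail fast there. I would make getNS the single lookup point, have it panic on a missing key (a programmer error in the test itself, and fmt is already used in this file), and let getPod and getPodName delegate to it. As rendered here the doc comment above initNamespaceMeta also appears split by blank lines, which detaches "initNamespaceMeta populates…" from the function; if that is not an artifact of this view, the separators should be `//` lines.
```go
// Util function to get the runtime name of a test Namespace.
func getNS(ns string) string {
	meta, ok := namespaces[ns]
	if !ok {
		panic(fmt.Sprintf("test Namespace %q is not defined for the current form factor", ns))
	}
	return meta.Name
}

// Util function to get the runtime Pod struct of a test Pod.
func getPod(ns, po string) Pod {
	return Pod(getPodName(ns, po))
}

// Util function to get the runtime Pod name of a test Pod.
func getPodName(ns, po string) string {
	return getNS(ns) + "/" + po
}
// … unchanged: initNamespaceMeta, initialize …
```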
@@ -130,8 +175,8 @@ func initialize(t *testing.T, data *TestData) {
 	for _, podName := range pods {
 		for _, ns := range namespaces {
-			allPods = append(allPods, NewPod(ns, podName))
-			podsByNamespace[ns] = append(podsByNamespace[ns], NewPod(ns, podName))
+			allPods = append(allPods, NewPod(ns.Name, podName))
+			podsByNamespace[ns.Name] = append(podsByNamespace[ns.Name], NewPod(ns.Name, podName))
 		}
 	}
 	skipIfAntreaPolicyDisabled(t)
@@ -149,13 +194,13 @@ func skipIfAntreaPolicyDisabled(tb testing.TB) {
 	skipIfFeatureDisabled(tb, features.AntreaPolicy, true, true)
 }
-func applyDefaultDenyToAllNamespaces(k8s *KubernetesUtils, namespaces map[string]string) error {
+func applyDefaultDenyToAllNamespaces(k8s *KubernetesUtils, namespaces map[string]TestNamespaceMeta) error {
 	if err := k8s.CleanNetworkPolicies(namespaces); err != nil {
 		return err
 	}
 	for _, ns := range namespaces {
 		builder := &NetworkPolicySpecBuilder{}
-		builder = builder.SetName(ns, "default-deny-namespace")
+		builder = builder.SetName(ns.Name, "default-deny-namespace")
 		builder.SetTypeIngress()
 		if _, err := k8s.CreateOrUpdateNetworkPolicy(builder.Get()); err != nil {
 			return err
@@ -171,7 +216,7 @@ func applyDefaultDenyToAllNamespaces(k8s *KubernetesUtils, namespaces map[string
 	return nil
 }
-func cleanupDefaultDenyNPs(k8s *KubernetesUtils, namespaces map[string]string) error {
+func cleanupDefaultDenyNPs(k8s *KubernetesUtils, namespaces map[string]TestNamespaceMeta) error {
 	if err := k8s.CleanNetworkPolicies(namespaces); err != nil {
 		return err
 	}
@@ -192,7 +237,6 @@ func testMutateACNPNoTier(t *testing.T) {
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0)
 	acnp := builder.Get()
-	log.Debugf("creating ACNP %v", acnp.Name)
 	acnp, err := k8sUtils.CreateOrUpdateACNP(acnp)
 	if err != nil {
 		failOnError(fmt.Errorf("ACNP create failed %v", err), t)
@@ -206,11 +250,10 @@ func testMutateACNPNoTier(t *testing.T) {
 func testMutateANPNoTier(t *testing.T) {
 	invalidNpErr := fmt.Errorf("ANP tier not mutated to default tier")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-no-tier").
+	builder = builder.SetName(getNS("x"), "anp-no-tier").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0)
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	anp, err := k8sUtils.CreateOrUpdateANP(anp)
 	if err != nil {
 		failOnError(fmt.Errorf("ANP create failed %v", err), t)
@@ -222,15 +265,14 @@ func testMutateANPNoTier(t *testing.T) {
 }
 func testMutateACNPNoRuleName(t *testing.T) {
-	mutateErr := fmt.Errorf("ACNP Rule name not mutated automatically")
+	mutateErr := fmt.Errorf("ACNP Rule Name not mutated automatically")
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-no-rule-name").
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0).
-		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
-			nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")},
+			nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
 	acnp := builder.Get()
-	log.Debugf("creating ACNP %v", acnp.Name)
 	acnp, err := k8sUtils.CreateOrUpdateACNP(acnp)
 	if err != nil {
 		failOnError(fmt.Errorf("ACNP create failed %v", err), t)
@@ -247,15 +289,14 @@ func testMutateACNPNoRuleName(t *testing.T) {
 }
 func testMutateANPNoRuleName(t *testing.T) {
-	mutateErr := fmt.Errorf("ANP Rule name not mutated automatically")
+	mutateErr := fmt.Errorf("ANP Rule Name not mutated automatically")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-no-rule-name").
+	builder = builder.SetName(getNS("x"), "anp-no-rule-name").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0).
-		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil,
+		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	anp, err := k8sUtils.CreateOrUpdateANP(anp)
 	if err != nil {
 		failOnError(fmt.Errorf("ANP create failed %v", err), t)
@@ -277,7 +318,6 @@ func testInvalidACNPNoPriority(t *testing.T) {
 	builder = builder.SetName("acnp-no-priority").
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 	acnp := builder.Get()
-	log.Debugf("creating ACNP %v", acnp.Name)
 	if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil {
 		// Above creation of ACNP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -299,7 +339,6 @@ func testInvalidANPIngressPeerGroupSetWithPodSelector(t *testing.T) {
 	builder = builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, nil, nil, nil, nil, nil, []ANPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, gA, "")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -321,7 +360,6 @@ func testInvalidANPIngressPeerGroupSetWithIPBlock(t *testing.T) {
 	builder = builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, &cidr, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, gA, "")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -332,10 +370,9 @@ func testInvalidANPIngressPeerGroupSetWithIPBlock(t *testing.T) {
 func testInvalidANPNoPriority(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without a priority accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-no-priority").
+	builder = builder.SetName(getNS("x"), "anp-no-priority").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -345,14 +382,13 @@ func testInvalidANPNoPriority(t *testing.T) {
 func testInvalidANPRuleNameNotUnique(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without unique rule names accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-rule-name-not-unique").
+	builder = builder.SetName(getNS("x"), "anp-rule-Name-not-unique").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
-		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil,
+		AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique").
-		AddIngress(ProtocolTCP, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["x"]}, nil,
+		AddIngress(ProtocolTCP, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
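Review bot: The policy name on the changed SetName line is now "anp-rule-Name-not-unique", which is not a valid Kubernetes object name (metadata.name must be a lowercase RFC 1123 subdomain), so, assuming SetName uses it as metadata.name as the other callers suggest, the API server rejects the ANP for its name alone and the `err == nil` check passes for the wrong reason — the duplicate-rule-name validation this test exists to cover is no longer exercised. This looks like a stray name→Name substitution from the TestNamespaceMeta refactor; the same substitution shows up in the error strings of testMutateACNPNoRuleName and testMutateANPNoRuleName ("ACNP Rule Name…", "ANP Rule Name…"), harmless there but worth reverting too. Restore `builder = builder.SetName(getNS("x"), "anp-rule-name-not-unique").`.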
@@ -362,11 +398,10 @@ func testInvalidANPRuleNameNotUnique(t *testing.T) {
 func testInvalidANPTierDoesNotExist(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without existing Tier accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-tier-not-exist").
+	builder = builder.SetName(getNS("x"), "anp-tier-not-exist").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetTier("i-dont-exist")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -376,14 +411,13 @@ func testInvalidANPTierDoesNotExist(t *testing.T) {
 func testInvalidANPPortRangePortUnset(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy egress rule with endPort but no port accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["y"], "anp-egress-port-range-port-unset").
+	builder = builder.SetName(getNS("y"), "anp-egress-port-range-port-unset").
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
-	builder.AddEgress(ProtocolTCP, nil, nil, &p8085, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["x"]}, nil,
+	builder.AddEgress(ProtocolTCP, nil, nil, &p8085, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("x")}, nil,
 		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -393,14 +427,13 @@ func testInvalidANPPortRangePortUnset(t *testing.T) {
 func testInvalidANPPortRangeEndPortSmall(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy egress rule with endPort smaller than port accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["y"], "anp-egress-port-range-endport-small").
+	builder = builder.SetName(getNS("y"), "anp-egress-port-range-endport-small").
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
-	builder.AddEgress(ProtocolTCP, &p8082, nil, &p8081, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["x"]}, nil,
+	builder.AddEgress(ProtocolTCP, &p8082, nil, &p8081, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("x")}, nil,
 		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
 		// Above creation of ANP must fail as it is an invalid spec.
 		failOnError(invalidNpErr, t)
@@ -469,7 +502,6 @@ func testInvalidTierACNPRefDelete(t *testing.T) {
 		SetTier("tier-acnp").
 		SetPriority(13.0)
 	acnp := builder.Get()
-	log.Debugf("creating ACNP %v", acnp.Name)
 	if _, err = k8sUtils.CreateOrUpdateACNP(acnp); err != nil {
 		failOnError(fmt.Errorf("create ACNP failed for ACNP %s: %v", acnp.Name, err), t)
 	}
@@ -488,12 +520,11 @@ func testInvalidTierANPRefDelete(t *testing.T) {
 		failOnError(fmt.Errorf("create Tier failed for tier tier-anp: %v", err), t)
 	}
 	builder := &AntreaNetworkPolicySpecBuilder{}
-	builder = builder.SetName(namespaces["x"], "anp-for-tier").
+	builder = builder.SetName(getNS("x"), "anp-for-tier").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetTier("tier-anp-ref").
 		SetPriority(13.0)
 	anp := builder.Get()
-	log.Debugf("creating ANP %v", anp.Name)
 	if _, err = k8sUtils.CreateOrUpdateANP(anp); err != nil {
 		failOnError(fmt.Errorf("create ANP failed for ANP %s: %v", anp.Name, err), t)
 	}
@@ -542,13 +573,13 @@ func testACNPAllowXBtoA(t *testing.T) {
 	builder = builder.SetName("acnp-allow-xb-to-a").
 		SetPriority(1.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
-	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
 	reachability := NewReachability(allPods, Dropped)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Connected)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Connected)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["z"]+"/a"), Connected)
+	reachability.Expect(getPod("x", "b"), getPod("x", "a"), Connected)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Connected)
+	reachability.Expect(getPod("x", "b"), getPod("z", "a"), Connected)
 	reachability.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
@@ -575,12 +606,12 @@ func testACNPAllowXBtoYA(t *testing.T) {
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-allow-xb-to-ya").
 		SetPriority(2.0).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["y"]}}})
-	builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("y")}}})
+	builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
 	reachability := NewReachability(allPods, Dropped)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Connected)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Connected)
 	reachability.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
@@ -607,25 +638,25 @@ func testACNPPriorityOverrideDefaultDeny(t *testing.T) {
 	builder1 := &ClusterNetworkPolicySpecBuilder{}
 	builder1 = builder1.SetName("acnp-priority2").
 		SetPriority(2).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
-	builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}})
+	builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
 	builder2 := &ClusterNetworkPolicySpecBuilder{}
 	builder2 = builder2.SetName("acnp-priority1").
 		SetPriority(1).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
-	builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}})
+	builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 	// Ingress from ns:z to x/a will be dropped since acnp-priority1 has higher precedence.
 	reachabilityBothACNP := NewReachability(allPods, Dropped)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Connected)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Connected)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Connected)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Connected)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Connected)
-	reachabilityBothACNP.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "a"), getPod("x", "b"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "a"), getPod("x", "c"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "b"), getPod("x", "b"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "b"), getPod("x", "c"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "c"), getPod("x", "b"), Connected)
+	reachabilityBothACNP.Expect(getPod("z", "c"), getPod("x", "c"), Connected)
 	reachabilityBothACNP.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
@@ -658,11 +689,11 @@ func testACNPAllowNoDefaultIsolation(t *testing.T, protocol AntreaPolicyProtocol
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-allow-x-ingress-y-egress-z").
 		SetPriority(1.1).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
-	builder.AddIngress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
-	builder.AddEgress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}})
+	builder.AddIngress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("y")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
+	builder.AddEgress(protocol, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil)
 	reachability := NewReachability(allPods, Connected)
 	testStep := []*TestStep{
@@ -696,14 +727,14 @@ func testACNPDropEgress(t *testing.T, protocol AntreaPolicyProtocol) {
 	builder = builder.SetName("acnp-deny-a-to-z-egress").
 		SetPriority(1.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
-	builder.AddEgress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	builder.AddEgress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 	reachability := NewReachability(allPods, Connected)
-	reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
-	reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped)
-	reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped)
-	reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+	reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped)
+	reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped)
+	reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped)
+	reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped)
 	testStep := []*TestStep{
 		{
 			"Port 80",
@@ -728,14 +759,14 @@ func testACNPDropIngressInSelectedNamespace(t *testing.T) {
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-deny-ingress-to-x").
 		SetPriority(1.0).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}})
-	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, false, nil,
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}})
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
 		crdv1alpha1.RuleActionDrop, "", "drop-all-ingress", nil)
 	reachability := NewReachability(allPods, Connected)
-	reachability.ExpectAllIngress(Pod(namespaces["x"]+"/a"), Dropped)
-	reachability.ExpectAllIngress(Pod(namespaces["x"]+"/b"), Dropped)
-	reachability.ExpectAllIngress(Pod(namespaces["x"]+"/c"), Dropped)
+	reachability.ExpectAllIngress(getPod("x", "a"), Dropped)
+	reachability.ExpectAllIngress(getPod("x", "b"), Dropped)
+	reachability.ExpectAllIngress(getPod("x", "c"), Dropped)
 	reachability.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
 		{
@@ -760,18 +791,18 @@ func testACNPNoEffectOnOtherProtocols(t *testing.T) {
 	builder = builder.SetName("acnp-deny-a-to-z-ingress").
 		SetPriority(1.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
-	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 	reachability1 := NewReachability(allPods, Connected)
-	reachability1.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["y"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["z"]+"/a"), Dropped)
-	reachability1.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["z"]+"/a"), Dropped)
+	reachability1.Expect(getPod("z", "a"), getPod("x", "a"), Dropped)
+	reachability1.Expect(getPod("z", "b"), getPod("x", "a"), Dropped)
+	reachability1.Expect(getPod("z", "c"), getPod("x", "a"), Dropped)
+	reachability1.Expect(getPod("z", "a"), getPod("y", "a"), Dropped)
+	reachability1.Expect(getPod("z", "b"), getPod("y", "a"), Dropped)
+	reachability1.Expect(getPod("z", "c"), getPod("y", "a"), Dropped)
+	reachability1.Expect(getPod("z", "b"), getPod("z", "a"), Dropped)
+	reachability1.Expect(getPod("z", "c"), getPod("z", "a"), Dropped)
 	reachability2 := NewReachability(allPods, Connected)
@@ -806,18 +837,18 @@ func testACNPAppliedToDenyXBtoCGWithYA(t *testing.T) {
 	cgName := "cg-pods-ya"
 	cgBuilder := &ClusterGroupV1Alpha2SpecBuilder{}
 	cgBuilder = cgBuilder.SetName(cgName).
-		SetNamespaceSelector(map[string]string{"ns": namespaces["y"]}, nil).
+		SetNamespaceSelector(map[string]string{"ns": getNS("y")}, nil).
 		SetPodSelector(map[string]string{"pod": "a"}, nil)
 	port81Name := "serve-81"
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-deny-cg-with-ya-from-xb").
 		SetPriority(2.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
-	builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
-		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")},
+		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 	reachability := NewReachability(allPods, Connected)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
 	reachability.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
@@ -843,18 +874,18 @@ func testACNPIngressRuleDenyCGWithXBtoYA(t *testing.T) {
 	cgName := "cg-pods-xb"
 	cgBuilder := &ClusterGroupV1Alpha2SpecBuilder{}
 	cgBuilder = cgBuilder.SetName(cgName).
-		SetNamespaceSelector(map[string]string{"ns": namespaces["x"]}, nil).
+		SetNamespaceSelector(map[string]string{"ns": getNS("x")}, nil).
 		SetPodSelector(map[string]string{"pod": "b"}, nil)
 	port81Name := "serve-81"
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-deny-cg-with-xb-to-ya").
 		SetPriority(2.0).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["y"]}}})
+		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("y")}}})
 	builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil, nil,
-		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+		nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
 	reachability := NewReachability(allPods, Connected)
-	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
 	reachability.ExpectSelf(allPods, Connected)
 	testStep := []*TestStep{
@@ -882,14 +913,14 @@ func testACNPAppliedToRuleCGWithPodsAToNsZ(t *testing.T) {
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("acnp-deny-cg-with-a-to-z").
 SetPriority(1.0)
- builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, []ACNPAppliedToSpec{{Group: cgName}}, crdv1alpha1.RuleActionDrop, "", "", nil)
+ builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+ nil, nil, nil, []ACNPAppliedToSpec{{Group: cgName}}, crdv1alpha1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected)
- reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
- reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -912,19 +943,19 @@ func testACNPAppliedToRuleCGWithPodsAToNsZ(t *testing.T) {
 func testACNPEgressRulePodsAToCGWithNsZ(t *testing.T) {
 cgName := "cg-ns-z"
 cgBuilder := &ClusterGroupV1Alpha3SpecBuilder{}
- cgBuilder = cgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": namespaces["z"]}, nil)
+ cgBuilder = cgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": getNS("z")}, nil)
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("acnp-deny-a-to-cg-with-z-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
 reachability := NewReachability(allPods, Connected)
- reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
- reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -954,20 +985,20 @@ func testACNPClusterGroupUpdateAppliedTo(t *testing.T) {
 builder = builder.SetName("acnp-deny-cg-with-a-to-z-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
- builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")},
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 reachability := NewReachability(allPods, Connected)
- reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
- reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped)
 updatedReachability := NewReachability(allPods, Connected)
- updatedReachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/c"), namespaces["z"], Dropped)
- updatedReachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/c"), namespaces["z"], Dropped)
- updatedReachability.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["z"]+"/a"), Dropped)
- updatedReachability.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["z"]+"/b"), Dropped)
+ updatedReachability.ExpectEgressToNamespace(getPod("x", "c"), getNS("z"), Dropped)
+ updatedReachability.ExpectEgressToNamespace(getPod("y", "c"), getNS("z"), Dropped)
+ updatedReachability.Expect(getPod("z", "c"), getPod("z", "a"), Dropped)
+ updatedReachability.Expect(getPod("z", "c"), getPod("z", "b"), Dropped)
 testStep := []*TestStep{
 {
 "CG Pods A",
@@ -997,28 +1028,28 @@ func testACNPClusterGroupUpdateAppliedTo(t *testing.T) {
 func testACNPClusterGroupUpdate(t *testing.T) {
 cgName := "cg-ns-z-then-y"
 cgBuilder := &ClusterGroupV1Alpha3SpecBuilder{}
- cgBuilder = cgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": namespaces["z"]}, nil)
+ cgBuilder = cgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": getNS("z")}, nil)
 // Update CG NS selector to group Pods from Namespace Y
 updatedCgBuilder := &ClusterGroupV1Alpha3SpecBuilder{}
- updatedCgBuilder = updatedCgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": namespaces["y"]}, nil)
+ updatedCgBuilder = updatedCgBuilder.SetName(cgName).SetNamespaceSelector(map[string]string{"ns": getNS("y")}, nil)
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("acnp-deny-a-to-cg-with-z-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
 reachability := NewReachability(allPods, Connected)
- reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped)
- reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped)
+ reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped)
 updatedReachability := NewReachability(allPods, Connected)
- updatedReachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["y"], Dropped)
- updatedReachability.ExpectEgressToNamespace(Pod(namespaces["z"]+"/a"), namespaces["y"], Dropped)
- updatedReachability.Expect(Pod(namespaces["y"]+"/a"), Pod(namespaces["y"]+"/b"), Dropped)
- updatedReachability.Expect(Pod(namespaces["y"]+"/a"), Pod(namespaces["y"]+"/c"), Dropped)
+ updatedReachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("y"), Dropped)
+ updatedReachability.ExpectEgressToNamespace(getPod("z", "a"), getNS("y"), Dropped)
+ updatedReachability.Expect(getPod("y", "a"), getPod("y", "b"), Dropped)
+ updatedReachability.Expect(getPod("y", "a"), getPod("y", "c"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1049,22 +1080,22 @@ func testACNPClusterGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 cgName := "cg-pod-custom-pod-zj"
 cgBuilder := &ClusterGroupV1Alpha3SpecBuilder{}
 cgBuilder = cgBuilder.SetName(cgName).
- SetNamespaceSelector(map[string]string{"ns": namespaces["z"]}, nil).
+ SetNamespaceSelector(map[string]string{"ns": getNS("z")}, nil).
 SetPodSelector(map[string]string{"pod": "j"}, nil)
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("acnp-deny-cg-with-zj-to-xj-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
- builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "j"}, map[string]string{"ns": namespaces["x"]},
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+ builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "j"}, map[string]string{"ns": getNS("x")},
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
- Pod: NewPod(namespaces["z"], "j"),
+ Pod: NewPod(getNS("z"), "j"),
 Labels: map[string]string{"pod": "j"},
 },
 DestPod: CustomPod{
- Pod: NewPod(namespaces["x"], "j"),
+ Pod: NewPod(getNS("x"), "j"),
 Labels: map[string]string{"pod": "j"},
 },
 ExpectConnectivity: Dropped,
@@ -1092,7 +1123,7 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 cgName := "cg-pod-custom-pod-zk"
 cgBuilder := &ClusterGroupV1Alpha3SpecBuilder{}
 cgBuilder = cgBuilder.SetName(cgName).
- SetNamespaceSelector(map[string]string{"ns": namespaces["z"]}, nil).
+ SetNamespaceSelector(map[string]string{"ns": getNS("z")}, nil).
 SetPodSelector(map[string]string{"pod": "k"}, nil)
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("acnp-deny-xk-to-cg-with-zk-egress").
@@ -1100,19 +1131,19 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 SetAppliedToGroup([]ACNPAppliedToSpec{
 {
 PodSelector: map[string]string{"pod": "k"},
- NSSelector: map[string]string{"ns": namespaces["x"]},
+ NSSelector: map[string]string{"ns": getNS("x")},
 },
 })
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "", nil)
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
- Pod: NewPod(namespaces["x"], "k"),
+ Pod: NewPod(getNS("x"), "k"),
 Labels: map[string]string{"pod": "k"},
 },
 DestPod: CustomPod{
- Pod: NewPod(namespaces["z"], "k"),
+ Pod: NewPod(getNS("z"), "k"),
 Labels: map[string]string{"pod": "k"},
 },
 ExpectConnectivity: Dropped,
@@ -1138,10 +1169,10 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 }
 func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) {
- podXAIP, _ := podIPs[namespaces["x"]+"/a"]
- podXBIP, _ := podIPs[namespaces["x"]+"/b"]
- podXCIP, _ := podIPs[namespaces["x"]+"/c"]
- podZAIP, _ := podIPs[namespaces["z"]+"/a"]
+ podXAIP, _ := podIPs[getPodName("x", "a")]
+ podXBIP, _ := podIPs[getPodName("x", "b")]
+ podXCIP, _ := podIPs[getPodName("x", "c")]
+ podZAIP, _ := podIPs[getPodName("z", "a")]
 // There are three situations of a Pod's IP(s):
 // 1. Only one IPv4 address.
 // 2. Only one IPv6 address.
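Review bot: `podXAIP, _ := podIPs[getPodName("x", "a")]` and the three lookups below it in testACNPClusterGroupRefRuleIPBlocks discard the map's presence flag, so a Pod whose IP was never recorded, or a slip in the new getPodName arguments, yields a nil slice and the test goes on to build IPBlocks from nothing and fails later with a misleading reachability result rather than at the lookup. Now that the key is computed by a helper rather than spelled out inline, this is the point where a missing entry would first surface, and a fail-fast check is cheap. The same discarded flag appears in the testANPGroupRefRuleIPBlocks hunk further down (podXBIP, podXCIP). The function body continues outside the hunk.
```go
podXAIP, ok := podIPs[getPodName("x", "a")]
if !ok {
	t.Fatalf("no IP recorded for Pod %s", getPodName("x", "a"))
}
// … same presence check for podXBIP, podXCIP and podZAIP …
// … unchanged: IP-family handling and the rest of testACNPClusterGroupRefRuleIPBlocks …
```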
@@ -1177,19 +1208,19 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{
 {
 PodSelector: map[string]string{"pod": "a"},
- NSSelector: map[string]string{"ns": namespaces["y"]},
+ NSSelector: map[string]string{"ns": getNS("y")},
 },
 })
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgv1a3Name, "", nil)
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgv1a3Name, "", nil)
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil,
- nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgv1a2Name, "", nil)
+ nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgv1a2Name, "", nil)
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
- reachability.Expect(Pod(namespaces["x"]+"/c"), Pod(namespaces["y"]+"/a"), Dropped)
- reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "a"), getPod("y", "a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
+ reachability.Expect(getPod("x", "c"), getPod("y", "a"), Dropped)
+ reachability.Expect(getPod("z", "a"), getPod("y", "a"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1211,16 +1242,16 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) {
 func testANPEgressRulePodsAToGrpWithPodsC(t *testing.T) {
 grpName := "grp-xc"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "c"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "c"}, nil)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-xa-to-grp-xc-egress").
+ builder = builder.SetName(getNS("x"), "anp-deny-xa-to-grp-xc-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
+ reachability.Expect(getPod("x", "a"), getPod("x", "c"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1243,17 +1274,17 @@ func testANPEgressRulePodsAToGrpWithPodsC(t *testing.T) {
 func testANPIngressRuleDenyGrpWithXCtoXA(t *testing.T) {
 grpName := "grp-pods-xb"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "b"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "b"}, nil)
 port81Name := "serve-81"
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-grp-with-xb-to-xa").
+ builder = builder.SetName(getNS("x"), "anp-deny-grp-with-xb-to-xa").
 SetPriority(2.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
 reachability.ExpectSelf(allPods, Connected)
 testStep := []*TestStep{
@@ -1276,22 +1307,22 @@ func testANPIngressRuleDenyGrpWithXCtoXA(t *testing.T) {
 func testANPGroupUpdate(t *testing.T) {
 grpName := "grp-pod-xc-then-pod-xb"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "c"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "c"}, nil)
 // Update Group Pod selector from X/C to X/B
 updatedGrpBuilder := &GroupSpecBuilder{}
- updatedGrpBuilder = updatedGrpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "b"}, nil)
+ updatedGrpBuilder = updatedGrpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "b"}, nil)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-xa-to-grp-with-xc-egress").
+ builder = builder.SetName(getNS("x"), "anp-deny-xa-to-grp-with-xc-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
+ reachability.Expect(getPod("x", "a"), getPod("x", "c"), Dropped)
 updatedReachability := NewReachability(allPods, Connected)
- updatedReachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped)
+ updatedReachability.Expect(getPod("x", "a"), getPod("x", "b"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1322,17 +1353,17 @@ func testANPGroupUpdate(t *testing.T) {
 func testANPAppliedToDenyXBtoGrpWithXA(t *testing.T) {
 grpName := "grp-pods-ya"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "a"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "a"}, nil)
 port81Name := "serve-81"
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-grp-with-xa-from-xb").
+ builder = builder.SetName(getNS("x"), "anp-deny-grp-with-xa-from-xb").
 SetPriority(2.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{Group: grpName}})
 builder.AddIngress(ProtocolTCP, nil, &port81Name, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
 reachability.ExpectSelf(allPods, Connected)
 testStep := []*TestStep{
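Review bot: `grpName := "grp-pods-ya"` in testANPAppliedToDenyXBtoGrpWithXA names a Group that the very next changed line places in Namespace x (`SetNamespace(getNS("x"))`) with a pod=a selector, so the `ya` suffix contradicts both the function name and the selector and will mislead anyone reading the created resources during a failure. `grpName := "grp-pods-xa"` matches the policy name `anp-deny-grp-with-xa-from-xb` used a few lines below. It is a context line the commit leaves untouched, but since this hunk rewrites the namespace handling of the function it is the natural place to correct it.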
@@ -1357,15 +1388,15 @@ func testANPAppliedToDenyXBtoGrpWithXA(t *testing.T) {
 func testANPAppliedToRuleGrpWithPodsAToPodsC(t *testing.T) {
 grpName := "grp-pods-a"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "a"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "a"}, nil)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-grp-with-a-to-c").
+ builder = builder.SetName(getNS("x"), "anp-deny-grp-with-a-to-c").
 SetPriority(1.0)
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil, nil, nil, nil, nil, []ANPAppliedToSpec{{Group: grpName}}, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
+ reachability.Expect(getPod("x", "a"), getPod("x", "c"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1387,22 +1418,22 @@ func testANPAppliedToRuleGrpWithPodsAToPodsC(t *testing.T) {
 func testANPGroupUpdateAppliedTo(t *testing.T) {
 grpName := "grp-pods-xa-then-xb"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "a"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "a"}, nil)
 // Update GRP Pod selector to group Pods x/b
 updatedGrpBuilder := &GroupSpecBuilder{}
- updatedGrpBuilder = updatedGrpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "b"}, nil)
+ updatedGrpBuilder = updatedGrpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "b"}, nil)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-grp-xc-to-xa-egress").
+ builder = builder.SetName(getNS("x"), "anp-deny-grp-xc-to-xa-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{Group: grpName}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped)
+ reachability.Expect(getPod("x", "a"), getPod("x", "c"), Dropped)
 updatedReachability := NewReachability(allPods, Connected)
- updatedReachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped)
+ updatedReachability.Expect(getPod("x", "b"), getPod("x", "c"), Dropped)
 testStep := []*TestStep{
 {
 "GRP Pods X/C",
@@ -1432,9 +1463,9 @@ func testANPGroupUpdateAppliedTo(t *testing.T) {
 func testANPGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 grpName := "grp-pod-custom-pod-xj"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "j"}, nil)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "j"}, nil)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-grp-with-xj-to-xd-egress").
+ builder = builder.SetName(getNS("x"), "anp-deny-grp-with-xj-to-xd-egress").
 SetPriority(1.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{Group: grpName}})
 builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "d"}, nil, nil,
@@ -1442,11 +1473,11 @@ func testANPGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
- Pod: NewPod(namespaces["x"], "j"),
+ Pod: NewPod(getNS("x"), "j"),
 Labels: map[string]string{"pod": "j"},
 },
 DestPod: CustomPod{
- Pod: NewPod(namespaces["x"], "d"),
+ Pod: NewPod(getNS("x"), "d"),
 Labels: map[string]string{"pod": "d"},
 },
 ExpectConnectivity: Dropped,
@@ -1471,17 +1502,17 @@ func testANPGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 }
 func testANPGroupServiceRefPodAdd(t *testing.T, data *TestData) {
- svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil)
- svc2 := k8sUtils.BuildService("svc2", namespaces["x"], 80, 80, map[string]string{"app": "b"}, nil)
+ svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil)
+ svc2 := k8sUtils.BuildService("svc2", getNS("x"), 80, 80, map[string]string{"app": "b"}, nil)
 grp1Name, grp2Name := "grp-svc1", "grp-svc2"
 grpBuilder1 := &GroupSpecBuilder{}
- grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc1")
+ grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc1")
 grpBuilder2 := &GroupSpecBuilder{}
- grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc2")
+ grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc2")
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
+ builder = builder.SetName(getNS("x"), "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
@@ -1490,11 +1521,11 @@ func testANPGroupServiceRefPodAdd(t *testing.T, data *TestData) {
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
- Pod: NewPod(namespaces["x"], svc2PodName),
+ Pod: NewPod(getNS("x"), svc2PodName),
 Labels: map[string]string{"pod": svc2PodName, "app": "b"},
 },
 DestPod: CustomPod{
- Pod: NewPod(namespaces["x"], svc1PodName),
+ Pod: NewPod(getNS("x"), svc1PodName),
 Labels: map[string]string{"pod": svc1PodName, "app": "a"},
 },
 ExpectConnectivity: Dropped,
@@ -1503,7 +1534,7 @@ func testANPGroupServiceRefPodAdd(t *testing.T, data *TestData) {
 }
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
 testStep := &TestStep{
 "Port 80 updated",
 reachability,
@@ -1522,8 +1553,8 @@ func testANPGroupServiceRefPodAdd(t *testing.T, data *TestData) {
 }
 func testANPGroupServiceRefDelete(t *testing.T) {
- svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil)
- svc2 := k8sUtils.BuildService("svc2", namespaces["x"], 80, 80, map[string]string{"app": "b"}, nil)
+ svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil)
+ svc2 := k8sUtils.BuildService("svc2", getNS("x"), 80, 80, map[string]string{"app": "b"}, nil)
 k8sUtils.CreateOrUpdateService(svc1)
 failOnError(waitForResourceReady(t, timeout, svc1), t)
 k8sUtils.CreateOrUpdateService(svc2)
@@ -1531,9 +1562,9 @@ func testANPGroupServiceRefDelete(t *testing.T) {
 grp1Name, grp2Name := "grp-svc1", "grp-svc2"
 grpBuilder1 := &GroupSpecBuilder{}
- grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc1")
+ grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc1")
 grpBuilder2 := &GroupSpecBuilder{}
- grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc2")
+ grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc2")
 grp1 := grpBuilder1.Get()
 k8sUtils.CreateOrUpdateV1Alpha3Group(grp1)
 failOnError(waitForResourceReady(t, timeout, grp1), t)
@@ -1542,7 +1573,7 @@ func testANPGroupServiceRefDelete(t *testing.T) {
 failOnError(waitForResourceReady(t, timeout, grp2), t)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
+ builder = builder.SetName(getNS("x"), "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
 anp := builder.Get()
@@ -1550,7 +1581,7 @@ func testANPGroupServiceRefDelete(t *testing.T) {
 failOnError(waitForResourceReady(t, timeout, anp), t)
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
 k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
 _, wrong, _ := reachability.Summary()
 if wrong != 0 {
@@ -1573,23 +1604,23 @@ func testANPGroupServiceRefDelete(t *testing.T) {
 }
 func testANPGroupServiceRefCreateAndUpdate(t *testing.T) {
- svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil)
- svc2 := k8sUtils.BuildService("svc2", namespaces["x"], 80, 80, map[string]string{"app": "b"}, nil)
+ svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil)
+ svc2 := k8sUtils.BuildService("svc2", getNS("x"), 80, 80, map[string]string{"app": "b"}, nil)
 grp1Name, grp2Name := "grp-svc1", "grp-svc2"
 grpBuilder1 := &GroupSpecBuilder{}
- grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc1")
+ grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc1")
 grpBuilder2 := &GroupSpecBuilder{}
- grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc2")
+ grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc2")
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
+ builder = builder.SetName(getNS("x"), "anp-grp-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ANPAppliedToSpec{{Group: grp1Name}})
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grp2Name, "")
 // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace x.
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
 testStep1 := &TestStep{
 "Port 80",
 reachability,
@@ -1601,13 +1632,13 @@ func testANPGroupServiceRefCreateAndUpdate(t *testing.T) {
 }
 // Test update selector of Service referred in grp-svc1, and update serviceReference of grp-svc2.
- svc1Updated := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "b"}, nil)
- svc3 := k8sUtils.BuildService("svc3", namespaces["x"], 80, 80, map[string]string{"app": "c"}, nil)
- grpBuilder2Updated := grpBuilder2.SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc3")
+ svc1Updated := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "b"}, nil)
+ svc3 := k8sUtils.BuildService("svc3", getNS("x"), 80, 80, map[string]string{"app": "c"}, nil)
+ grpBuilder2Updated := grpBuilder2.SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc3")
 // Pods backing svc1 (label pod=b) in namespace x should not allow ingress from Pods backing svc3 (label pod=d) in namespace x.
 reachability2 := NewReachability(allPods, Connected)
- reachability2.Expect(Pod(namespaces["x"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped)
+ reachability2.Expect(getPod("x", "c"), getPod("x", "b"), Dropped)
 testStep2 := &TestStep{
 "Port 80 updated",
 reachability2,
@@ -1626,8 +1657,8 @@ func testANPGroupServiceRefCreateAndUpdate(t *testing.T) {
 }
 func testANPGroupRefRuleIPBlocks(t *testing.T) {
- podXBIP, _ := podIPs[namespaces["x"]+"/b"]
- podXCIP, _ := podIPs[namespaces["x"]+"/c"]
+ podXBIP, _ := podIPs[getPodName("x", "b")]
+ podXCIP, _ := podIPs[getPodName("x", "c")]
 // There are three situations of a Pod's IP(s):
 // 1. Only one IPv4 address.
 // 2. Only one IPv6 address.
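Review bot: The comment `// Pods backing svc1 (label pod=b) in namespace x should not allow ingress from Pods backing svc3 (label pod=d) in namespace x.` disagrees with the code around it in testANPGroupServiceRefCreateAndUpdate: svc3 is built with selector `"app": "c"` and the expectation is `reachability2.Expect(getPod("x", "c"), getPod("x", "b"), Dropped)`, so the denied source is Pod c, not d. The hunk rewrites every line of that block except the comment, which is how the mismatch survived; change it to `// ... from Pods backing svc3 (label pod=c) in namespace x.` The function body continues outside the hunk.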
@@ -1647,18 +1678,18 @@ func testANPGroupRefRuleIPBlocks(t *testing.T) {
 grpName := "grp-ipblocks-pod-xb-xc"
 grpBuilder := &GroupSpecBuilder{}
- grpBuilder = grpBuilder.SetName(grpName).SetNamespace(namespaces["x"]).SetIPBlocks(ipBlock)
+ grpBuilder = grpBuilder.SetName(grpName).SetNamespace(getNS("x")).SetIPBlocks(ipBlock)
 builder := &AntreaNetworkPolicySpecBuilder{}
- builder = builder.SetName(namespaces["x"], "anp-deny-xb-xc-ips-ingress-for-xa").
+ builder = builder.SetName(getNS("x"), "anp-deny-xb-xc-ips-ingress-for-xa").
 SetPriority(1.0).
 SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpName, "")
 reachability := NewReachability(allPods, Connected)
- reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
- reachability.Expect(Pod(namespaces["x"]+"/c"), Pod(namespaces["x"]+"/a"), Dropped)
+ reachability.Expect(getPod("x", "b"), getPod("x", "a"), Dropped)
+ reachability.Expect(getPod("x", "c"), getPod("x", "a"), Dropped)
 testStep := []*TestStep{
 {
 "Port 80",
@@ -1677,21 +1708,21 @@ func testANPGroupRefRuleIPBlocks(t *testing.T) { } func testANPNestedGroupCreateAndUpdate(t *testing.T, data *TestData) { - svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil) + svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil) svc1PodName := randName("test-pod-svc1-") grp1Name, grp2Name, grp3Name := "grp-svc-x-a", "grp-select-x-b", "grp-select-x-c" grpBuilder1 := &GroupSpecBuilder{} - grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(namespaces["x"]).SetServiceReference(namespaces["x"], "svc1") + grpBuilder1 = grpBuilder1.SetName(grp1Name).SetNamespace(getNS("x")).SetServiceReference(getNS("x"), "svc1") grpBuilder2 := &GroupSpecBuilder{} - grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "b"}, nil) + grpBuilder2 = grpBuilder2.SetName(grp2Name).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "b"}, nil) grpBuilder3 := &GroupSpecBuilder{} - grpBuilder3 = grpBuilder3.SetName(grp3Name).SetNamespace(namespaces["x"]).SetPodSelector(map[string]string{"pod": "c"}, nil) + grpBuilder3 = grpBuilder3.SetName(grp3Name).SetNamespace(getNS("x")).SetPodSelector(map[string]string{"pod": "c"}, nil) grpNestedName := "grp-nested" grpBuilderNested := &GroupSpecBuilder{} - grpBuilderNested = grpBuilderNested.SetName(grpNestedName).SetNamespace(namespaces["x"]).SetChildGroups([]string{grp1Name, grp3Name}) + grpBuilderNested = grpBuilderNested.SetName(grpNestedName).SetNamespace(getNS("x")).SetChildGroups([]string{grp1Name, grp3Name}) builder := &AntreaNetworkPolicySpecBuilder{} - builder = builder.SetName(namespaces["x"], "anp-nested-grp").SetPriority(1.0). + builder = builder.SetName(getNS("x"), "anp-nested-grp").SetPriority(1.0). SetAppliedToGroup([]ANPAppliedToSpec{{}}). 
AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, grpNestedName, "") @@ -1700,7 +1731,7 @@ func testANPNestedGroupCreateAndUpdate(t *testing.T, data *TestData) { // Note that in this testStep grp3 will not be created yet, so even though grp-nested selects grp1 and // grp3 as childGroups, only members of grp1 will be included as this time. reachability := NewReachability(allPods, Connected) - reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["x"], Dropped) + reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("x"), Dropped) reachability.ExpectSelf(allPods, Connected) testStep1 := &TestStep{ @@ -1718,18 +1749,18 @@ func testANPNestedGroupCreateAndUpdate(t *testing.T, data *TestData) { grpBuilderNested = grpBuilderNested.SetChildGroups([]string{grp1Name, grp2Name, grp3Name}) // In addition to x/a, all traffic from x/b to Namespace x should also be denied. reachability2 := NewReachability(allPods, Connected) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["x"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/b"), namespaces["x"], Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "a"), getNS("x"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "b"), getNS("x"), Dropped) reachability2.ExpectSelf(allPods, Connected) // New member in grp-svc-x-a should be reflected in grp-nested as well. cp := []*CustomProbe{ { SourcePod: CustomPod{ - Pod: NewPod(namespaces["x"], svc1PodName), + Pod: NewPod(getNS("x"), svc1PodName), Labels: map[string]string{"pod": svc1PodName, "app": "a"}, }, DestPod: CustomPod{ - Pod: NewPod(namespaces["x"], "test-add-pod-ns-x"), + Pod: NewPod(getNS("x"), "test-add-pod-ns-x"), Labels: map[string]string{"pod": "test-add-pod-ns-x"}, }, ExpectConnectivity: Dropped, 
@@ -1749,9 +1780,9 @@ func testANPNestedGroupCreateAndUpdate(t *testing.T, data *TestData) { // In this testStep grp3 is created. It's members should reflect in grp-nested // and as a result, all traffic from x/c to Namespace x should be denied as well. reachability3 := NewReachability(allPods, Connected) - reachability3.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["x"], Dropped) - reachability3.ExpectEgressToNamespace(Pod(namespaces["x"]+"/b"), namespaces["x"], Dropped) - reachability3.ExpectEgressToNamespace(Pod(namespaces["x"]+"/c"), namespaces["x"], Dropped) + reachability3.ExpectEgressToNamespace(getPod("x", "a"), getNS("x"), Dropped) + reachability3.ExpectEgressToNamespace(getPod("x", "b"), getNS("x"), Dropped) + reachability3.ExpectEgressToNamespace(getPod("x", "c"), getNS("x"), Dropped) reachability3.ExpectSelf(allPods, Connected) testStep3 := &TestStep{ "Port 80 updated", 
@@ -1777,36 +1808,36 @@ func testBaselineNamespaceIsolation(t *testing.T) { nsExpOtherThanX := metav1.LabelSelectorRequirement{ Key: "ns", Operator: metav1.LabelSelectorOpNotIn, - Values: []string{namespaces["x"]}, + Values: []string{getNS("x")}, } builder = builder.SetName("acnp-baseline-isolate-ns-x"). SetTier("baseline"). SetPriority(1.0). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, false, + nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) // create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace, // as well as from the y/a Pod. It should open up ingress from y/a since it's evaluated before the baseline tier. k8sNPBuilder := &NetworkPolicySpecBuilder{} - k8sNPBuilder = k8sNPBuilder.SetName(namespaces["x"], "allow-ns-x-and-y-a"). + k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), "allow-ns-x-and-y-a"). SetTypeIngress(). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, - nil, map[string]string{"ns": namespaces["x"]}, nil, nil). + nil, map[string]string{"ns": getNS("x")}, nil, nil). 
AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, - map[string]string{"pod": "a"}, map[string]string{"ns": namespaces["y"]}, nil, nil) + map[string]string{"pod": "a"}, map[string]string{"ns": getNS("y")}, nil, nil) reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped) - reachability.Expect(Pod(namespaces["y"]+"/c"), Pod(namespaces["x"]+"/a"), Dropped) - reachability.ExpectIngressFromNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) - reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachability.Expect(Pod(namespaces["y"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachability.ExpectIngressFromNamespace(Pod(namespaces["x"]+"/b"), namespaces["z"], Dropped) - reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachability.Expect(Pod(namespaces["y"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) - reachability.ExpectIngressFromNamespace(Pod(namespaces["x"]+"/c"), namespaces["z"], Dropped) + reachability.Expect(getPod("y", "b"), getPod("x", "a"), Dropped) + reachability.Expect(getPod("y", "c"), getPod("x", "a"), Dropped) + reachability.ExpectIngressFromNamespace(getPod("x", "a"), getNS("z"), Dropped) + reachability.Expect(getPod("y", "b"), getPod("x", "b"), Dropped) + reachability.Expect(getPod("y", "c"), getPod("x", "b"), Dropped) + reachability.ExpectIngressFromNamespace(getPod("x", "b"), getNS("z"), Dropped) + reachability.Expect(getPod("y", "b"), getPod("x", "c"), Dropped) + reachability.Expect(getPod("y", "c"), getPod("x", "c"), Dropped) + reachability.ExpectIngressFromNamespace(getPod("x", "c"), getNS("z"), Dropped) testStep := []*TestStep{ { "Port 80", 
@@ -1823,7 +1854,7 @@ func testBaselineNamespaceIsolation(t *testing.T) { } executeTests(t, testCase) // Cleanup the K8s NetworkPolicy created for this test. - failOnError(k8sUtils.CleanNetworkPolicies(map[string]string{"x": namespaces["x"]}), t) + failOnError(k8sUtils.CleanNetworkPolicies(map[string]TestNamespaceMeta{"x": {Name: getNS("x")}}), t) time.Sleep(networkPolicyDelay) } 
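Review bot: `CleanNetworkPolicies(map[string]TestNamespaceMeta{"x": {Name: getNS("x")}})` rebuilds the namespace meta from the name alone, while the file's `namespaces` map (also keyed by "x") already holds the TestNamespaceMeta the test populated from. If that struct carries, or later grows, anything beyond Name, the cleanup would describe a different Namespace than the one the policies were created in. Passing the stored entry, `failOnError(k8sUtils.CleanNetworkPolicies(map[string]TestNamespaceMeta{"x": namespaces["x"]}), t)`, keeps creation and cleanup in sync without depending on the struct's field list. testBaselineNamespaceIsolation starts outside this hunk.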
@@ -1833,43 +1864,43 @@ func testACNPPriorityOverride(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} builder1 = builder1.SetName("acnp-priority1"). SetPriority(1.001). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) // Highest priority. Drops traffic from z/b to x/a. - builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-priority2"). SetPriority(1.002). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) // Medium priority. Allows traffic from z to x/a. - builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-priority3"). SetPriority(1.003). 
- SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) // Lowest priority. Drops traffic from z to x. - builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) reachabilityTwoACNPs := NewReachability(allPods, Connected) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped) reachabilityAllACNPs := NewReachability(allPods, Connected) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), 
Pod(namespaces["x"]+"/a"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "a"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "a"), getPod("x", "c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "a"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped) testStepTwoACNP := []*TestStep{ { 
@@ -1908,45 +1939,45 @@ func testACNPTierOverride(t *testing.T) { builder1 = builder1.SetName("acnp-tier-emergency"). SetTier("emergency"). SetPriority(100). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) // Highest priority tier. Drops traffic from z/b to x/a. - builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-tier-securityops"). SetTier("securityops"). SetPriority(10). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) // Medium priority tier. Allows traffic from z to x/a. - builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-tier-application"). SetTier("application"). SetPriority(1). 
- SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) // Lowest priority tier. Drops traffic from z to x. - builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder3.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) reachabilityTwoACNPs := NewReachability(allPods, Connected) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped) reachabilityAllACNPs := NewReachability(allPods, Connected) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), 
Pod(namespaces["x"]+"/a"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityAllACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "a"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "a"), getPod("x", "c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "a"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "b"), getPod("x", "c"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped) + reachabilityAllACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped) testStepTwoACNP := []*TestStep{ { 
@@ -1992,27 +2023,27 @@ func testACNPCustomTiers(t *testing.T) { builder1 = builder1.SetName("acnp-tier-high"). SetTier("high-priority"). SetPriority(100). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) // Medium priority tier. Allows traffic from z to x/a. - builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-tier-low"). SetTier("low-priority"). SetPriority(1). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) // Lowest priority tier. Drops traffic from z to x. 
- builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) reachabilityTwoACNPs := NewReachability(allPods, Connected) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/b"), Dropped) - reachabilityTwoACNPs.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["x"]+"/c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "a"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "b"), getPod("x", "c"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "b"), Dropped) + reachabilityTwoACNPs.Expect(getPod("z", "c"), getPod("x", "c"), Dropped) testStepTwoACNP := []*TestStep{ { "Two Policies in different tiers", 
@@ -2041,23 +2072,23 @@ func testACNPPriorityConflictingRule(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} builder1 = builder1.SetName("acnp-drop"). SetPriority(1). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) - builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) + builder1.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-allow"). SetPriority(2). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) // The following ingress rule will take no effect as it is exactly the same as ingress rule of cnp-drop, // but cnp-allow has lower priority. 
- builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) reachabilityBothACNP := NewReachability(allPods, Connected) - reachabilityBothACNP.ExpectEgressToNamespace(Pod(namespaces["z"]+"/a"), namespaces["x"], Dropped) - reachabilityBothACNP.ExpectEgressToNamespace(Pod(namespaces["z"]+"/b"), namespaces["x"], Dropped) - reachabilityBothACNP.ExpectEgressToNamespace(Pod(namespaces["z"]+"/c"), namespaces["x"], Dropped) + reachabilityBothACNP.ExpectEgressToNamespace(getPod("z", "a"), getNS("x"), Dropped) + reachabilityBothACNP.ExpectEgressToNamespace(getPod("z", "b"), getNS("x"), Dropped) + reachabilityBothACNP.ExpectEgressToNamespace(getPod("z", "c"), getNS("x"), Dropped) testStep := []*TestStep{ { "Both ACNP", 
@@ -2082,29 +2113,29 @@ func testACNPRulePriority(t *testing.T) { // acnp-deny will apply to all pods in namespace x builder1 = builder1.SetName("acnp-deny"). SetPriority(5). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) - builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) + builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("y")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) // This rule should take no effect as it will be overridden by the first rule of cnp-allow - builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) builder2 := &ClusterNetworkPolicySpecBuilder{} // acnp-allow will also apply to all pods in namespace x builder2 = builder2.SetName("acnp-allow"). SetPriority(5). 
- SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}) - builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}) + builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) // This rule should take no effect as it will be overridden by the first rule of cnp-drop - builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["y"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("y")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) // Only egress from pods in namespace x to namespace y should be denied reachabilityBothACNP := NewReachability(allPods, Connected) - reachabilityBothACNP.ExpectIngressFromNamespace(Pod(namespaces["y"]+"/a"), namespaces["x"], Dropped) - reachabilityBothACNP.ExpectIngressFromNamespace(Pod(namespaces["y"]+"/b"), namespaces["x"], Dropped) - reachabilityBothACNP.ExpectIngressFromNamespace(Pod(namespaces["y"]+"/c"), namespaces["x"], Dropped) + reachabilityBothACNP.ExpectIngressFromNamespace(getPod("y", "a"), getNS("x"), Dropped) + reachabilityBothACNP.ExpectIngressFromNamespace(getPod("y", "b"), getNS("x"), Dropped) + reachabilityBothACNP.ExpectIngressFromNamespace(getPod("y", "c"), getNS("x"), Dropped) testStep := []*TestStep{ { "Both ACNP", 
@@ -2128,14 +2159,14 @@ func testACNPPortRange(t *testing.T) { builder = builder.SetName("acnp-deny-a-to-z-egress-port-range"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) - builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range", nil) + builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range", nil) reachability := NewReachability(allPods, Connected) - reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) - reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Dropped) - reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Dropped) - reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped) + reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped) + reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Dropped) + reachability.Expect(getPod("z", "a"), getPod("z", "b"), Dropped) + reachability.Expect(getPod("z", "a"), getPod("z", "c"), Dropped) testSteps := []*TestStep{ { fmt.Sprintf("ACNP Drop Ports 8080:8082"), 
@@ -2160,14 +2191,14 @@ func testACNPRejectEgress(t *testing.T) { builder = builder.SetName("acnp-reject-a-to-z-egress"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) - builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) reachability := NewReachability(allPods, Connected) - reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Rejected) - reachability.ExpectEgressToNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Rejected) - reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/b"), Rejected) - reachability.Expect(Pod(namespaces["z"]+"/a"), Pod(namespaces["z"]+"/c"), Rejected) + reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Rejected) + reachability.ExpectEgressToNamespace(getPod("y", "a"), getNS("z"), Rejected) + reachability.Expect(getPod("z", "a"), getPod("z", "b"), Rejected) + reachability.Expect(getPod("z", "a"), getPod("z", "c"), Rejected) testStep := []*TestStep{ { "Port 80", 
@@ -2191,14 +2222,14 @@ func testACNPRejectIngress(t *testing.T, protocol AntreaPolicyProtocol) { builder = builder.SetName("acnp-reject-a-from-z-ingress"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) - builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) reachability := NewReachability(allPods, Connected) - reachability.ExpectIngressFromNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Rejected) - reachability.ExpectIngressFromNamespace(Pod(namespaces["y"]+"/a"), namespaces["z"], Rejected) - reachability.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["z"]+"/a"), Rejected) - reachability.Expect(Pod(namespaces["z"]+"/c"), Pod(namespaces["z"]+"/a"), Rejected) + reachability.ExpectIngressFromNamespace(getPod("x", "a"), getNS("z"), Rejected) + reachability.ExpectIngressFromNamespace(getPod("y", "a"), getNS("z"), Rejected) + reachability.Expect(getPod("z", "b"), getPod("z", "a"), Rejected) + reachability.Expect(getPod("z", "c"), getPod("z", "a"), Rejected) testStep := []*TestStep{ { "Port 80", 
@@ -2250,9 +2281,9 @@ func testRejectServiceTraffic(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": "agnhost-client"}}}) builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": "s1"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) builder1.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": "s2"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) acnpEgress := builder1.Get() k8sUtils.CreateOrUpdateACNP(acnpEgress) @@ -2277,7 +2308,7 @@ func testRejectServiceTraffic(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": "s1"}}, {PodSelector: map[string]string{"antrea-e2e": "s2"}}}) builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": "agnhost-client"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) acnpIngress := builder2.Get() k8sUtils.CreateOrUpdateACNP(acnpIngress) 
@@ -2368,9 +2399,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData) { builder1 = builder1.SetName("acnp-reject-ingress-double-dir"). SetPriority(1.0) builder1.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) builder1.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) runTestsWithACNP(builder1.Get(), testcases) @@ -2379,9 +2410,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData) { builder2 = builder2.SetName("acnp-reject-egress-double-dir"). SetPriority(1.0) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, []ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}, crdv1alpha1.RuleActionReject, "", "", nil) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, []ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}, crdv1alpha1.RuleActionReject, "", "", nil) runTestsWithACNP(builder2.Get(), testcases) 
@@ -2391,9 +2422,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) builder3.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) builder3.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": clientName}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) runTestsWithACNP(builder3.Get(), testcases) @@ -2403,9 +2434,9 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}) builder4.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) builder4.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"app": "nginx"}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) runTestsWithACNP(builder4.Get(), testcases) } 
@@ -2413,14 +2444,14 @@ func testRejectNoInfiniteLoop(t *testing.T, data *TestData) { // testANPPortRange tests the port range in a ANP can work. func testANPPortRange(t *testing.T) { builder := &AntreaNetworkPolicySpecBuilder{} - builder = builder.SetName(namespaces["y"], "anp-deny-yb-to-xc-egress-port-range"). + builder = builder.SetName(getNS("y"), "anp-deny-yb-to-xc-egress-port-range"). SetPriority(1.0). SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) - builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddEgress(ProtocolTCP, &p8080, nil, &p8082, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range") reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/c"), Dropped) + reachability.Expect(getPod("y", "b"), getPod("x", "c"), Dropped) var testSteps []*TestStep testSteps = append(testSteps, &TestStep{ 
@@ -2443,14 +2474,14 @@ func testANPPortRange(t *testing.T) { // that specifies that. Also it tests that a K8s NetworkPolicy with same appliedTo will not affect its behavior. func testANPBasic(t *testing.T) { builder := &AntreaNetworkPolicySpecBuilder{} - builder = builder.SetName(namespaces["y"], "np-same-name"). + builder = builder.SetName(getNS("y"), "np-same-name"). SetPriority(1.0). SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) testStep := []*TestStep{ { "Port 80", @@ -2464,7 +2495,7 @@ func testANPBasic(t *testing.T) { } // build a K8s NetworkPolicy that has the same appliedTo but allows all traffic. k8sNPBuilder := &NetworkPolicySpecBuilder{} - k8sNPBuilder = k8sNPBuilder.SetName(namespaces["y"], "np-same-name"). + k8sNPBuilder = k8sNPBuilder.SetName(getNS("y"), "np-same-name"). SetPodSelector(map[string]string{"pod": "a"}) k8sNPBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil) @@ -2481,7 +2512,7 @@ func testANPBasic(t *testing.T) { } testCase := []*TestCase{ {"ANP Drop X/B to Y/A", testStep}, - {"With K8s NetworkPolicy of the same name", testStep2}, + {"With K8s NetworkPolicy of the same Name", testStep2}, } executeTests(t, testCase) } 
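Review bot: The test case label on the new side of the last hunk now reads `"With K8s NetworkPolicy of the same Name"`; the capitalised N looks like collateral from the namespaces→getNS search-and-replace rather than an intended change, since this string is plain prose that shows up in test output. The same capitalisation slips into two comments further down, `// Name resolves to the ClusterIP for the Service.` in the header comment of testFQDNPolicyInClusterService and `// To indicate the server Name is a FQDN` inside it. Restore the lowercase in all three, e.g. `{"With K8s NetworkPolicy of the same name", testStep2},`.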
@@ -2492,22 +2523,22 @@ func testANPBasic(t *testing.T) { func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) { tempLabel := randName("temp-") builder := &AntreaNetworkPolicySpecBuilder{} - builder = builder.SetName(namespaces["y"], "np-multiple-appliedto").SetPriority(1.0) + builder = builder.SetName(getNS("y"), "np-multiple-appliedto").SetPriority(1.0) // Make it apply to an extra dummy AppliedTo to ensure it handles multiple AppliedToGroups correctly. // See https://github.com/antrea-io/antrea/issues/2083. if singleRule { builder.SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}, {PodSelector: map[string]string{tempLabel: ""}}}) - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") } else { - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "", "") - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "", "") } reachability := NewReachability(allPods, Connected) - 
reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) anp, err := k8sUtils.CreateOrUpdateANP(builder.Get()) failOnError(err, t) @@ -2520,7 +2551,7 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) { } t.Logf("Making the Policy apply to y/c by labeling it with the temporary label that matches the dummy AppliedTo") - podYC, err := k8sUtils.GetPodByLabel(namespaces["y"], "c") + podYC, err := k8sUtils.GetPodByLabel(getNS("y"), "c") if err != nil { t.Errorf("Failed to get Pod in Namespace y with label 'pod=c': %v", err) } @@ -2528,8 +2559,8 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) { podYC, err = k8sUtils.clientset.CoreV1().Pods(podYC.Namespace).Update(context.TODO(), podYC, metav1.UpdateOptions{}) assert.NoError(t, err) reachability = NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/c"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "c"), Dropped) time.Sleep(networkPolicyDelay) k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP) _, wrong, _ = reachability.Summary() @@ -2543,7 +2574,7 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) { _, err = k8sUtils.clientset.CoreV1().Pods(podYC.Namespace).Update(context.TODO(), podYC, metav1.UpdateOptions{}) assert.NoError(t, err) reachability = NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) time.Sleep(networkPolicyDelay) k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP) _, wrong, _ = reachability.Summary() 
@@ -2562,9 +2593,9 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName(npRef). SetPriority(1.0). - SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) - builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", ruleName, nil) + SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) + builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": getNS("z")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", ruleName, nil) builder.AddEgressLogging() acnp, err := k8sUtils.CreateOrUpdateACNP(builder.Get()) @@ -2580,12 +2611,12 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { k8sUtils.Probe(ns1, pod1, ns2, pod2, p80, ProtocolTCP) }() } - oneProbe(namespaces["x"], "a", namespaces["z"], "a") - oneProbe(namespaces["x"], "a", namespaces["z"], "b") - oneProbe(namespaces["x"], "a", namespaces["z"], "c") + oneProbe(getNS("x"), "a", getNS("z"), "a") + oneProbe(getNS("x"), "a", getNS("z"), "b") + oneProbe(getNS("x"), "a", getNS("z"), "c") wg.Wait() - podXA, err := k8sUtils.GetPodByLabel(namespaces["x"], "a") + podXA, err := k8sUtils.GetPodByLabel(getNS("x"), "a") if err != nil { t.Errorf("Failed to get Pod in Namespace x with label 'pod=a': %v", err) } 
@@ -2609,8 +2640,8 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { return false, nil } - destinations := []string{namespaces["z"] + "/a", namespaces["z"] + "/b", namespaces["z"] + "/c"} - srcIPs, _ := podIPs[namespaces["x"]+"/a"] + destinations := []string{getNS("z") + "/a", getNS("z") + "/b", getNS("z") + "/c"} + srcIPs, _ := podIPs[getPodName("x", "a")] var expectedNumEntries, actualNumEntries int for _, d := range destinations { dstIPs, _ := podIPs[d] @@ -2648,12 +2679,12 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { // testAuditLoggingEnableNP tests that audit logs are generated when K8s NP is applied // tests both Allow traffic by K8s NP and Drop traffic by implicit K8s policy drop func testAuditLoggingEnableNP(t *testing.T, data *TestData) { - failOnError(data.updateNamespaceWithAnnotations(namespaces["x"], map[string]string{networkpolicy.EnableNPLoggingAnnotationKey: "true"}), t) + failOnError(data.updateNamespaceWithAnnotations(getNS("x"), map[string]string{networkpolicy.EnableNPLoggingAnnotationKey: "true"}), t) // Add a K8s namespaced NetworkPolicy in ns x that allow ingress traffic from // Pod x/b to x/a which default denies other ingress including from Pod x/c to x/a npRef := "allow-x-b-to-x-a" k8sNPBuilder := &NetworkPolicySpecBuilder{} - k8sNPBuilder = k8sNPBuilder.SetName(namespaces["x"], npRef). + k8sNPBuilder = k8sNPBuilder.SetName(getNS("x"), npRef). SetPodSelector(map[string]string{"pod": "a"}). SetTypeIngress(). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, 
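Review bot: The first hunk mixes two ways of building a Pod key for podIPs: `destinations` is assembled as `getNS("z") + "/a"` while the very next line looks up `podIPs[getPodName("x", "a")]`, which only works if getPodName produces exactly that concatenation (it is not defined in this diff, so I am inferring). Using the helper on both lines, `destinations := []string{getPodName("z", "a"), getPodName("z", "b"), getPodName("z", "c")}`, removes the implicit coupling; the same pattern appears in testAuditLoggingEnableNP (`srcPods`), and `Pod(getNS("x") + "/a")` in testFQDNPolicy and `Pod(getNS("y") + "/b")` in testFQDNPolicyInClusterService could use getPod for the same reason. While touching the line, `srcIPs, _ := podIPs[...]` can drop the redundant `, _` (staticcheck flags it). The enclosing function continues outside the hunk.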
@@ -2672,11 +2703,11 @@ func testAuditLoggingEnableNP(t *testing.T, data *TestData) { k8sUtils.Probe(ns1, pod1, ns2, pod2, p80, ProtocolTCP) }() } - oneProbe(namespaces["x"], "b", namespaces["x"], "a") - oneProbe(namespaces["x"], "c", namespaces["x"], "a") + oneProbe(getNS("x"), "b", getNS("x"), "a") + oneProbe(getNS("x"), "c", getNS("x"), "a") wg.Wait() - podXA, err := k8sUtils.GetPodByLabel(namespaces["x"], "a") + podXA, err := k8sUtils.GetPodByLabel(getNS("x"), "a") if err != nil { t.Errorf("Failed to get Pod in Namespace x with label 'pod=a': %v", err) } @@ -2701,9 +2732,9 @@ func testAuditLoggingEnableNP(t *testing.T, data *TestData) { } var expectedNumEntries, actualNumEntries int - srcPods := []string{namespaces["x"] + "/b", namespaces["x"] + "/c"} + srcPods := []string{getNS("x") + "/b", getNS("x") + "/c"} expectedLogPrefix := []string{npRef + " Allow [0-9]+ ", "K8sNetworkPolicy Drop "} - destIPs, _ := podIPs[namespaces["x"]+"/a"] + destIPs, _ := podIPs[getPodName("x", "a")] for i := 0; i < len(srcPods); i++ { srcIPs, _ := podIPs[srcPods[i]] for _, srcIP := range srcIPs { 
@@ -2733,25 +2764,25 @@ func testAuditLoggingEnableNP(t *testing.T, data *TestData) { }); err != nil { t.Errorf("Error when polling audit log files for required entries: %v", err) } - failOnError(k8sUtils.DeleteNetworkPolicy(namespaces["x"], "allow-x-b-to-x-a"), t) - failOnError(data.UpdateNamespace(namespaces["x"], func(namespace *v1.Namespace) { + failOnError(k8sUtils.DeleteNetworkPolicy(getNS("x"), "allow-x-b-to-x-a"), t) + failOnError(data.UpdateNamespace(getNS("x"), func(namespace *v1.Namespace) { delete(namespace.Annotations, networkpolicy.EnableNPLoggingAnnotationKey) }), t) } func testAppliedToPerRule(t *testing.T) { builder := &AntreaNetworkPolicySpecBuilder{} - builder = builder.SetName(namespaces["y"], "np1").SetPriority(1.0) + builder = builder.SetName(getNS("y"), "np1").SetPriority(1.0) anpATGrp1 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil} anpATGrp2 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil} - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "", "") - builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, nil, + builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("z")}, nil, nil, nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "", "") reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) - reachability.Expect(Pod(namespaces["z"]+"/b"), 
Pod(namespaces["y"]+"/b"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) + reachability.Expect(getPod("z", "b"), getPod("y", "b"), Dropped) testStep := []*TestStep{ { "Port 80", 
@@ -2768,18 +2799,18 @@ func testAppliedToPerRule(t *testing.T) { builder2 = builder2.SetName("cnp1").SetPriority(1.0) cnpATGrp1 := ACNPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil} cnpATGrp2 := ACNPAppliedToSpec{ - PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": namespaces["y"]}, + PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": getNS("y")}, PodSelectorMatchExp: nil, NSSelectorMatchExp: nil} - builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, - nil, nil, false, []ACNPAppliedToSpec{cnpATGrp1}, crdv1alpha1.RuleActionDrop, "", "", nil) - builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["z"]}, - nil, nil, false, []ACNPAppliedToSpec{cnpATGrp2}, crdv1alpha1.RuleActionDrop, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, + nil, nil, nil, []ACNPAppliedToSpec{cnpATGrp1}, crdv1alpha1.RuleActionDrop, "", "", nil) + builder2.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("z")}, + nil, nil, nil, []ACNPAppliedToSpec{cnpATGrp2}, crdv1alpha1.RuleActionDrop, "", "", nil) reachability2 := NewReachability(allPods, Connected) - reachability2.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped) - reachability2.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) - reachability2.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["z"]+"/a"), Dropped) - reachability2.Expect(Pod(namespaces["z"]+"/b"), Pod(namespaces["y"]+"/b"), Dropped) + reachability2.Expect(getPod("x", "b"), getPod("x", "a"), Dropped) + reachability2.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) + 
reachability2.Expect(getPod("x", "b"), getPod("z", "a"), Dropped) + reachability2.Expect(getPod("z", "b"), getPod("y", "b"), Dropped) testStep2 := []*TestStep{ { "Port 80", @@ -2800,23 +2831,23 @@ func testAppliedToPerRule(t *testing.T) { } func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) { - svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil) - svc2 := k8sUtils.BuildService("svc2", namespaces["y"], 80, 80, map[string]string{"app": "b"}, nil) + svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil) + svc2 := k8sUtils.BuildService("svc2", getNS("y"), 80, 80, map[string]string{"app": "b"}, nil) cg1Name, cg2Name := "cg-svc1", "cg-svc2" cgBuilder1 := &ClusterGroupV1Alpha3SpecBuilder{} - cgBuilder1 = cgBuilder1.SetName(cg1Name).SetServiceReference(namespaces["x"], "svc1") + cgBuilder1 = cgBuilder1.SetName(cg1Name).SetServiceReference(getNS("x"), "svc1") cgBuilder2 := &ClusterGroupV1Alpha3SpecBuilder{} - cgBuilder2 = cgBuilder2.SetName(cg2Name).SetServiceReference(namespaces["y"], "svc2") + cgBuilder2 = cgBuilder2.SetName(cg2Name).SetServiceReference(getNS("y"), "svc2") builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("cnp-cg-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cg1Name}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, cg2Name, "", nil) + nil, nil, crdv1alpha1.RuleActionDrop, cg2Name, "", nil) // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace y. reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["y"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped) + reachability.Expect(getPod("y", "b"), getPod("x", "a"), Dropped) testStep1 := &TestStep{ "Port 80", reachability, 
@@ -2828,19 +2859,19 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) } // Test update selector of Service referred in cg-svc1, and update serviceReference of cg-svc2. - svc1Updated := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "b"}, nil) - svc3 := k8sUtils.BuildService("svc3", namespaces["y"], 80, 80, map[string]string{"app": "a"}, nil) + svc1Updated := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "b"}, nil) + svc3 := k8sUtils.BuildService("svc3", getNS("y"), 80, 80, map[string]string{"app": "a"}, nil) svc1PodName := randName("test-pod-svc1-") svc3PodName := randName("test-pod-svc3-") - cgBuilder2Updated := cgBuilder2.SetServiceReference(namespaces["y"], "svc3") + cgBuilder2Updated := cgBuilder2.SetServiceReference(getNS("y"), "svc3") cp := []*CustomProbe{ { SourcePod: CustomPod{ - Pod: NewPod(namespaces["y"], svc3PodName), + Pod: NewPod(getNS("y"), svc3PodName), Labels: map[string]string{"pod": svc3PodName, "app": "a"}, }, DestPod: CustomPod{ - Pod: NewPod(namespaces["x"], svc1PodName), + Pod: NewPod(getNS("x"), svc1PodName), Labels: map[string]string{"pod": svc1PodName, "app": "b"}, }, ExpectConnectivity: Dropped, @@ -2850,7 +2881,7 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) // Pods backing svc1 (label pod=b) in namespace x should not allow ingress from Pods backing svc3 (label pod=a) in namespace y. reachability2 := NewReachability(allPods, Connected) - reachability2.Expect(Pod(namespaces["y"]+"/a"), Pod(namespaces["x"]+"/b"), Dropped) + reachability2.Expect(getPod("y", "a"), getPod("x", "b"), Dropped) testStep2 := &TestStep{ "Port 80 updated", reachability2, 
@@ -2863,9 +2894,9 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) builderUpdated := &ClusterNetworkPolicySpecBuilder{} builderUpdated = builderUpdated.SetName("cnp-cg-svc-ref").SetPriority(1.0) - builderUpdated.SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}}) - builderUpdated.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["y"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + builderUpdated.SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("x")}}}) + builderUpdated.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("y")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) // Pod x/a should not allow ingress from y/b per the updated ACNP spec. testStep3 := &TestStep{ 
@@ -2886,18 +2917,18 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) } func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { - svc1 := k8sUtils.BuildService("svc1", namespaces["x"], 80, 80, map[string]string{"app": "a"}, nil) + svc1 := k8sUtils.BuildService("svc1", getNS("x"), 80, 80, map[string]string{"app": "a"}, nil) svc1PodName := randName("test-pod-svc1-") cg1Name, cg2Name, cg3Name := "cg-svc-x-a", "cg-select-y-b", "cg-select-y-c" cgBuilder1 := &ClusterGroupV1Alpha3SpecBuilder{} - cgBuilder1 = cgBuilder1.SetName(cg1Name).SetServiceReference(namespaces["x"], "svc1") + cgBuilder1 = cgBuilder1.SetName(cg1Name).SetServiceReference(getNS("x"), "svc1") cgBuilder2 := &ClusterGroupV1Alpha3SpecBuilder{} cgBuilder2 = cgBuilder2.SetName(cg2Name). - SetNamespaceSelector(map[string]string{"ns": namespaces["y"]}, nil). + SetNamespaceSelector(map[string]string{"ns": getNS("y")}, nil). SetPodSelector(map[string]string{"pod": "b"}, nil) cgBuilder3 := &ClusterGroupV1Alpha3SpecBuilder{} cgBuilder3 = cgBuilder3.SetName(cg3Name). - SetNamespaceSelector(map[string]string{"ns": namespaces["y"]}, nil). + SetNamespaceSelector(map[string]string{"ns": getNS("y")}, nil). SetPodSelector(map[string]string{"pod": "c"}, nil) cgNestedName := "cg-nested" cgBuilderNested := &ClusterGroupV1Alpha3SpecBuilder{} 
@@ -2905,15 +2936,15 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("cnp-nested-cg").SetPriority(1.0). - SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}}}). + SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("z")}}}). AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "", nil) + nil, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "", nil) // Pods in Namespace z should not allow traffic from Pods backing svc1 (label pod=a) in Namespace x. // Note that in this testStep cg3 will not be created yet, so even though cg-nested selects cg1 and // cg3 as childGroups, only members of cg1 will be included as this time. reachability := NewReachability(allPods, Connected) - reachability.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) + reachability.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped) testStep1 := &TestStep{ "Port 80", 
@@ -2930,17 +2961,17 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { cgBuilderNested = cgBuilderNested.SetChildGroups([]string{cg1Name, cg2Name, cg3Name}) // In addition to x/a, all traffic from y/b to Namespace z should also be denied. reachability2 := NewReachability(allPods, Connected) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["y"]+"/b"), namespaces["z"], Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("y", "b"), getNS("z"), Dropped) // New member in cg-svc-x-a should be reflected in cg-nested as well. cp := []*CustomProbe{ { SourcePod: CustomPod{ - Pod: NewPod(namespaces["x"], svc1PodName), + Pod: NewPod(getNS("x"), svc1PodName), Labels: map[string]string{"pod": svc1PodName, "app": "a"}, }, DestPod: CustomPod{ - Pod: NewPod(namespaces["z"], "test-add-pod-ns-z"), + Pod: NewPod(getNS("z"), "test-add-pod-ns-z"), Labels: map[string]string{"pod": "test-add-pod-ns-z"}, }, ExpectConnectivity: Dropped, 
@@ -2960,9 +2991,9 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { // In this testStep cg3 is created. It's members should reflect in cg-nested // and as a result, all traffic from y/c to Namespace z should be denied as well. reachability3 := NewReachability(allPods, Connected) - reachability3.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) - reachability3.ExpectEgressToNamespace(Pod(namespaces["y"]+"/b"), namespaces["z"], Dropped) - reachability3.ExpectEgressToNamespace(Pod(namespaces["y"]+"/c"), namespaces["z"], Dropped) + reachability3.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped) + reachability3.ExpectEgressToNamespace(getPod("y", "b"), getNS("z"), Dropped) + reachability3.ExpectEgressToNamespace(getPod("y", "c"), getNS("z"), Dropped) testStep3 := &TestStep{ "Port 80 updated", reachability3, @@ -2981,8 +3012,8 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { } func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) { - podXAIP, _ := podIPs[namespaces["x"]+"/a"] - podXBIP, _ := podIPs[namespaces["x"]+"/b"] + podXAIP, _ := podIPs[getPodName("x", "a")] + podXBIP, _ := podIPs[getPodName("x", "b")] genCIDR := func(ip string) string { if strings.Contains(ip, ".") { return ip + "/32" 
@@ -3009,15 +3040,15 @@ func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{ { PodSelector: map[string]string{"pod": "a"}, - NSSelector: map[string]string{"ns": namespaces["y"]}, + NSSelector: map[string]string{"ns": getNS("y")}, }, }) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgParentName, "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, cgParentName, "", nil) reachability := NewReachability(allPods, Connected) - reachability.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped) - reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped) + reachability.Expect(getPod("x", "a"), getPod("y", "a"), Dropped) + reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped) testStep := &TestStep{ "Port 80", reachability, @@ -3030,14 +3061,14 @@ func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) { cgBuilder3 := &ClusterGroupV1Alpha3SpecBuilder{} cgBuilder3 = cgBuilder3.SetName(cg3Name). - SetNamespaceSelector(map[string]string{"ns": namespaces["x"]}, nil). + SetNamespaceSelector(map[string]string{"ns": getNS("x")}, nil). SetPodSelector(map[string]string{"pod": "c"}, nil) updatedCGParent := &ClusterGroupV1Alpha3SpecBuilder{} updatedCGParent = updatedCGParent.SetName(cgParentName).SetChildGroups([]string{cg1Name, cg3Name}) reachability2 := NewReachability(allPods, Connected) - reachability2.Expect(Pod(namespaces["x"]+"/a"), Pod(namespaces["y"]+"/a"), Dropped) - reachability2.Expect(Pod(namespaces["x"]+"/c"), Pod(namespaces["y"]+"/a"), Dropped) + reachability2.Expect(getPod("x", "a"), getPod("y", "a"), Dropped) + reachability2.Expect(getPod("x", "c"), getPod("y", "a"), Dropped) testStep2 := &TestStep{ "Port 80, updated", reachability2, 
@@ -3062,9 +3093,9 @@ func testACNPNamespaceIsolation(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) // deny ingress traffic except from own namespace, which is always allowed. builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + selfNamespace, nil, crdv1alpha1.RuleActionAllow, "", "", nil) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) reachability := NewReachability(allPods, Dropped) reachability.ExpectAllSelfNamespace(Connected) 
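Review bot: `selfNamespace` replaces the former `true` as the peer for the Allow rule in testACNPNamespaceIsolation, and again in the egress rule of the next hunk and in testACNPStrictNamespacesIsolation, but nothing in these hunks initialises it. If it is still nil when the test runs, the Allow rule would presumably carry no namespace peer at all and would no longer be scoped to the Pod's own Namespace, so the isolation test would fail with an opaque reachability mismatch instead of a clear error. Prefer initialising it at its declaration so it cannot be nil, e.g. `var selfNamespace = &crdv1alpha1.PeerNamespaces{Match: crdv1alpha1.NamespaceMatchSelf}` (assuming that is the match type the builder expects), or add a one-line comment above the first rule saying where it is set.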
@@ -3083,17 +3114,17 @@ func testACNPNamespaceIsolation(t *testing.T) { SetTier("baseline"). SetPriority(1.0) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1alpha1.RuleActionAllow, "", "", nil) + selfNamespace, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}, crdv1alpha1.RuleActionAllow, "", "", nil) builder2.AddEgress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}, crdv1alpha1.RuleActionDrop, "", "", nil) reachability2 := NewReachability(allPods, Connected) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["y"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/a"), namespaces["z"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/b"), namespaces["y"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/b"), namespaces["z"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/c"), namespaces["y"], Dropped) - reachability2.ExpectEgressToNamespace(Pod(namespaces["x"]+"/c"), namespaces["z"], Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "a"), getNS("y"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "a"), getNS("z"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "b"), getNS("y"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "b"), getNS("z"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "c"), getNS("y"), Dropped) + reachability2.ExpectEgressToNamespace(getPod("x", "c"), getNS("z"), Dropped) testStep2 := &TestStep{ "Port 80", reachability2, 
@@ -3118,9 +3149,9 @@ func testACNPStrictNamespacesIsolation(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, - true, nil, crdv1alpha1.RuleActionPass, "", "", nil) + selfNamespace, nil, crdv1alpha1.RuleActionPass, "", "", nil) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) // deny ingress traffic except from own namespace, which is delegated to Namespace owners (who can create K8s // NetworkPolicies to regulate intra-Namespace traffic) reachability := NewReachability(allPods, Dropped) @@ -3137,11 +3168,11 @@ func testACNPStrictNamespacesIsolation(t *testing.T) { // Add a K8s namespaced NetworkPolicy in ns x that isolates all Pods in that namespace. builder2 := &NetworkPolicySpecBuilder{} - builder2 = builder2.SetName(namespaces["x"], "default-deny-in-namespace-x") + builder2 = builder2.SetName(getNS("x"), "default-deny-in-namespace-x") builder2.SetTypeIngress() reachability2 := NewReachability(allPods, Dropped) reachability2.ExpectAllSelfNamespace(Connected) - reachability2.ExpectSelfNamespace(namespaces["x"], Dropped) + reachability2.ExpectSelfNamespace(getNS("x"), Dropped) reachability2.ExpectSelf(allPods, Connected) testStep2 := &TestStep{ "Namespace isolation with K8s NP, Port 80", @@ -3184,25 +3215,25 @@ func testFQDNPolicy(t *testing.T) { testcases := []podToAddrTestStep{ { - Pod(namespaces["x"] + "/a"), + Pod(getNS("x") + "/a"), "docs.github.com", 80, Rejected, }, { - Pod(namespaces["x"] + "/b"), + Pod(getNS("x") + "/b"), "api.github.com", 80, Rejected, }, { - Pod(namespaces["y"] + "/a"), + Pod(getNS("y") + "/a"), "wayfair.com", 80, Dropped, }, { - Pod(namespaces["y"] + "/b"), + Pod(getNS("y") + "/b"), "facebook.com", 80, Connected, 
@@ -3230,7 +3261,7 @@ func testFQDNPolicy(t *testing.T) { // policies, to avoid having a dependency on external connectivity. The reason we // use headless Service is that FQDN will use the IP from DNS A/AAAA records to // implement flows in the egress policy table. For a non-headless Service, the DNS -// name resolves to the ClusterIP for the Service. But when traffic arrives to the +// Name resolves to the ClusterIP for the Service. But when traffic arrives to the // egress table, the dstIP has already been DNATed to the Endpoints IP by // AntreaProxy Service Load-Balancing, and the policies are not enforced correctly. // For a headless Service, the Endpoints IP will be directly returned by the DNS @@ -3241,13 +3272,13 @@ func testFQDNPolicyInClusterService(t *testing.T) { defer log.SetLevel(logLevel) var services []*v1.Service if clusterInfo.podV4NetworkCIDR != "" { - ipv4Svc := k8sUtils.BuildService("ipv4-svc", namespaces["x"], 80, 80, map[string]string{"pod": "a"}, nil) + ipv4Svc := k8sUtils.BuildService("ipv4-svc", getNS("x"), 80, 80, map[string]string{"pod": "a"}, nil) ipv4Svc.Spec.ClusterIP = "None" ipv4Svc.Spec.IPFamilies = []v1.IPFamily{v1.IPv4Protocol} services = append(services, ipv4Svc) } if clusterInfo.podV6NetworkCIDR != "" { - ipv6Svc := k8sUtils.BuildService("ipv6-svc", namespaces["x"], 80, 80, map[string]string{"pod": "b"}, nil) + ipv6Svc := k8sUtils.BuildService("ipv6-svc", getNS("x"), 80, 80, map[string]string{"pod": "b"}, nil) ipv6Svc.Spec.ClusterIP = "None" ipv6Svc.Spec.IPFamilies = []v1.IPFamily{v1.IPv6Protocol} services = append(services, ipv6Svc) 
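Review bot: The comment change `// Name resolves to the ClusterIP for the Service` capitalizes "name" in the middle of a sentence, which looks like a stray hit from the namespaces/Name search-and-replace rather than an intended edit; the same stray capitalization appears in the next hunk of testFQDNPolicyInClusterService (`// To indicate the server Name is a FQDN, ...`). Both should be reverted to lowercase `name`, as the surrounding sentences refer to the DNS name and the server name, not to a `Name` field. testFQDNPolicyInClusterService's body continues outside the second hunk.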
@@ -3267,8 +3298,8 @@ func testFQDNPolicyInClusterService(t *testing.T) { SetTier("application"). SetPriority(1.0) for idx, service := range services { - builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionReject) - builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2+1), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}, PodSelector: map[string]string{"pod": "c"}}}, crdv1alpha1.RuleActionDrop) + builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("y")}, PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionReject) + builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2+1), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("z")}, PodSelector: map[string]string{"pod": "c"}}}, crdv1alpha1.RuleActionDrop) } acnp := builder.Get() k8sUtils.CreateOrUpdateACNP(acnp) @@ -3278,8 +3309,8 @@ func testFQDNPolicyInClusterService(t *testing.T) { for _, service := range services { eachServiceCases := []podToAddrTestStep{ { - Pod(namespaces["y"] + "/b"), - // To indicate the server name is a FQDN, end it with a dot. Then DNS resolver won't attempt to append + Pod(getNS("y") + "/b"), + // To indicate the server Name is a FQDN, end it with a dot. Then DNS resolver won't attempt to append // domain names (e.g. svc.cluster.local, cluster.local) when resolving it, making it get resolution // result more quickly. svcDNSName(service) + ".", 
@@ -3287,13 +3318,13 @@ func testFQDNPolicyInClusterService(t *testing.T) { Rejected, }, { - Pod(namespaces["z"] + "/c"), + Pod(getNS("z") + "/c"), svcDNSName(service) + ".", 80, Dropped, }, { - Pod(namespaces["x"] + "/c"), + Pod(getNS("x") + "/c"), svcDNSName(service) + ".", 80, Connected, @@ -3324,12 +3355,12 @@ func testToServices(t *testing.T) { skipIfProxyDisabled(t) var services []*v1.Service if clusterInfo.podV4NetworkCIDR != "" { - ipv4Svc := k8sUtils.BuildService("ipv4-svc", namespaces["x"], 81, 81, map[string]string{"pod": "a"}, nil) + ipv4Svc := k8sUtils.BuildService("ipv4-svc", getNS("x"), 81, 81, map[string]string{"pod": "a"}, nil) ipv4Svc.Spec.IPFamilies = []v1.IPFamily{v1.IPv4Protocol} services = append(services, ipv4Svc) } if clusterInfo.podV6NetworkCIDR != "" { - ipv6Svc := k8sUtils.BuildService("ipv6-svc", namespaces["x"], 80, 80, map[string]string{"pod": "b"}, nil) + ipv6Svc := k8sUtils.BuildService("ipv6-svc", getNS("x"), 80, 80, map[string]string{"pod": "b"}, nil) ipv6Svc.Spec.IPFamilies = []v1.IPFamily{v1.IPv6Protocol} services = append(services, ipv6Svc) } @@ -3350,7 +3381,7 @@ func testToServices(t *testing.T) { builder = builder.SetName("test-acnp-to-services"). SetTier("application"). SetPriority(1.0) - builder.AddToServicesRule(svcRefs, "svc", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}}}, crdv1alpha1.RuleActionDrop) + builder.AddToServicesRule(svcRefs, "svc", []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("y")}}}, crdv1alpha1.RuleActionDrop) time.Sleep(networkPolicyDelay) acnp := builder.Get() @@ -3361,13 +3392,13 @@ func testToServices(t *testing.T) { for _, service := range builtSvcs { eachServiceCases := []podToAddrTestStep{ { - Pod(namespaces["y"] + "/b"), + Pod(getNS("y") + "/b"), service.Spec.ClusterIP, service.Spec.Ports[0].Port, Dropped, }, { - Pod(namespaces["z"] + "/c"), + Pod(getNS("z") + "/c"), service.Spec.ClusterIP, service.Spec.Ports[0].Port, Connected, 
@@ -3395,21 +3426,21 @@ func testToServices(t *testing.T) { } func testServiceAccountSelector(t *testing.T, data *TestData) { - k8sUtils.CreateOrUpdateServiceAccount(k8sUtils.BuildServiceAccount("test-sa", namespaces["x"], nil)) - defer k8sUtils.DeleteServiceAccount(namespaces["x"], "test-sa") + k8sUtils.CreateOrUpdateServiceAccount(k8sUtils.BuildServiceAccount("test-sa", getNS("x"), nil)) + defer k8sUtils.DeleteServiceAccount(getNS("x"), "test-sa") serverName, serverIP, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server", controlPlaneNodeName(), data.testNamespace, false) defer cleanupFunc() - client0Name, _, cleanupFunc := createAndWaitForPodWithServiceAccount(t, data, data.createAgnhostPodWithSAOnNode, "client", controlPlaneNodeName(), namespaces["x"], false, "test-sa") + client0Name, _, cleanupFunc := createAndWaitForPodWithServiceAccount(t, data, data.createAgnhostPodWithSAOnNode, "client", controlPlaneNodeName(), getNS("x"), false, "test-sa") defer cleanupFunc() - client1Name, _, cleanupFunc := createAndWaitForPodWithServiceAccount(t, data, data.createAgnhostPodWithSAOnNode, "client", controlPlaneNodeName(), namespaces["x"], false, "default") + client1Name, _, cleanupFunc := createAndWaitForPodWithServiceAccount(t, data, data.createAgnhostPodWithSAOnNode, "client", controlPlaneNodeName(), getNS("x"), false, "default") defer cleanupFunc() sa := &crdv1alpha1.NamespacedName{ Name: "test-sa", - Namespace: namespaces["x"], + Namespace: getNS("x"), } builder := &ClusterNetworkPolicySpecBuilder{} 
@@ -3417,7 +3448,7 @@ func testServiceAccountSelector(t *testing.T, data *TestData) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": serverName}}}) builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", sa) + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", sa) acnp := builder.Get() _, err := k8sUtils.CreateOrUpdateACNP(acnp) @@ -3430,13 +3461,13 @@ func testServiceAccountSelector(t *testing.T, data *TestData) { if clusterInfo.podV4NetworkCIDR != "" { ipv4Testcases := []podToAddrTestStep{ { - Pod(namespaces["x"] + "/" + client0Name), + Pod(getNS("x") + "/" + client0Name), serverIP.ipv4.String(), 80, Dropped, }, { - Pod(namespaces["x"] + "/" + client1Name), + Pod(getNS("x") + "/" + client1Name), serverIP.ipv4.String(), 80, Connected, @@ -3448,13 +3479,13 @@ func testServiceAccountSelector(t *testing.T, data *TestData) { if clusterInfo.podV6NetworkCIDR != "" { ipv6Testcases := []podToAddrTestStep{ { - Pod(namespaces["x"] + "/" + client0Name), + Pod(getNS("x") + "/" + client0Name), serverIP.ipv6.String(), 80, Dropped, }, { - Pod(namespaces["x"] + "/" + client1Name), + Pod(getNS("x") + "/" + client1Name), serverIP.ipv6.String(), 80, Connected, 
@@ -3483,20 +3514,20 @@ func testACNPNodeSelectorEgress(t *testing.T) { SetPriority(1.0) nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}} builder.AddNodeSelectorRule(&nodeSelector, ProtocolTCP, &p6443, "egress-control-plane-drop", - []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}, PodSelector: map[string]string{"pod": "a"}}}, + []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}, PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, true) var testcases []podToAddrTestStep if clusterInfo.podV4NetworkCIDR != "" { ipv4Testcases := []podToAddrTestStep{ { - Pod(namespaces["x"] + "/a"), + Pod(getNS("x") + "/a"), controlPlaneNodeIPv4(), 6443, Dropped, }, { - Pod(namespaces["x"] + "/b"), + Pod(getNS("x") + "/b"), controlPlaneNodeIPv4(), 6443, Connected, @@ -3508,13 +3539,13 @@ func testACNPNodeSelectorEgress(t *testing.T) { if clusterInfo.podV6NetworkCIDR != "" { ipv6Testcases := []podToAddrTestStep{ { - Pod(namespaces["x"] + "/a"), + Pod(getNS("x") + "/a"), controlPlaneNodeIPv6(), 6443, Dropped, }, { - Pod(namespaces["x"] + "/b"), + Pod(getNS("x") + "/b"), controlPlaneNodeIPv6(), 6443, Connected, 
@@ -3541,16 +3572,16 @@ func testACNPNodeSelectorEgress(t *testing.T) { } func testACNPNodeSelectorIngress(t *testing.T, data *TestData) { - _, serverIP0, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server0", nodeName(1), namespaces["x"], false) + _, serverIP0, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server0", nodeName(1), getNS("x"), false) defer cleanupFunc() - _, serverIP1, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server1", nodeName(1), namespaces["y"], false) + _, serverIP1, cleanupFunc := createAndWaitForPod(t, data, data.createNginxPodOnNode, "server1", nodeName(1), getNS("y"), false) defer cleanupFunc() clientName := "agnhost-client" - require.NoError(t, data.createAgnhostPodOnNode(clientName, namespaces["z"], controlPlaneNodeName(), true)) - defer data.deletePodAndWait(defaultTimeout, clientName, namespaces["z"]) - _, err := data.podWaitForIPs(defaultTimeout, clientName, namespaces["z"]) + require.NoError(t, data.createAgnhostPodOnNode(clientName, getNS("z"), controlPlaneNodeName(), true)) + defer data.deletePodAndWait(defaultTimeout, clientName, getNS("z")) + _, err := data.podWaitForIPs(defaultTimeout, clientName, getNS("z")) require.NoError(t, err) builder := &ClusterNetworkPolicySpecBuilder{} 
@@ -3558,20 +3589,20 @@ func testACNPNodeSelectorIngress(t *testing.T, data *TestData) { SetPriority(1.0) nodeSelector := metav1.LabelSelector{MatchLabels: map[string]string{"kubernetes.io/hostname": controlPlaneNodeName()}} builder.AddNodeSelectorRule(&nodeSelector, ProtocolTCP, &p80, "ingress-control-plane-drop", - []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["x"]}}}, + []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": getNS("x")}}}, crdv1alpha1.RuleActionDrop, false) testcases := []podToAddrTestStep{} if clusterInfo.podV4NetworkCIDR != "" { ipv4TestCases := []podToAddrTestStep{ { - Pod(namespaces["z"] + "/" + clientName), + Pod(getNS("z") + "/" + clientName), serverIP0.ipv4.String(), 80, Dropped, }, { - Pod(namespaces["z"] + "/" + clientName), + Pod(getNS("z") + "/" + clientName), serverIP1.ipv4.String(), 80, Connected, @@ -3582,13 +3613,13 @@ func testACNPNodeSelectorIngress(t *testing.T, data *TestData) { if clusterInfo.podV6NetworkCIDR != "" { ipv6TestCases := []podToAddrTestStep{ { - Pod(namespaces["z"] + "/" + clientName), + Pod(getNS("z") + "/" + clientName), serverIP0.ipv6.String(), 80, Dropped, }, { - Pod(namespaces["z"] + "/" + clientName), + Pod(getNS("z") + "/" + clientName), serverIP1.ipv6.String(), 80, Connected, 
@@ -3631,9 +3662,9 @@ func testACNPICMPSupport(t *testing.T, data *TestData) { builder = builder.SetName("test-acnp-icmp"). SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": clientName}}}) builder.AddEgress(ProtocolICMP, nil, nil, nil, &icmpType, &icmpCode, nil, nil, nil, map[string]string{"antrea-e2e": server0Name}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) builder.AddEgress(ProtocolICMP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": server1Name}, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil) testcases := []podToAddrTestStep{} if clusterInfo.podV4NetworkCIDR != "" { @@ -3744,7 +3775,7 @@ sleep 3600 }, }) builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, &cidr, nil, nil, - nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "", nil) + nil, nil, nil, nil, crdv1alpha1.RuleActionReject, "", "", nil) acnp, err := k8sUtils.CreateOrUpdateACNP(builder.Get()) failOnError(err, t) @@ -3837,7 +3868,7 @@ func testACNPIGMPQuery(t *testing.T, data *TestData, acnpName, caseName, groupAd // create acnp with ingress rule for IGMP query igmpType := crdv1alpha1.IGMPQuery builder.AddIngress(ProtocolIGMP, nil, nil, nil, nil, nil, &igmpType, &queryGroupAddress, nil, nil, nil, - nil, nil, false, nil, action, "", "", nil) + nil, nil, nil, nil, action, "", "", nil) acnp := builder.Get() _, err = k8sUtils.CreateOrUpdateACNP(acnp) defer data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) 
@@ -3919,7 +3950,7 @@ func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, g SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": label}}}) cidr := mc.group.String() + "/32" builder.AddEgress(ProtocolUDP, nil, nil, nil, nil, nil, nil, nil, &cidr, nil, nil, - nil, nil, false, nil, action, "", "", nil) + nil, nil, nil, nil, action, "", "", nil) acnp := builder.Get() _, err = k8sUtils.CreateOrUpdateACNP(acnp) if err != nil { @@ -4182,7 +4213,7 @@ func waitForResourcesReady(t *testing.T, timeout time.Duration, objs ...metav1.O } // TestAntreaPolicy is the top-level test which contains all subtests for -// AntreaPolicy related test cases so they can share setup, teardown. +// AntreaPolicy related test cases so that they can share setup and teardown. func TestAntreaPolicy(t *testing.T) { skipIfHasWindowsNodes(t) skipIfAntreaPolicyDisabled(t) @@ -4193,7 +4224,7 @@ func TestAntreaPolicy(t *testing.T) { } defer teardownTest(t, data) - initialize(t, data) + initialize(t, data, formFactorNormal) t.Run("TestGroupValidateAntreaNativePolicies", func(t *testing.T) { t.Run("Case=ACNPNoPriority", func(t *testing.T) { testInvalidACNPNoPriority(t) }) @@ -4331,7 +4362,7 @@ func TestAntreaPolicyStatus(t *testing.T) { anpBuilder = anpBuilder.SetName(data.testNamespace, "anp-applied-to-two-nodes"). SetPriority(1.0). SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) - anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") anp := anpBuilder.Get() log.Debugf("creating ANP %v", anp.Name) 
@@ -4343,8 +4374,8 @@ func TestAntreaPolicyStatus(t *testing.T) { acnpBuilder = acnpBuilder.SetName("acnp-applied-to-two-nodes"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}}) - acnpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, - nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "", nil) + acnpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, + nil, nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "", nil) acnp := acnpBuilder.Get() log.Debugf("creating ACNP %v", acnp.Name) _, err = data.crdClient.CrdV1alpha1().ClusterNetworkPolicies().Create(context.TODO(), acnp, metav1.CreateOptions{}) 
@@ -4380,9 +4411,9 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { anpBuilder := &AntreaNetworkPolicySpecBuilder{} anpBuilder = anpBuilder.SetName(data.testNamespace, "anp-applied-to-per-rule"). SetPriority(1.0) - anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server0Name}}}, crdv1alpha1.RuleActionAllow, "", "") - anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil, + anpBuilder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": server1Name}}}, crdv1alpha1.RuleActionAllow, "", "") anp := anpBuilder.Get() log.Debugf("creating ANP %v", anp.Name) @@ -4421,15 +4452,15 @@ func TestAntreaPolicyStatusWithAppliedToUnsupportedGroup(t *testing.T) { } defer teardownTest(t, data) - initialize(t, data) + initialize(t, data, formFactorNormal) - testNamespace := namespaces["x"] + testNamespace := getNS("x") // Build a Group with namespaceSelector selecting namespaces outside testNamespace. grpName := "grp-with-ns-selector" grpBuilder := &GroupSpecBuilder{} grpBuilder = grpBuilder.SetName(grpName).SetNamespace(testNamespace). SetPodSelector(map[string]string{"pod": "b"}, nil). - SetNamespaceSelector(map[string]string{"ns": namespaces["y"]}, nil) + SetNamespaceSelector(map[string]string{"ns": getNS("y")}, nil) grp, err := k8sUtils.CreateOrUpdateV1Alpha3Group(grpBuilder.Get()) failOnError(err, t) failOnError(waitForResourceReady(t, timeout, grp), t) 
@@ -4540,6 +4571,27 @@ func (data *TestData) waitForACNPRealized(t *testing.T, name string, timeout tim return nil } +// TestAntreaPolicyStats is the top-level test which contains all subtests for +// AntreaPolicyStats related test cases so that they can share setup and teardown. +func TestAntreaPolicyStats(t *testing.T) { + skipIfHasWindowsNodes(t) + skipIfAntreaPolicyDisabled(t) + skipIfNetworkPolicyStatsDisabled(t) + + data, err := setupTest(t) + if err != nil { + t.Fatalf("Error when setting up test: %v", err) + } + defer teardownTest(t, data) + + t.Run("testANPNetworkPolicyStatsWithDropAction", func(t *testing.T) { + testANPNetworkPolicyStatsWithDropAction(t, data) + }) + t.Run("testAntreaClusterNetworkPolicyStats", func(t *testing.T) { + testAntreaClusterNetworkPolicyStats(t, data) + }) +} + // testANPNetworkPolicyStatsWithDropAction tests antreanetworkpolicystats can correctly collect dropped packets stats from ANP if // networkpolicystats feature is enabled func testANPNetworkPolicyStatsWithDropAction(t *testing.T, data *TestData) { diff --git a/test/e2e/clustergroup_test.go b/test/e2e/clustergroup_test.go index ab37691c789..6a2312c69bb 100644 --- a/test/e2e/clustergroup_test.go +++ b/test/e2e/clustergroup_test.go @@ -52,7 +52,7 @@ func testInvalidCGIPBlockWithPodSelector(t *testing.T) { func testInvalidCGIPBlockWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with ipblock and namespaceSelector") cgName := "ipb-ns" - nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} + nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": getNS("y")}} cidr := "10.0.0.10/32" ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} cg := &crdv1alpha3.ClusterGroup{ 
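Review bot: TestAntreaPolicyStats calls setupTest/teardownTest but, unlike TestAntreaPolicy, TestClusterGroup and TestGroup in this same diff, never calls `initialize(t, data, formFactorNormal)` before running its subtests. The bodies of testANPNetworkPolicyStatsWithDropAction and testAntreaClusterNetworkPolicyStats are outside this diff, so this is inferred, but if either uses getNS(...) or the shared test Pods they will run against an uninitialized `namespaces` map. Either add `initialize(t, data, formFactorNormal)` after the `defer teardownTest(t, data)` line, or extend the doc comment to state that these subtests create and clean up their own fixtures and do not depend on the shared test Namespaces.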
@@ -97,7 +97,7 @@ func testInvalidCGServiceRefWithPodSelector(t *testing.T) { cgName := "svcref-pod-selector" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } cg := &crdv1alpha3.ClusterGroup{ @@ -118,9 +118,9 @@ func testInvalidCGServiceRefWithPodSelector(t *testing.T) { func testInvalidCGServiceRefWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with serviceReference and namespaceSelector") cgName := "svcref-ns-selector" - nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} + nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": getNS("y")}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } cg := &crdv1alpha3.ClusterGroup{ @@ -144,7 +144,7 @@ func testInvalidCGServiceRefWithIPBlock(t *testing.T) { cidr := "10.0.0.10/32" ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } cg := &crdv1alpha3.ClusterGroup{ @@ -207,7 +207,7 @@ func testInvalidCGChildGroupWithServiceReference(t *testing.T) { invalidErr := fmt.Errorf("clustergroup created with childGroups and ServiceReference") cgName := "child-group-svcref" svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } cg := &crdv1alpha3.ClusterGroup{ @@ -390,7 +390,7 @@ func TestClusterGroup(t *testing.T) { } defer teardownTest(t, data) - initialize(t, data) + initialize(t, data, formFactorNormal) t.Run("TestGroupClusterGroupValidate", func(t *testing.T) { t.Run("Case=IPBlockWithPodSelectorDenied", func(t *testing.T) { testInvalidCGIPBlockWithPodSelector(t) }) diff --git a/test/e2e/group_test.go b/test/e2e/group_test.go index f92cf903bc9..c7cd04729f2 100644 --- a/test/e2e/group_test.go 
+++ b/test/e2e/group_test.go @@ -33,7 +33,7 @@ func testInvalidGroupIPBlockWithPodSelector(t *testing.T) { g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces["x"], + Namespace: getNS("x"), }, Spec: crdv1alpha3.GroupSpec{ PodSelector: pSel, @@ -49,13 +49,13 @@ func testInvalidGroupIPBlockWithPodSelector(t *testing.T) { func testInvalidGroupIPBlockWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("group created with ipblock and namespaceSelector") gName := "ipb-ns" - nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} + nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": getNS("y")}} cidr := "10.0.0.10/32" ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces["x"], + Namespace: getNS("x"), }, Spec: crdv1alpha3.GroupSpec{ NamespaceSelector: nSel, @@ -73,13 +73,13 @@ func testInvalidGroupServiceRefWithPodSelector(t *testing.T) { gName := "svcref-pod-selector" pSel := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "x"}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces["y"], + Namespace: getNS("y"), }, Spec: crdv1alpha3.GroupSpec{ PodSelector: pSel, 
@@ -95,15 +95,15 @@ func testInvalidGroupServiceRefWithPodSelector(t *testing.T) { func testInvalidGroupServiceRefWithNSSelector(t *testing.T) { invalidErr := fmt.Errorf("group created with serviceReference and namespaceSelector") gName := "svcref-ns-selector" - nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": namespaces["y"]}} + nSel := &metav1.LabelSelector{MatchLabels: map[string]string{"ns": getNS("y")}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces["y"], + Namespace: getNS("y"), }, Spec: crdv1alpha3.GroupSpec{ NamespaceSelector: nSel, @@ -122,13 +122,13 @@ func testInvalidGroupServiceRefWithIPBlock(t *testing.T) { cidr := "10.0.0.10/32" ipb := []crdv1alpha1.IPBlock{{CIDR: cidr}} svcRef := &crdv1alpha1.NamespacedName{ - Namespace: namespaces["y"], + Namespace: getNS("y"), Name: "test-svc", } g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces["y"], + Namespace: getNS("y"), }, Spec: crdv1alpha3.GroupSpec{ ServiceReference: svcRef, @@ -150,7 +150,7 @@ func createChildGroupForTest(t *testing.T) { g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: testChildGroupName, - Namespace: namespaces[testChildGroupNamespace], + Namespace: getNS(testChildGroupNamespace), }, Spec: crdv1alpha3.GroupSpec{ PodSelector: &metav1.LabelSelector{}, @@ -162,7 +162,7 @@ func createChildGroupForTest(t *testing.T) { } func cleanupChildGroupForTest(t *testing.T) { - if err := k8sUtils.DeleteV1Alpha3Group(namespaces[testChildGroupNamespace], testChildGroupName); err != nil { + if err := k8sUtils.DeleteV1Alpha3Group(getNS(testChildGroupNamespace), testChildGroupName); err != nil { failOnError(err, t) } } 
@@ -174,7 +174,7 @@ func testInvalidGroupChildGroupWithPodSelector(t *testing.T) { g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces[testChildGroupNamespace], + Namespace: getNS(testChildGroupNamespace), }, Spec: crdv1alpha3.GroupSpec{ PodSelector: pSel, @@ -192,12 +192,12 @@ func testInvalidGroupChildGroupWithServiceReference(t *testing.T) { gName := "child-group-svcref" svcRef := &crdv1alpha1.NamespacedName{ Name: "test-svc", - Namespace: namespaces[testChildGroupNamespace], + Namespace: getNS(testChildGroupNamespace), } g := &crdv1alpha3.Group{ ObjectMeta: metav1.ObjectMeta{ Name: gName, - Namespace: namespaces[testChildGroupNamespace], + Namespace: getNS(testChildGroupNamespace), }, Spec: crdv1alpha3.GroupSpec{ ServiceReference: svcRef, @@ -214,13 +214,13 @@ func testInvalidGroupMaxNestedLevel(t *testing.T) { invalidErr := fmt.Errorf("group created with childGroup which has childGroups itself") gName1, gName2 := "g-nested-1", "g-nested-2" g1 := &crdv1alpha3.Group{ - ObjectMeta: metav1.ObjectMeta{Namespace: namespaces[testChildGroupNamespace], Name: gName1}, + ObjectMeta: metav1.ObjectMeta{Namespace: getNS(testChildGroupNamespace), Name: gName1}, Spec: crdv1alpha3.GroupSpec{ ChildGroups: []crdv1alpha3.ClusterGroupReference{crdv1alpha3.ClusterGroupReference(testChildGroupName)}, }, } g2 := &crdv1alpha3.Group{ - ObjectMeta: metav1.ObjectMeta{Namespace: namespaces[testChildGroupNamespace], Name: gName2}, + ObjectMeta: metav1.ObjectMeta{Namespace: getNS(testChildGroupNamespace), Name: gName2}, Spec: crdv1alpha3.GroupSpec{ ChildGroups: []crdv1alpha3.ClusterGroupReference{crdv1alpha3.ClusterGroupReference(gName1)}, }, 
@@ -236,7 +236,7 @@ func testInvalidGroupMaxNestedLevel(t *testing.T) { failOnError(invalidErr, t) } // cleanup g-nested-1 - if err := k8sUtils.DeleteV1Alpha3Group(namespaces[testChildGroupNamespace], gName1); err != nil { + if err := k8sUtils.DeleteV1Alpha3Group(getNS(testChildGroupNamespace), gName1); err != nil { failOnError(err, t) } // Try to create g-nested-2 first and then g-nested-1. @@ -250,7 +250,7 @@ func testInvalidGroupMaxNestedLevel(t *testing.T) { failOnError(invalidErr, t) } // cleanup g-nested-2 - if err := k8sUtils.DeleteV1Alpha3Group(namespaces[testChildGroupNamespace], gName2); err != nil { + if err := k8sUtils.DeleteV1Alpha3Group(getNS(testChildGroupNamespace), gName2); err != nil { failOnError(err, t) } } @@ -264,7 +264,7 @@ func TestGroup(t *testing.T) { t.Fatalf("Error when setting up test: %v", err) } defer teardownTest(t, data) - initialize(t, data) + initialize(t, data, formFactorNormal) t.Run("TestGroupNamespacedGroupValidate", func(t *testing.T) { t.Run("Case=IPBlockWithPodSelectorDenied", func(t *testing.T) { testInvalidGroupIPBlockWithPodSelector(t) }) diff --git a/test/e2e/k8s_util.go b/test/e2e/k8s_util.go index edfb4ad32bf..9ca6c50a22b 100644 --- a/test/e2e/k8s_util.go +++ b/test/e2e/k8s_util.go @@ -79,6 +79,12 @@ type CustomProbe struct { ExpectConnectivity PodConnectivityMark } +// TestNamespaceMeta holds the relevant metadata of a test Namespace during initialization. +type TestNamespaceMeta struct { + Name string + Labels map[string]string +} + // GetPodByLabel returns a Pod with the matching Namespace and "pod" label. func (k *KubernetesUtils) GetPodByLabel(ns string, name string) (*v1.Pod, error) { pods, err := k.getPodsUncached(ns, "pod", name) 
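Review bot: TestNamespaceMeta's fields carry no documentation, and the type comment does not say how Labels is used; Bootstrap later in this diff always adds the `ns=<Name>` label on top of whatever is supplied, which a caller cannot tell from the type alone. Suggest field comments such as `// Name is the Namespace name; it is also applied as the "ns" label by Bootstrap.` and `// Labels are extra labels applied to the Namespace on creation; an "ns" key is overwritten by Bootstrap.`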
@@ -586,9 +592,9 @@ func (data *TestData) DeleteNetworkPolicy(ns, name string) error { } // CleanNetworkPolicies is a convenience function for deleting NetworkPolicies in the provided namespaces. -func (data *TestData) CleanNetworkPolicies(namespaces map[string]string) error { +func (data *TestData) CleanNetworkPolicies(namespaces map[string]TestNamespaceMeta) error { for _, ns := range namespaces { - l, err := data.clientset.NetworkingV1().NetworkPolicies(ns).List(context.TODO(), metav1.ListOptions{}) + l, err := data.clientset.NetworkingV1().NetworkPolicies(ns.Name).List(context.TODO(), metav1.ListOptions{}) if err != nil { return errors.Wrapf(err, "unable to list NetworkPolicy in Namespace '%s'", ns) } @@ -749,7 +755,7 @@ func (k *KubernetesUtils) GetCG(name string) (*crdv1alpha2.ClusterGroup, error) return res, nil } -// CreateGroup is a convenience function for creating an Antrea Group by namespace, name and selector. +// CreateGroup is a convenience function for creating an Antrea Group by namespace, name and selector. func (k *KubernetesUtils) CreateGroup(namespace, name string, pSelector, nSelector *metav1.LabelSelector, ipBlocks []crdv1alpha1.IPBlock) (*crdv1alpha3.Group, error) { log.Infof("Creating group %s/%s", namespace, name) _, err := k.crdClient.CrdV1alpha3().Groups(namespace).Get(context.TODO(), name, metav1.GetOptions{}) 
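Review bot: `errors.Wrapf(err, "unable to list NetworkPolicy in Namespace '%s'", ns)` still formats `ns`, which after this change is a TestNamespaceMeta struct, so the message now reads `'{x map[ns:x]}'` rather than the Namespace name; `go vet` accepts %s on a struct of strings and string maps, so nothing will flag it. The same leftover appears in Bootstrap (`"unable to create/update ns %s"`, `"Creating/updating Pod '%s/%s'"`, `"unable to create/update Deployment '%s/%s'"`) and in Cleanup (`"Deleting test Namespace %s"`, `"Error when deleting Namespace '%s': %v"`). Each of these should pass `ns.Name` instead of `ns`.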
@@ -1077,16 +1083,21 @@ func (k *KubernetesUtils) Validate(allPods []Pod, reachability *Reachability, po } } -func (k *KubernetesUtils) Bootstrap(namespaces map[string]string, pods []string) (*map[string][]string, error) { +func (k *KubernetesUtils) Bootstrap(namespaces map[string]TestNamespaceMeta, pods []string) (*map[string][]string, error) { for _, ns := range namespaces { - _, err := k.CreateOrUpdateNamespace(ns, map[string]string{"ns": ns}) + if ns.Labels == nil { + ns.Labels = make(map[string]string) + } + // convenience label for testing + ns.Labels["ns"] = ns.Name + _, err := k.CreateOrUpdateNamespace(ns.Name, ns.Labels) if err != nil { return nil, errors.WithMessagef(err, "unable to create/update ns %s", ns) } for _, pod := range pods { log.Infof("Creating/updating Pod '%s/%s'", ns, pod) - deployment := ns + pod - _, err := k.CreateOrUpdateDeployment(ns, deployment, 1, map[string]string{"pod": pod, "app": pod}) + deployment := ns.Name + pod + _, err := k.CreateOrUpdateDeployment(ns.Name, deployment, 1, map[string]string{"pod": pod, "app": pod}) if err != nil { return nil, errors.WithMessagef(err, "unable to create/update Deployment '%s/%s'", ns, pod) } @@ -1096,7 +1107,7 @@ func (k *KubernetesUtils) Bootstrap(namespaces map[string]string, pods []string) podIPs := make(map[string][]string, len(pods)*len(namespaces)) for _, podName := range pods { for _, ns := range namespaces { - allPods = append(allPods, NewPod(ns, podName)) + allPods = append(allPods, NewPod(ns.Name, podName)) } } for _, pod := range allPods { @@ -1116,7 +1127,7 @@ func (k *KubernetesUtils) Bootstrap(namespaces map[string]string, pods []string) return &podIPs, nil } -func (k *KubernetesUtils) Cleanup(namespaces map[string]string) { +func (k *KubernetesUtils) Cleanup(namespaces map[string]TestNamespaceMeta) { // Cleanup any cluster-scoped resources. if err := k.CleanACNPs(); err != nil { log.Errorf("Error when cleaning up ACNPs: %v", err) 
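Review bot: In Bootstrap, `ns` is the range copy of the map value, so `ns.Labels = make(map[string]string)` only lives for the current iteration and the caller's TestNamespaceMeta never learns about the "ns" label, while when Labels is already non-nil the line `ns.Labels["ns"] = ns.Name` writes through the shared map and mutates the caller's `namespaces` argument in place. The two inputs therefore behave differently and one of them has a hidden side effect on the caller. Building a local merged map for the API call keeps Bootstrap side-effect free and treats both cases the same.
```go
	for _, ns := range namespaces {
		// Copy the caller's labels so the caller's map is never mutated, then add the
		// convenience label used by the tests' NSSelectors.
		labels := make(map[string]string, len(ns.Labels)+1)
		for k, v := range ns.Labels {
			labels[k] = v
		}
		labels["ns"] = ns.Name
		_, err := k.CreateOrUpdateNamespace(ns.Name, labels)
		// … unchanged: error handling and per-Pod Deployment creation …
```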
@@ -1127,7 +1138,7 @@ func (k *KubernetesUtils) Cleanup(namespaces map[string]string) {
 for _, ns := range namespaces {
 log.Infof("Deleting test Namespace %s", ns)
- if err := k.DeleteNamespace(ns, defaultTimeout); err != nil {
+ if err := k.DeleteNamespace(ns.Name, defaultTimeout); err != nil {
 log.Errorf("Error when deleting Namespace '%s': %v", ns, err)
 }
 }
diff --git a/test/e2e/utils/cnp_spec_builder.go b/test/e2e/utils/cnp_spec_builder.go
index 761e2f9e0c4..0726d2cb767 100644
--- a/test/e2e/utils/cnp_spec_builder.go
+++ b/test/e2e/utils/cnp_spec_builder.go
@@ -111,14 +111,12 @@ func (b *ClusterNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[strin
 func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string,
- podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool,
+ podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, namespaces *crdv1alpha1.PeerNamespaces,
 ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder {
 var pSel *metav1.LabelSelector
 var nSel *metav1.LabelSelector
- var ns *crdv1alpha1.PeerNamespaces
 var appliedTos []crdv1alpha1.AppliedTo
- matchSelf := crdv1alpha1.NamespaceMatchSelf
 if b.Spec.Ingress == nil {
 b.Spec.Ingress = []crdv1alpha1.Rule{}
@@ -136,11 +134,6 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol
 MatchExpressions: nsSelectorMatchExp,
 }
 }
- if selfNS == true {
- ns = &crdv1alpha1.PeerNamespaces{
- Match: matchSelf,
- }
- }
 var ipBlock *crdv1alpha1.IPBlock
 if cidr != nil {
 ipBlock = &crdv1alpha1.IPBlock{
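Review bot: The new `namespaces *crdv1alpha1.PeerNamespaces` parameter of AddIngress is stored into the rule peer as-is, whereas the removed `selfNS bool` could only ever produce the `NamespaceMatchSelf` form; callers can now hand in any PeerNamespaces value, and nothing on the signature says how it relates to `nsSelector`/`nsSelectorMatchExp`, which populate the same peer. A short comment on the parameter would make the contract explicit, e.g. `// namespaces is set verbatim as the rule peer's Namespaces field; pass nil to leave it unset.` If the API treats Namespaces and NamespaceSelector as mutually exclusive within a peer, that comment is the place to state it, since AddEgress forwards the same argument unchecked. AddIngress's body continues beyond this hunk.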
@@ -152,11 +145,11 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol
 }
 // An empty From/To in ACNP rules evaluates to match all addresses.
 policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0)
- if pSel != nil || nSel != nil || ns != nil || ipBlock != nil || ruleClusterGroup != "" || serviceAccount != nil {
+ if pSel != nil || nSel != nil || namespaces != nil || ipBlock != nil || ruleClusterGroup != "" || serviceAccount != nil {
 policyPeer = []crdv1alpha1.NetworkPolicyPeer{{
 PodSelector: pSel,
 NamespaceSelector: nSel,
- Namespaces: ns,
+ Namespaces: namespaces,
 IPBlock: ipBlock,
 Group: ruleClusterGroup,
 ServiceAccount: serviceAccount,
@@ -178,14 +171,14 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol
 func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string,
- podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool,
+ podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, namespaces *crdv1alpha1.PeerNamespaces,
 ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder {
 // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical
 // With the exception of calling the rule `To` vs. `From`.
 c := &ClusterNetworkPolicySpecBuilder{}
 c.AddIngress(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress, cidr, podSelector, nsSelector,
- podSelectorMatchExp, nsSelectorMatchExp, selfNS, ruleAppliedToSpecs, action, ruleClusterGroup, name, serviceAccount)
+ podSelectorMatchExp, nsSelectorMatchExp, namespaces, ruleAppliedToSpecs, action, ruleClusterGroup, name, serviceAccount)
 theRule := c.Get().Spec.Ingress[0]
 b.Spec.Egress = append(b.Spec.Egress, crdv1alpha1.Rule{