Add E2E tests for ipBlocks in CG

antrea-io · Mar 25, 2021 · 9f981e0 · 9f981e0
1 parent 37f5404
commit 9f981e0
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 10 deletions.
diff --git a/pkg/apis/core/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/core/v1alpha2/zz_generated.deepcopy.go
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -1105,9 +1105,9 @@ func testACNPClusterGroupUpdate(t *testing.T) {
 func testACNPClusterGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 	cgName := "cg-pod-custom-pod-zj"
 	cgBuilder := &ClusterGroupSpecBuilder{}
-	cgBuilder = cgBuilder.SetName(cgName)
-	cgBuilder = cgBuilder.SetNamespaceSelector(map[string]string{"ns": "z"}, nil)
-	cgBuilder = cgBuilder.SetPodSelector(map[string]string{"pod": "j"}, nil)
+	cgBuilder = cgBuilder.SetName(cgName).
+		SetNamespaceSelector(map[string]string{"ns": "z"}, nil).
+		SetPodSelector(map[string]string{"pod": "j"}, nil)
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-deny-cg-with-zj-to-xj-egress").
 		SetPriority(1.0).
@@ -1149,14 +1149,18 @@ func testACNPClusterGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 	cgName := "cg-pod-custom-pod-zk"
 	cgBuilder := &ClusterGroupSpecBuilder{}
-	cgBuilder = cgBuilder.SetName(cgName)
-	cgBuilder = cgBuilder.SetNamespaceSelector(map[string]string{"ns": "z"}, nil)
-	cgBuilder = cgBuilder.SetPodSelector(map[string]string{"pod": "k"}, nil)
+	cgBuilder = cgBuilder.SetName(cgName).
+		SetNamespaceSelector(map[string]string{"ns": "z"}, nil).
+		SetPodSelector(map[string]string{"pod": "k"}, nil)
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-deny-xk-to-cg-with-zk-egress").
 		SetPriority(1.0).
-		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "k"},
-			NSSelector: map[string]string{"ns": "x"}}})
+		SetAppliedToGroup([]ACNPAppliedToSpec{
+			{
+				PodSelector: map[string]string{"pod": "k"},
+				NSSelector:  map[string]string{"ns": "x"},
+			},
+		})
 	builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
 		nil, nil, nil, secv1alpha1.RuleActionDrop, cgName, "")
 	cp := []*CustomProbe{
@@ -1191,6 +1195,49 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 	executeTestsWithData(t, testCase, data)
 }
 
+func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) {
+	podXAIP, _ := podIPs["x/a"]
+	podXBIP, _ := podIPs["x/b"]
+	podXCIP, _ := podIPs["x/c"]
+	cidrXA, cidrXB, cidrXC := podXAIP+"/32", podXBIP+"/32", podXCIP+"/32"
+	cgName := "cg-ipblock-pod-in-ns-x"
+	cgBuilder := &ClusterGroupSpecBuilder{}
+	cgBuilder = cgBuilder.SetName(cgName).
+		SetIPBlocks([]secv1alpha1.IPBlock{{CIDR: cidrXA}, {CIDR: cidrXB}, {CIDR: cidrXC}})
+
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("acnp-deny-ya-to-x-ips-ingress").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ACNPAppliedToSpec{
+			{
+				PodSelector: map[string]string{"pod": "a"},
+				NSSelector:  map[string]string{"ns": "y"},
+			},
+		})
+	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
+		nil, nil, nil, secv1alpha1.RuleActionDrop, cgName, "")
+	reachability := NewReachability(allPods, Connected)
+	reachability.Expect(Pod("x/a"), Pod("y/a"), Dropped)
+	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
+	reachability.Expect(Pod("x/c"), Pod("y/a"), Dropped)
+	testStep := []*TestStep{
+		{
+			"Port 80",
+			reachability,
+			[]metav1.Object{builder.Get()},
+			[]metav1.Object{cgBuilder.Get()},
+			[]int32{80},
+			v1.ProtocolTCP,
+			0,
+			nil,
+		},
+	}
+	testCase := []*TestCase{
+		{"ACNP Drop Ingress From Pod: y/a to ClusterGroup with ipBlocks of Pods IPs in NS x", testStep},
+	}
+	executeTests(t, testCase)
+}
+
 // testBaselineNamespaceIsolation tests that a ACNP in the baseline Tier is able to enforce default namespace isolation,
 // which can be later overridden by developer K8s NetworkPolicies.
 func testBaselineNamespaceIsolation(t *testing.T) {
@@ -2339,6 +2386,7 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ACNPClusterGroupUpdateAppliedTo", func(t *testing.T) { testACNPClusterGroupUpdateAppliedTo(t) })
 		t.Run("Case=ACNPClusterGroupAppliedToPodAdd", func(t *testing.T) { testACNPClusterGroupAppliedToPodAdd(t, data) })
 		t.Run("Case=ACNPClusterGroupRefRulePodAdd", func(t *testing.T) { testACNPClusterGroupRefRulePodAdd(t, data) })
+		t.Run("Case=ACNPClusterGroupRefRuleIPBlocks", func(t *testing.T) { testACNPClusterGroupRefRuleIPBlocks(t) })
 		t.Run("Case=ACNPClusterGroupIngressRuleDenyCGWithXBtoYA", func(t *testing.T) { testACNPIngressRuleDenyCGWithXBtoYA(t) })
 		t.Run("Case=ACNPClusterGroupServiceRef", func(t *testing.T) { testACNPClusterGroupServiceRefCreateAndUpdate(t, data) })
 		t.Run("Case=ACNPNestedClusterGroup", func(t *testing.T) { testACNPNestedClusterGroupCreateAndUpdate(t, data) })

diff --git a/test/e2e/utils/cgspecbuilder.go b/test/e2e/utils/cgspecbuilder.go
@@ -68,8 +68,8 @@ func (b *ClusterGroupSpecBuilder) SetNamespaceSelector(nsSelector map[string]str
 	return b
 }
 
-func (b *ClusterGroupSpecBuilder) SetIPBlock(ipb *secv1alpha1.IPBlock) *ClusterGroupSpecBuilder {
-	b.Spec.IPBlock = ipb
+func (b *ClusterGroupSpecBuilder) SetIPBlocks(ipBlocks []secv1alpha1.IPBlock) *ClusterGroupSpecBuilder {
+	b.Spec.IPBlocks = ipBlocks
 	return b
 }