Add same-labels e2e testcase

Signed-off-by: Dyanngg <[email protected]>
antrea-io · Jan 10, 2023 · dbfd891 · dbfd891
1 parent cdf7892
commit dbfd891
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 6 deletions.
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
@@ -561,6 +561,9 @@ func (v *antreaPolicyValidator) validatePeers(ingress, egress []crdv1alpha1.Rule
 			if peer.NamespaceSelector != nil && peer.Namespaces != nil {
 				return "namespaces and namespaceSelector cannot be set at the same time for a single NetworkPolicyPeer", false
 			}
+			if peer.Namespaces != nil && numFieldsSetInStruct(peer.Namespaces) > 1 {
+				return "only one matching criteria can be specified in a single peer namespaces field", false
+			}
 			peerFieldsNum := numFieldsSetInStruct(peer)
 			if peer.Group != "" && peerFieldsNum > 1 {
 				return "group cannot be set with other peers in rules", false

diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -138,10 +138,10 @@ func initNamespaceMeta(formFactor string) map[string]TestNamespaceMeta {
 			}
 			allNamespaceMeta["dev"+strconv.Itoa(i)] = devNS
 		}
-		allNamespaceMeta["no-tier-label"] = TestNamespaceMeta{
-			Name: "no-tier-label-" + suffix,
+		allNamespaceMeta["no-tier"] = TestNamespaceMeta{
+			Name: "no-tier-" + suffix,
 			Labels: map[string]string{
-				"purpose": "test",
+				"purpose": "test-exclusion",
 			},
 		}
 	} else if formFactor == formFactorNormal {
@@ -2640,7 +2640,7 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) {
 			return false, nil
 		}
 
-		destinations := []string{getNS("z") + "/a", getNS("z") + "/b", getNS("z") + "/c"}
+		destinations := []string{getPodName("z", "a"), getPodName("z", "b"), getPodName("z", "c")}
 		srcIPs, _ := podIPs[getPodName("x", "a")]
 		var expectedNumEntries, actualNumEntries int
 		for _, d := range destinations {
@@ -2732,7 +2732,7 @@ func testAuditLoggingEnableNP(t *testing.T, data *TestData) {
 		}
 
 		var expectedNumEntries, actualNumEntries int
-		srcPods := []string{getNS("x") + "/b", getNS("x") + "/c"}
+		srcPods := []string{getPodName("x", "b"), getPodName("x", "c")}
 		expectedLogPrefix := []string{npRef + " <nil> Allow [0-9]+ ", "K8sNetworkPolicy <nil> Drop <nil> "}
 		destIPs, _ := podIPs[getPodName("x", "a")]
 		for i := 0; i < len(srcPods); i++ {
@@ -3185,7 +3185,93 @@ func testACNPStrictNamespacesIsolation(t *testing.T) {
 	}
 
 	testCase := []*TestCase{
-		{"ACNP strict Namespace isolation for all namespaces", []*TestStep{testStep1, testStep2}},
+		{"ACNP strict Namespace isolation for all Namespaces", []*TestStep{testStep1, testStep2}},
+	}
+	executeTests(t, testCase)
+}
+
+func testACNPStrictNamespacesIsolationByLabels(t *testing.T) {
+	samePurposeTierLabels := &crdv1alpha1.PeerNamespaces{
+		SameLabels: []string{"purpose", "tier"},
+	}
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("test-acnp-strict-ns-isolation-by-labels").
+		SetTier("securityops").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}})
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
+		samePurposeTierLabels, nil, crdv1alpha1.RuleActionPass, "", "", nil)
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil,
+		nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	// prod1 and prod2 Namespaces should be able to connect to each other. The same goes for dev1 and
+	// dev2 Namespaces. However, any prod Namespace should not be able to connect to any dev Namespace
+	// due to different "tier" label values. For the "no-tier" Namespace, the first ingress rule will
+	// have no effect because the Namespace does not have a "tier" label. So every Pod in that Namespace
+	// will be isolated according to the second rule of the ACNP.
+	reachability := NewReachability(allPods, Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod1"), getNS("prod2"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod1"), getNS("prod2"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod2"), getNS("prod1"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod2"), getNS("prod1"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev1"), getNS("dev2"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev1"), getNS("dev2"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev2"), getNS("dev1"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev2"), getNS("dev1"), Connected)
+	reachability.ExpectAllSelfNamespace(Connected)
+	reachability.ExpectSelfNamespace(getNS("no-tier"), Dropped)
+	reachability.ExpectSelf(allPods, Connected)
+
+	testStep1 := &TestStep{
+		"Namespace isolation by label, Port 80",
+		reachability,
+		[]metav1.Object{builder.Get()},
+		[]int32{80},
+		ProtocolTCP,
+		0,
+		nil,
+	}
+	testCase := []*TestCase{
+		{"ACNP strict Namespace isolation by Namespace purpose and tier labels", []*TestStep{testStep1}},
+	}
+	executeTests(t, testCase)
+}
+
+func testACNPStrictNamespacesIsolationBySingleLabel(t *testing.T) {
+	samePurposeTierLabels := &crdv1alpha1.PeerNamespaces{
+		SameLabels: []string{"purpose"},
+	}
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("test-acnp-strict-ns-isolation-by-single-label").
+		SetTier("securityops").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}})
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
+		samePurposeTierLabels, nil, crdv1alpha1.RuleActionPass, "", "", nil)
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil,
+		nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	// Namespaces are split into two logical groups, purpose=test (prod1,2 and dev1,2) and purpose=test-exclusion
+	// (no-tier). The two groups of Namespace should not be able to connect to each other.
+	reachability := NewReachability(allPods, Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod1"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod2"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev1"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev2"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod1"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod2"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev1"), getNS("no-tier"), Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev2"), getNS("no-tier"), Dropped)
+
+	testStep1 := &TestStep{
+		"Namespace isolation by single label, Port 80",
+		reachability,
+		[]metav1.Object{builder.Get()},
+		[]int32{80},
+		ProtocolTCP,
+		0,
+		nil,
+	}
+	testCase := []*TestCase{
+		{"ACNP strict Namespace isolation by Namespace purpose label", []*TestStep{testStep1}},
 	}
 	executeTests(t, testCase)
 }
@@ -4343,6 +4429,25 @@ func TestAntreaPolicy(t *testing.T) {
 	k8sUtils.Cleanup(namespaces)
 }
 
+func TestAntreaPolicyExtendedNamespaces(t *testing.T) {
+	skipIfHasWindowsNodes(t)
+	skipIfAntreaPolicyDisabled(t)
+
+	data, err := setupTest(t)
+	if err != nil {
+		t.Fatalf("Error when setting up test: %v", err)
+	}
+	defer teardownTest(t, data)
+
+	initialize(t, data, formFactorLarge)
+
+	t.Run("TestGroupACNPNamespaceLabelSelections", func(t *testing.T) {
+		t.Run("Case=ACNPStrictNamespacesIsolationByLabels", func(t *testing.T) { testACNPStrictNamespacesIsolationByLabels(t) })
+		t.Run("Case=ACNPStrictNamespacesIsolationBySingleLabel", func(t *testing.T) { testACNPStrictNamespacesIsolationBySingleLabel(t) })
+	})
+	k8sUtils.Cleanup(namespaces)
+}
+
 func TestAntreaPolicyStatus(t *testing.T) {
 	skipIfHasWindowsNodes(t)
 	skipIfAntreaPolicyDisabled(t)

diff --git a/test/e2e/reachability.go b/test/e2e/reachability.go
@@ -312,6 +312,26 @@ func (r *Reachability) ExpectEgressToNamespace(pod Pod, namespace string, connec
 	}
 }
 
+func (r *Reachability) ExpectNamespaceIngressFromNamespace(dstNamespace, srcNamespace string, connectivity PodConnectivityMark) {
+	dstPods, ok := r.PodsByNamespace[dstNamespace]
+	if !ok {
+		panic(fmt.Errorf("destination Namespace %s is not found", dstNamespace))
+	}
+	for _, p := range dstPods {
+		r.ExpectIngressFromNamespace(p, srcNamespace, connectivity)
+	}
+}
+
+func (r *Reachability) ExpectNamespaceEgressToNamespace(srcNamespace, dstNamespace string, connectivity PodConnectivityMark) {
+	srcPods, ok := r.PodsByNamespace[srcNamespace]
+	if !ok {
+		panic(fmt.Errorf("src Namespace %s is not found", srcNamespace))
+	}
+	for _, p := range srcPods {
+		r.ExpectEgressToNamespace(p, dstNamespace, connectivity)
+	}
+}
+
 func (r *Reachability) Observe(pod1 Pod, pod2 Pod, connectivity PodConnectivityMark) {
 	r.Observed.Set(string(pod1), string(pod2), connectivity)
 }