diff --git a/conformance/tests/admin-network-policy-experimental-egress-rules.go b/conformance/tests/admin-network-policy-experimental-egress-rules.go
index d28723e1..1f4953d8 100644
--- a/conformance/tests/admin-network-policy-experimental-egress-rules.go
+++ b/conformance/tests/admin-network-policy-experimental-egress-rules.go
@@ -17,14 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
@@ -48,21 +42,10 @@ var CNPAdminTierEgressNamedPort = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-tcp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 namedPortRule := mutate.Spec.Egress[5]
 webPort := "web"
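Review bot: The new `GetClusterNetworkPolicy` call is followed directly by `mutate.Spec.Egress[5]` with no length guard, so a manifest with fewer than six egress rules turns into an index-out-of-range panic instead of a test failure, and `require` is no longer imported in this file. A plain guard after `mutate := cnp.DeepCopy()` keeps the failure readable: `if len(mutate.Spec.Egress) < 6 { t.Fatalf("egress-tcp has %d egress rules, expected at least 6", len(mutate.Spec.Egress)) }`. The same applies to `mutate.DeepCopy().Spec.Ingress[5]` in the ingress-udp hunk of admin-network-policy-experimental-ingress-rules.go. The t.Run closure continues past the end of this hunk.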
@@ -73,21 +56,17 @@ var CNPAdminTierEgressNamedPort = suite.ConformanceTest{
 },
 }
 mutate.Spec.Egress[5] = namedPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to hufflepuff from gryffindor at the web port, which is defined as TCP at port 80 in pod spec
 // egressRule at index5 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
 })
- },
 }
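Review bot: The cluster-scoped policy `egress-tcp` is mutated in place by the new `kubernetes.PatchClusterNetworkPolicy` call and nothing visible in this hunk restores it once the subtest ends; unless the helper itself registers a `t.Cleanup` (cannot be seen from here), the rewritten rule at index 5 persists for every later test that shares the same manifest, so the suite's allow/deny verdicts become order-dependent. Registering the revert right after the patch makes the isolation explicit, e.g. `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })`, presuming the helper takes (current, desired) in that order as the replaced `client.MergeFrom(cnp)` call did. The same concern applies to the `ingress-udp` patch in admin-network-policy-experimental-ingress-rules.go and to the `inline-cidr-as-peers-example` patch in admin-network-policy-standard-egress-inline-cidr-rules.go, where a rule is prepended and never removed. The enclosing t.Run closure starts in the previous hunk.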
@@ -100,44 +79,32 @@ var CNPAdminTierEgressNodePeers = suite.ConformanceTest{
 },
 Manifests: []string{"base/admin_tier/experimental-egress-selector-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `node-and-cidr-as-peers-example` admin CNP
 // centaur-1 is our server host-networked pod in forbidden-forrest namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-forbidden-forrest",
- Name: "centaur-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-forbidden-forrest", "centaur-1", s.TimeoutConfig.GetTimeout)
 t.Run("Should support an 'allow-egress' rule policy for egress-node-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to forbidden-forrest from gryffindor at the s.HostNetworkPorts[0] TCP port
 // egressRule at index0 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[0]), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[0]), s.TimeoutConfig, true)
 })
 t.Run("Should support a 'pass-egress' rule policy for egress-node-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is PASSED to forbidden-forrest from gryffindor at the s.HostNetworkPorts[2] UDP port
 // egressRule at index1 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[2]), s.TimeoutConfig.RequestTimeout, true) // Pass rule at index2 takes effect
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[2]), s.TimeoutConfig, true) // Pass rule at index2 takes effect
 })
 t.Run("Should support a 'deny-egress' rule policy for egress-node-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is DENIED to rest of the nodes from gryffindor; egressRule at index2 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[1]), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[4]), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[6]), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[1]), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[4]), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[6]), s.TimeoutConfig, false)
 })
 },
 }
diff --git a/conformance/tests/admin-network-policy-experimental-ingress-rules.go b/conformance/tests/admin-network-policy-experimental-ingress-rules.go
index 636c802e..400a19fd 100644
--- a/conformance/tests/admin-network-policy-experimental-ingress-rules.go
+++ b/conformance/tests/admin-network-policy-experimental-ingress-rules.go
@@ -17,14 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
@@ -41,21 +35,10 @@ var CNPAdminTierIngressNamedPort = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `ingress-udp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "ingress-udp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 dnsPortRule := mutate.DeepCopy().Spec.Ingress[5]
 dnsPort := "dns"
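Review bot: In the pass-egress subtest of CNPAdminTierEgressNodePeers, the new udp `PokeServer` line carries over the trailing comment `// Pass rule at index2 takes effect` while the comment two lines above it says `egressRule at index1 should take effect` and the deny subtest attributes index2 to the DENY rule; one of these is wrong and the carried-over comment should be reconciled against `base/admin_tier/experimental-egress-selector-rules.yaml`, most likely by changing it to `// Pass rule at index1 takes effect` or dropping it. Worth stating next to the top-level `serverPod := kubernetes.GetPod(...)` that centaur-1 is host-networked, so `serverPod.Status.PodIP` is a node address and the three subtests are exercising node-peer rules rather than pod-peer rules, e.g. `// host-networked pod: PodIP is the node IP, which is what the node-peer rules match`.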
@@ -66,19 +49,16 @@ var CNPAdminTierIngressNamedPort = suite.ConformanceTest{
 },
 }
 mutate.Spec.Ingress[5] = dnsPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure ingress is ALLOWED from gryffindor to hufflepuff at the dns port, which is defined as UDP at port 53 in pod spec
 // modified ingressRule at index5 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 // harry-potter-1 is our client pod in gryfindor namespace
 // ensure ingress is DENIED from gryffindor to hufflepuff for rest of the traffic; ingressRule at index6 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
 })
 },
 }
diff --git a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
index f89c83aa..79aa1830 100644
--- a/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -17,14 +17,9 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
 "k8s.io/utils/net"
- "sigs.k8s.io/controller-runtime/pkg/client"
 api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
@@ -45,65 +40,39 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 },
 Manifests: []string{"base/admin_tier/standard-egress-inline-cidr-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `inline-cidr-as-peers-example` admin CNP
 t.Run("Should support a 'deny-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // Let us pick a pod in ravenclaw namespace and try to connect, it won't work
 // ensure egress is DENIED to 0.0.0.0/0 from gryffindor; egressRule at index1 should take effect
 // luna-lovegood-0 is our server pod in ravenclaw namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // Let us pick a pod in hufflepuff namespace and try to connect, it won't work
 // ensure egress is DENIED to 0.0.0.0/0 from gryffindor; egressRule at index1 should take effect
 // cedric-diggory-0 is our server pod in hufflepuff namespace
- serverPod = &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // Let us pick a pod in slytherin namespace and try to connect, it will work since we have a higher priority allow rule
 // ensure traffic is allowed to slytherin; egressRule at index0 should take effect
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod = &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 })
 // To test allow CIDR rule, insert the following rule at index0
 //- name: "allow-egress-to-specific-podIPs"
@@ -113,23 +82,9 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 // - luna-lovegood-0.IP
 // - cedric-diggory-0.IP
 t.Run("Should support an 'allow-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
- serverPodRavenclaw := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPodRavenclaw)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- serverPodHufflepuff := &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-0",
- }, serverPodHufflepuff)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "inline-cidr-as-peers-example",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "inline-cidr-as-peers-example", s.TimeoutConfig.GetTimeout)
+ serverPodRavenclaw := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
+ serverPodHufflepuff := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 var mask string
 if net.IsIPv4String(serverPodRavenclaw.Status.PodIP) {
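Review bot: In the allow-egress subtest, `serverPodRavenclaw.Status.PodIP` from the new `GetPod` call feeds the `net.IsIPv4String(...)` mask selection and, per the comment block above the hunk, the CIDR of the rule inserted at index 0, but nothing visible checks that the IP is non-empty; if `GetPod` only asserts that the Get succeeded (cannot be confirmed from this hunk), a pod that is scheduled but not yet running yields `""`, the IPv4 branch is skipped and the patched policy carries an empty CIDR, so the later allow assertions fail for a reason unrelated to policy enforcement. A guard before `mutate := cnp.DeepCopy()` makes that explicit: `if serverPodRavenclaw.Status.PodIP == "" || serverPodHufflepuff.Status.PodIP == "" { t.Fatalf("server pod has no PodIP yet") }`; alternatively have `GetPod` wait until the pod reports an IP. The t.Run closure continues into the next hunk.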
@@ -153,62 +108,42 @@ var CNPAdminTierEgressInlineCIDRPeers = suite.ConformanceTest{
 },
 }
 mutate.Spec.Egress = append(newRule, mutate.Spec.Egress...)
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP
 // new egressRule at index0 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
 // ensure other pods are still unreachable: luna-lovegood-1.IP and cedric-diggory-1.IP
 // deny at egress rule index2 should kick in
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-1",
- }, serverPodRavenclaw)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPodHufflepuff)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPodRavenclaw = kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout)
+ serverPodHufflepuff = kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP
 // new egressRule at index0 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 })
 },
 }
diff --git a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
index fe86f5fa..f8b40c2b 100644
--- a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
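Review bot: The two new `GetPod` lines re-point `serverPodRavenclaw` and `serverPodHufflepuff` at luna-lovegood-1 and cedric-diggory-1, but the three comment lines that follow them are a copy of the block above (`ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP` / `new egressRule at index0 should take effect`) while every `PokeServer` call beneath asserts `false`; a reader checking the deny expectations against the comments would conclude the test is inverted. Replace the two stale lines with `// ensure egress is DENIED to luna-lovegood-1.IP and cedric-diggory-1.IP` and `// deny rule, now at index2 after the prepend, should take effect`. The t.Run closure that contains these lines starts in the previous hunk.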
@@ -46,177 +39,108 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is ALLOWED to gryffindor from ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is ALLOWED to hufflepuff from ravenclaw at port 9003; egressRule at index5 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
 // ensure egress is DENIED to hufflepuff from ravenclaw for rest of the traffic; egressRule at index6 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
 t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-sctp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in gryffindor namespace
 // ensure egress is DENIED to gryffindor from ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
 t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is DENIED from ravenclaw at port 9003; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is ALLOWED from ravenclaw for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 t.Run("Should support an 'pass-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-sctp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[2]
 mutate.Spec.Egress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is PASSED from gryffindor to ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 t.Run("Should support a 'pass-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-sctp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-sctp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-sctp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
 mutate.Spec.Egress[4] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is PASSED from ravenclaw at port 9003; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is ALLOWED from ravenclaw for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 },
 }
diff --git a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
index be510bd9..a5d58e25 100644
--- a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
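Review bot: The 'pass-egress ... rule ordering' subtest only finds a deny rule at index 0 (`denyRule := mutate.Spec.Egress[0]`, swapped with index 2) because the preceding 'deny-egress' subtest already swapped index 0 and index 1 and nothing visible restores the base order, so the subtests are order-dependent and the new `PatchClusterNetworkPolicy` calls leave that dependency as implicit as the old `Patch` calls did; run on its own with `-run`, the later subtest would operate on the base policy where index 0 is the allow rule. Unless the suite reapplies the base manifest between subtests (not shown here), that intent belongs in a comment at the top of the 'pass-egress' subtest, e.g. `// relies on the preceding 'deny-egress' subtest having moved the deny rule to index0`, or in a `t.Cleanup` that patches the original `cnp` back. The same applies to the egress-tcp hunk. Separately, the new `GetPod` lines in the 'deny-egress' and 'pass-egress' subtests fetch `harry-potter-1` under comments that still say `harry-potter-0 is our server pod in gryffindor namespace`, and `luna-lovegood-0 is our client pod in gryffindor namespace` should read `ravenclaw`. The new `PokeServer` calls also discard any return value where the old code asserted `success`; presumably the helper now fails `t` itself, which is worth confirming since that assertion was the only check in these subtests.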
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
@@ -46,176 +39,107 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // luna-lovegood-0 is our server pod in ravenclaw namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to ravenclaw from gryffindor
 // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
 })
 t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-tcp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is DENIED to ravenclaw from gryffindor
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
 // harry-potter-1 is our client pod in gryffindor namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
 })
 t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 t.Run("Should support an 'pass-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // luna-lovegood-0 is our server pod in ravenclaw namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-tcp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index0 and index2
 denyRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[2]
 mutate.Spec.Egress[2] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our server pod in gryffindor namespace
 // ensure egress is PASSED from gryffindor to ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
 // harry-potter-1 is our server pod in gryffindor namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 t.Run("Should support a 'pass-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `egress-tcp` admin CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "egress-tcp",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-tcp", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index3 and index4
 denyRule := mutate.Spec.Egress[3]
 mutate.Spec.Egress[3] = mutate.Spec.Egress[4]
 mutate.Spec.Egress[4] = denyRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 })
 },
 }
diff --git a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
index ded9c3e8..82a4502f 100644
--- a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
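Review bot: In the 'pass-egress ... rule ordering' subtest the comments directly above the new `PokeServer` calls read `harry-potter-0 is our server pod in gryffindor namespace` and `harry-potter-1 is our server pod in gryffindor namespace`, but both pods are the clients there (the server is `luna-lovegood-0`, fetched by the new `GetPod` line a few lines up), and every other subtest in this file labels these lines `client pod`. Change them to `// harry-potter-0 is our client pod in gryffindor namespace` and `// harry-potter-1 is our client pod in gryffindor namespace` so the expected direction of each probe stays readable. The order dependence between the 'deny-egress' and 'pass-egress' swaps raised on the egress-sctp hunk applies to this file as well.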
@@ -46,177 +39,108 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is ALLOWED to ravenclaw from hufflepuff // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) t.Run("Should support an 
'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is ALLOWED to gryffindor from hufflepuff at port 53; egressRule at index5 - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure egress is DENIED to gryffindor from hufflepuff for rest of the traffic; egressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), 
s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "egress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is DENIED to ravenclaw to hufflepuff // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // cedric-diggory-1 is our client pod in hufflepuff namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress to slytherin is DENIED from hufflepuff at port 80; egressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(53), 
s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) t.Run("Should support an 'pass-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "egress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[2] mutate.Spec.Egress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is PASSED to ravenclaw from hufflepuff // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", 
"cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-egress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `egress-udp` admin CNP // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "egress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "egress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Egress[3] mutate.Spec.Egress[3] = mutate.Spec.Egress[4] mutate.Spec.Egress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - 
require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress to slytherin is PASSED from hufflepuff at port 5353; egressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/admin-network-policy-standard-gress-rules.go b/conformance/tests/admin-network-policy-standard-gress-rules.go index 46967d11..b32fb97f 100644 --- a/conformance/tests/admin-network-policy-standard-gress-rules.go +++ b/conformance/tests/admin-network-policy-standard-gress-rules.go 
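Review bot: In the "Should support a 'deny-egress' policy for UDP protocol at the specified port" subtest the comment above the first poke says the egress is DENIED "at port 80" and the comment above the second names cedric-diggory-0 as the client, but the rewritten calls poke UDP port 5353 from cedric-diggory-0 and UDP port 53 from cedric-diggory-1; since these call lines are being replaced anyway, align the comments with them, e.g. `// ensure egress to slytherin is DENIED from hufflepuff at port 5353; egressRule at index3 should take effect` and `// cedric-diggory-1 is our client pod in hufflepuff namespace`. The boolean that the old code checked with `assert.True(t, success)` is no longer inspected anywhere in this hunk, which is only safe if `kubernetes.PokeServer` now fails `t` itself when observed reachability differs from the expected flag; the helper is not visible here, so please confirm, and the same applies to the two CNPAdminTierGress hunks below. The subtests that reorder `egress-udp` through `PatchClusterNetworkPolicy` have no visible revert; if that helper does not register a `t.Cleanup` restoring `cnp`, a failure mid-subtest leaves the cluster-scoped policy reordered for the subtests that follow and for whatever runs after the suite, so a comment stating which side owns the restore would help the next reader.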
@@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
@@ -46,153 +39,102 @@ var CNPAdminTierGress = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // harry-potter-x is our client pod in gryffindor namespace // ensure egress is ALLOWED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, 
&s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) /* Second; let's test ingress works! */ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-x is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", 
"luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, 
s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 5353; egressRule at index5 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 9003; egressRule at index5 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for 
rest of the traffic; egressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) /* Second; let's test ingress works! */ // harry-potter-1 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 80; ingressRule at index5 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", + 
serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 5353; ingressRule at index5 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 9003; ingressRule at index5 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 - success = 
kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "gress-rules", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "gress-rules", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 for both ingress and egress allowOutRule := mutate.Spec.Egress[0] 
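Review bot: The six `PokeServer` calls in the "Should support an 'allow-gress' policy across different protocols" subtest (and the twelve in the "at the specified ports" subtest) differ only in client pod, protocol, port and expected flag, and the per-call comments now sit several lines away from the port they describe; a small table per direction would keep each expectation next to its protocol/port pair and make the matrix the test covers readable at a glance. The deny-gress subtest that begins at the end of this hunk continues outside it, so its patch and pokes are not reviewed here.
```go
// … unchanged: serverPod lookup for luna-lovegood-0 …
for _, tc := range []struct {
	client string
	proto  string
	port   int32
}{
	{"harry-potter-0", "tcp", 80},
	{"harry-potter-1", "udp", 53},
	{"harry-potter-0", "sctp", 9003},
} {
	kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", tc.client, tc.proto,
		serverPod.Status.PodIP, tc.port, s.TimeoutConfig, true)
}
// … unchanged: ingress half, same shape with the ravenclaw clients against harry-potter-0 …
```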
@@ -201,143 +143,98 @@ var CNPAdminTierGress = suite.ConformanceTest{ allowInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-x is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) /* Second; let's test ingress works! 
*/ // harry-potter-1 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // luna-lovegood-x is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", 
func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 53; egressRule at index3 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 53; egressRule at index3 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) /* Second; let's test ingress works! */ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - 
serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
 // draco-malfoy-1 is our client pod in slytherin namespace
 // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
- serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
 // draco-malfoy-0 is our client pod in slytherin namespace
 // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // draco-malfoy-1 is our client pod in slytherin namespace
 // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp",
+ serverPod.Status.PodIP,
int32(9005), s.TimeoutConfig, true) }) t.Run("Should support an 'pass-gress' policy across different protocols", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "gress-rules", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "gress-rules", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index2 for both ingress and egress denyOutRule := mutate.Spec.Egress[0] 
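Review bot: The new `kubernetes.PokeServer(...)` calls in this hunk discard whatever the helper returns, and the `assert.True(t, success)` that previously enforced each expectation is gone, so the `false` expectations on the deny pokes (tcp 80, udp 53, sctp 9003 from harry-potter-x and luna-lovegood-x, and the deny-at-ports pokes further down) are only checked if the helper now fails the test on its own. The helper lives in `conformance/utils/kubernetes`, which is not part of this diff; please confirm it calls `t.Fatalf`/`require.*` on a mismatch, because otherwise a DENY rule that leaks traffic would still pass conformance. If it still returns a bool, wrap each call as `require.True(t, kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false))`, which means keeping a `require` import; the same applies to the two following hunks of this file (`@@ -346,68 +243,46 @@` and `@@ -416,76 +291,59 @@`) and to the ingress-sctp file. While these lines are rewritten, the retained comments above some pokes no longer match the port poked: `// ensure egress to slytherin is DENIED from gryffindor at port 53; egressRule at index3` sits above the sctp 9003 poke, `// ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3` above the udp 53 and sctp 9003 pokes, and the PASS variants in `@@ -416,76 +291,59 @@` have the same mismatch (`at port 9003` above the tcp 80 and udp 53 pokes, `at port 80` above the sctp 9003 poke). The enclosing `Test` func starts before this hunk.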
@@ -346,68 +243,46 @@ var CNPAdminTierGress = suite.ConformanceTest{ denyInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our server pod in gryffindor namespace // ensure egress is PASSED from gryffindor to ravenclaw // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // harry-potter-0 is our server pod in gryffindor namespace // ensure egress is PASSED from gryffindor to ravenclaw // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-0 is our server pod in gryffindor namespace // ensure egress is PASSED from gryffindor to ravenclaw // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over 
ALLOW/DENY since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) /* Second; let's test ingress works! */ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is PASSED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + 
serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-gress' policy across different protocols at the specified ports", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `gress-rules` admin CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "gress-rules", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "gress-rules", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyToRule := mutate.Spec.Egress[3] 
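Review bot: The new `kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)` call rewrites the shared `gress-rules` policy (swapping index 0 and 2) right after the previous subtest swapped index 0 and 1 of the same policy, and nothing in these hunks restores the original order, so the comment's assumption about which rule is being promoted depends on a reset that is not visible here. If the helper or the suite does not already re-apply the base manifest between subtests, register a cleanup that patches the policy back, something like `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })`, so the PASS/DENY/ALLOW precedence each subtest checks does not drift with execution order; the same applies to the swaps in the preceding and following hunks. The patch is also given the Get timeout; if `TimeoutConfig` carries a dedicated write timeout, that is the one to pass. The `t.Run` closure continues past the end of this hunk.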
@@ -416,76 +291,59 @@ var CNPAdminTierGress = suite.ConformanceTest{
 denyInRule := mutate.Spec.Ingress[3]
 mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4]
 mutate.Spec.Ingress[4] = denyInRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is PASSED to slytherin at port 53; egressRule at index3 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+
kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) /* Second; let's test ingress works! 
*/ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to gryffindor at port 9003; ingressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to gryffindor at port 9003; ingressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, 
s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 // draco-malfoy-1 is our client pod in slytherin namespace
 // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
- serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
 // draco-malfoy-0 is our client pod in slytherin namespace
 // ensure ingress from slytherin is PASSED to gryffindor at port 9003; ingressRule at index3 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // draco-malfoy-1 is our client pod in slytherin namespace
 // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 },
 }
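Review bot: `serverPod` is reassigned in the ingress half of this subtest (`serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)`) after having held draco-malfoy-0 for the egress pokes, so a reader has to track which pod each later `serverPod.Status.PodIP` refers to when checking that a PASS poke targets the right side. Declaring a separate `ingressServerPod := kubernetes.GetPod(...)` and using it in the eight ingress pokes would make the direction of each poke self-evident; the same reassignment appears in the other subtests of this file that have an ingress half. The `Test` closure that encloses this subtest starts before this hunk.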
diff --git a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
index cb721439..b912e8fc 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
@@ -46,176 +39,107 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is ALLOWED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the 
specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to ravenclaw at port 9003; ingressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to ravenclaw for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), 
s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-sctp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is DENIED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, 
&s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to ravenclaw at port 9003; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to ravenclaw for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", - serverPod.Status.PodIP, int32(9005), 
s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) t.Run("Should support an 'pass-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-sctp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is PASSED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-sctp` admin CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-sctp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-sctp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = 
s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to ravenclaw at port 9003; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to ravenclaw for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go index 44e83f63..2d34dcba 100644 --- a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go 
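Review bot: Every `assert.True(t, success)` after a PokeServer call is removed in this hunk and nothing on the new side inspects a result, so the deny cases (the calls passing `false` for ports 9003 and 9005) now rely entirely on `kubernetes.PokeServer` failing `t` internally; its new signature is outside this diff, so please confirm it uses `t.Fatalf`/`require` rather than only logging, since otherwise a CNI that does not enforce the DENY rule would still pass these subtests. The same applies to the matching hunk in admin-network-policy-standard-ingress-tcp-rules.go. Separately, the 'deny-ingress' and 'pass-ingress' rule-ordering subtests patch `ingress-sctp` through `PatchClusterNetworkPolicy` and never restore the original order, so the later subtests' `GetClusterNetworkPolicy` plus index swap operate on an already-mutated policy unless the suite resets it between subtests, which is not visible here. Registering a cleanup right after the patch, along the lines of `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })`, would make each ordering assertion independent of the previous subtest.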
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 
 import (
- "context"
  "testing"
 
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
  "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
  "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
@@ -46,176 +39,107 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", 
func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 80; ingressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) 
- defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-tcp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - 
assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support an 'pass-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-tcp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is PASSED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - 
serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-tcp` admin CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-tcp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-tcp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to 
patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to gryffindor at port 9003; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go index a0d9afff..e4bcbf66 100644 --- a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go +++ b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go 
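Review bot: In the 'pass-ingress ... at the specified port' subtest the comment above the first PokeServer call says "PASSED to gryffindor at port 9003", but the new line pokes `int32(80)`, and the sibling 'deny-ingress at the specified port' subtest documents `ingressRule at index3` as the port 80 rule, so the comment appears to be carried over from the SCTP file and no longer matches the TCP code it describes. Suggest `// ensure ingress from slytherin is PASSED to gryffindor at port 80; ingressRule at index3 should take effect` so a reader checking the expected port against the `ingress-tcp` manifest is not misled. This is a comment-only change; the poke itself looks consistent with the deny/pass pair at index3.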
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 
 import (
- "context"
  "testing"
 
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
  "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
  "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
@@ -47,176 +40,107 @@ var CNPAdminTierIngressUDP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified 
port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is ALLOWED from gryffindor to hufflepuff at port 53; ingressRule at index5 - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryfindor namespace // ensure ingress is DENIED from gryffindor to hufflepuff for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() 
// This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", 
"luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to hufflepuff at port 80; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + 
kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) t.Run("Should support an 'pass-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-udp` admin CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index2 denyRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[2] mutate.Spec.Ingress[2] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is PASSED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(5353), 
s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `ingress-udp` admin CNP // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "ingress-udp", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "ingress-udp", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index3 and index4 denyRule := mutate.Spec.Ingress[3] mutate.Spec.Ingress[3] = mutate.Spec.Ingress[4] mutate.Spec.Ingress[4] = denyRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") 
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is PASSED to hufflepuff at port 5353; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/admin-network-policy-standard-integration.go b/conformance/tests/admin-network-policy-standard-integration.go index ef151337..16991371 100644 --- a/conformance/tests/admin-network-policy-standard-integration.go +++ b/conformance/tests/admin-network-policy-standard-integration.go @@ -20,9 +20,7 @@ import ( "context" "testing" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" "sigs.k8s.io/controller-runtime/pkg/client" 
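Review bot: The new `kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)` calls in the 'deny-ingress' and 'pass-ingress' ordering subtests rewrite the shared `ingress-udp` policy and nothing restores it, so later subtests in this ConformanceTest observe an already-reordered rule list (the index0/index2 swap runs on a policy whose index0/index1 were swapped moments earlier). The outcome happens to be the same either way here, but the subtests are now order-dependent through cluster state rather than independent; unless the suite re-applies the manifests between subtests (not visible here), registering `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })` right after each patch, or re-fetching and restoring the original spec, keeps each case self-contained. The same pattern appears in the priority hunk (`mutate.Spec.Priority = 40`) and the baseline named-port hunk (`mutate.Spec.Egress[3]`) further down this diff.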
@@ -47,117 +45,71 @@ var CNPAdminTierIntegration = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should Deny traffic from slytherin to gryffindor respecting admin CNP", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `pass-example` admin CNP from api_integration/standard-anp-np-banp.yaml // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress is DENIED to gryffindor from slytherin // inressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should Deny traffic to slytherin from gryffindor respecting admin CNP", func(t *testing.T) { - 
ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `pass-example` admin CNP from api_integration/standard-anp-np-banp.yaml // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is DENIED to slytherin from gryffindor // egressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support a 'pass-ingress' policy for admin CNP and respect the match for network policy", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `pass example` admin CNP from api_integration/standard-anp-np-banp.yaml // and alters the 
ingress rule action to "pass" - cnp := &api.ClusterNetworkPolicy{} - err := s.Client.Get(ctx, client.ObjectKey{ - Name: "pass-example", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "pass-example", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // change ingress rule from "deny" to "pass" mutate.Spec.Ingress[0].Action = api.ClusterNetworkPolicyRuleActionPass - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress is PASSED to gryffindor from slytherin - the underlying network policy ALLOW should take effect // inressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - 
assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-egress' policy for admin CNP and respect the match for network policy", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `pass example` admin CNP from api_integration/standard-anp-np-banp.yaml // and alters the egress rule action to "pass" - cnp := &api.ClusterNetworkPolicy{} - err := s.Client.Get(ctx, client.ObjectKey{ - Name: "pass-example", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "pass-example", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // change egress rule from "deny" to "pass" mutate.Spec.Egress[0].Action = api.ClusterNetworkPolicyRuleActionPass - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is PASSED from gryffindor to slytherin - the underlying network policy ALLOW should take effect // egressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - 
serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support a 'pass-ingress' policy for admin CNP and respect the match for baseline cluster network policy", func(t *testing.T) { 
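Review bot: With `assert.True(t, success)` folded into the helper, the trailing `false` at `kubernetes.PokeServer(..., serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)` is now the entire oracle for the deny subtests, and nothing in this hunk separates "connection blocked by policy" from "poke could not run" (exec failure, empty `serverPod.Status.PodIP`). If PokeServer (not visible here) treats any failed connect as satisfying `false`, a broken client pod or a pod without an IP passes every deny case vacuously, which is exactly the enforcement evidence this suite exists to produce. Unless GetPod already waits for an IP, a guard before the first poke, `require.NotEmpty(t, serverPod.Status.PodIP, "server pod has no IP")` (`require` is still imported in this file), catches the cheapest form of that, and the helper should fail on setup errors regardless of the expected outcome.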
@@ -174,45 +126,29 @@ var CNPAdminTierIntegration = suite.ConformanceTest{ err = s.Client.Delete(ctx, np) require.NoErrorf(t, err, "unable to delete the network policy") // harry-potter-0 is our server pod in gryffindor namespace - clientPod := &v1.Pod{} - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, clientPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + clientPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy DENY should take effect // inressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - clientPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + clientPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - clientPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + clientPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support a 'pass-egress' policy for admin CNP and respect the match for baseline cluster network policy", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP from 
api_integration/standard-anp-np-banp.yaml // draco-malfoy-0 is our server pod in slytherin namespace - clientPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, clientPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + clientPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is PASSED to gryffindor from slytherin - the underlying baseline cluster network policy DENY should take effect // egressRule at index0 will take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - clientPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + clientPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - clientPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + clientPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) }, } diff --git a/conformance/tests/admin-network-policy-standard-priority.go b/conformance/tests/admin-network-policy-standard-priority.go index 1091c66c..ceb5ca29 100644 --- a/conformance/tests/admin-network-policy-standard-priority.go +++ b/conformance/tests/admin-network-policy-standard-priority.go 
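Review bot: The new line `clientPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)` keeps the name `clientPod` for the pod the comment above calls the server pod and whose `Status.PodIP` is the poke target, while the other subtests in this file use `serverPod` for the same role; renaming it `serverPod` here and in the slytherin subtest further down the hunk removes the contradiction. This subtest also mixes the old pattern (`s.Client.Delete(ctx, np)` under the subtest-scoped `ctx`) with the new helper, which runs under its own `s.TimeoutConfig.GetTimeout`; that works, but a one-line comment on the GetPod call noting it uses a separate timeout would stop the two budgets being mistaken for one. The enclosing subtest starts before this hunk.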
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 
 import (
-	"context"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	v1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 	"sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
@@ -46,99 +39,61 @@ var CNPAdminTierPriorityField = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should Deny traffic from slytherin to gryffindor respecting admin CNP", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `priority-50-example` admin CNP; takes precedence over old-priority-60-new-priority-40-example admin CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress is DENIED to gryffindor from slytherin // inressRule at index0 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should Deny traffic to slytherin from gryffindor respecting 
admin CNP", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `priority-50-example` admin CNP; takes precedence over old-priority-60-new-priority-40-example admin CNP // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is DENIED to gryffindor from slytherin // egressRule at index0 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should respect admin CNP priority field; thus passing both ingress and egress traffic over to baseline CNP", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses 
`old-priority-60-new-priority-40-example` admin CNP - cnp := &api.ClusterNetworkPolicy{} - err := s.Client.Get(ctx, client.ObjectKey{ - Name: "old-priority-60-new-priority-40-example", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "old-priority-60-new-priority-40-example", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // change priority from 60 to 40 mutate.Spec.Priority = 40 - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy ALLOW should take effect // inressRule at index0 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // draco-malfoy-1 is our client pod in slytherin namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), 
s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // draco-malfoy-0 is our server pod in slytherin namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is PASSED to gryffindor from slytherin - the baseline cluster network policy ALLOW should take effect // egressRule at index0 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go b/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go index 387aa5e8..a2301f91 100644 
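Review bot: At `kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)` the base and the mutated policy have the same type, so swapping them compiles, and if the helper mirrors the removed `client.MergeFrom(cnp)` an inverted order would leave the priority at 60 while the subtest still expects the baseline ALLOW; a short comment on the call, `// base first, desired state second`, or a helper that takes a mutator func instead of two objects, makes the order checkable. Further down, `serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", ...)` reuses the gryffindor variable for the slytherin target while the surrounding comments still read "ensure ingress is PASSED to gryffindor", although this half exercises egress; a second variable (for example `slytherinServerPod`) and a comment stating that the remaining pokes check the egress rule would keep the two halves readable.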
--- a/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-experimental-egress-rules.go @@ -17,14 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" @@ -48,21 +42,10 @@ var CNPBaselineTierEgressNamedPort = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() dnsPortRule := mutate.Spec.Egress[3] dnsPort := "dns" 
@@ -73,21 +56,17 @@ var CNPBaselineTierEgressNamedPort = suite.ConformanceTest{
 },
 }
 mutate.Spec.Egress[3] = dnsPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the baseline cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure egress is ALLOWED to gryffindor from hufflepuff at the dns port, which is defined as UDP at port 53 in pod spec
 // modified ingressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 // ensure egress is DENIED to gryffindor from hufflepuff for rest of the traffic; egressRule at index4 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
- serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
 })
-
 },
 }
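Review bot: Every rewritten `kubernetes.PokeServer(...)` call in this hunk discards the value that the removed `assert.True(t, success)` used to check, and nothing in the diff shows the helper failing the test on its own. If `PokeServer` still returns a bool, the `false`-expectation probes — the deny-rule conformance checks, e.g. the `cedric-diggory-1` poke at port 5353 here — now pass even when the traffic is not actually blocked, which is exactly the regression a conformance suite is meant to surface. Please confirm that the helper's new `s.TimeoutConfig` signature calls `t.Errorf`/`t.Fatalf` when the observed result differs from the expected bool, or keep the result and assert it locally (`if !kubernetes.PokeServer(...) { t.Fatalf("unexpected connectivity result") }`). The same concern applies to every PokeServer rewrite in the node-peer, ingress named-port, inline-CIDR and SCTP hunks of this commit.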
@@ -100,35 +79,25 @@ var CNPBaselineTierEgressNodePeers = suite.ConformanceTest{
 },
 Manifests: []string{"base/baseline_tier/experimental-egress-selector-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // centaur-1 is our server host-networked pod in forbidden-forrest namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-forbidden-forrest",
- Name: "centaur-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-forbidden-forrest", "centaur-1", s.TimeoutConfig.GetTimeout)
 t.Run("Should support an 'allow-egress' rule policy for egress-node-peer", func(t *testing.T) {
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to forbidden-forrest from gryffindor at the s.HostNetworkPorts[0] TCP port
 // egressRule at index0 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[0]), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[1]), s.TimeoutConfig.RequestTimeout, true) // Pass rule at index2 takes effect
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[0]), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[1]), s.TimeoutConfig, true) // Pass rule at index2 takes effect
 })
+
 t.Run("Should support a 'deny-egress' rule policy for egress-node-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is DENIED to rest of the nodes from gryffindor; egressRule at index1 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[4]), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(s.HostNetworkPorts[6]), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[4]), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(s.HostNetworkPorts[6]), s.TimeoutConfig, false)
 })
 },
 }
diff --git a/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go b/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go
index e674e8a8..a5ecc981 100644
--- a/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go
+++ b/conformance/tests/baseline-admin-network-policy-experimental-ingress-rules.go
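Review bot: The second rewritten `PokeServer` call in the 'allow-egress' subtest carries its explanation as a trailing comment on the continuation line (`s.TimeoutConfig, true) // Pass rule at index2 takes effect`), whereas every other expectation in this file is introduced by a comment line above the call; because this probe uses a different client pod (`harry-potter-1`) and a different rule than the three comment lines above it describe, it reads as part of the index0 check. Move it to its own line before the call, e.g. `// harry-potter-1 is our client pod in gryffindor namespace; the Pass rule at index2 should take effect for s.HostNetworkPorts[1]`. `serverPod` is now fetched once in the outer `Test` func and shared by both subtests, which is fine as long as neither subtest is later made parallel.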
@@ -17,14 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
@@ -47,21 +41,10 @@ var CNPBaselineTierIngressNamedPort = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `default` baseline CNP
 // harry-potter-1 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "default",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 namedPortRule := mutate.Spec.Ingress[3]
 webPort := "web"
@@ -72,20 +55,16 @@ var CNPBaselineTierIngressNamedPort = suite.ConformanceTest{
 },
 }
 mutate.Spec.Ingress[3] = namedPortRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the baseline cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure ingress is ALLOWED from hufflepuff to gryffindor at at the web port, which is defined as TCP at port 80 in pod spec
 // ingressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index4 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp",
- serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
 })
-
 },
 }
diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go
index 7500a3ff..935b65a1 100644
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go
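Review bot: `kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, ...)` rewrites `Ingress[3]` of the shared `default` baseline policy and the subtest never restores it — there is no `t.Cleanup` that patches `cnp` back — so every later test that fetches `default` observes the named-port mutation rather than the manifest's rule. The removed `s.Client.Patch` had the same gap, but now that one helper owns the patch it is the natural place to register the revert, e.g. `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })` right after the call (assuming the helper's argument order is original-then-desired, as the removed `client.MergeFrom(cnp)` suggests), unless the suite already re-applies the manifests between tests. The same unrestored patch appears in the egress named-port hunk, in the inline-CIDR `append(newRule, ...)` subtest and in the SCTP rule-swap subtest of this commit.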
+++ b/conformance/tests/baseline-admin-network-policy-standard-egress-inline-cidr-rules.go
@@ -17,14 +17,9 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
 "k8s.io/utils/net"
- "sigs.k8s.io/controller-runtime/pkg/client"
 api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
@@ -45,64 +40,38 @@ var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{
 },
 Manifests: []string{"base/baseline_tier/standard-egress-inline-cidr-rules.yaml"},
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 t.Run("Should support a 'deny-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
 // harry-potter-1 is our client pod in gryffindor namespace
 // Let us pick a pod in ravenclaw namespace and try to connect, it won't work
 // ensure egress is DENIED to 0.0.0.0/0 from gryffindor; egressRule at index1 should take effect
 // luna-lovegood-0 is our server pod in ravenclaw namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // Let us pick a pod in hufflepuff namespace and try to connect, it won't work
 // ensure egress is DENIED to 0.0.0.0/0 from gryffindor; egressRule at index1 should take effect
 // cedric-diggory-0 is our server pod in hufflepuff namespace
- serverPod = &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // Let us pick a pod in slytherin namespace and try to connect, it will work since we have a higher priority allow rule
 // ensure traffic is allowed to slytherin; egressRule at index0 should take effect
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod = &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 })
 // To test allow CIDR rule, insert the following rule at index0
 //- name: "allow-egress-to-specific-podIPs"
@@ -112,23 +81,10 @@ var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{
 // - luna-lovegood-0.IP
 // - cedric-diggory-0.IP
 t.Run("Should support an 'allow-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
- serverPodRavenclaw := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-0",
- }, serverPodRavenclaw)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- serverPodHufflepuff := &v1.Pod{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-0",
- }, serverPodHufflepuff)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "default",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy")
+ serverPodRavenclaw := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
+ serverPodHufflepuff := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout)
+
 mutate := cnp.DeepCopy()
 var mask string
 if net.IsIPv4String(serverPodRavenclaw.Status.PodIP) {
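Review bot: The nine rewritten `PokeServer` calls in the 'deny-egress' subtest differ only in the server IP, the protocol/port pair and the expected bool, and the rewrite reproduces the same 18-line pattern three times; a local closure would make the per-namespace expectation (deny, deny, allow) visible at a glance and keep the protocol/port table in one place. The same triple appears twice more in the 'allow-egress' subtest of the next hunk, so one closure declared at the top of `Test` could serve both. The sketch below keeps the call signatures exactly as the commit introduces them and only factors out the repetition; `t.Helper()` keeps failure lines pointing at the `pokeAll` call site. The enclosing `Test` func continues past this hunk.
```go
// pokeAll probes ip from harry-potter-1 over tcp/80, udp/53 and sctp/9003 and
// expects every probe to be allowed (true) or denied (false).
pokeAll := func(ip string, allowed bool) {
	t.Helper()
	kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
		ip, int32(80), s.TimeoutConfig, allowed)
	kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
		ip, int32(53), s.TimeoutConfig, allowed)
	kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
		ip, int32(9003), s.TimeoutConfig, allowed)
}
serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout)
pokeAll(serverPod.Status.PodIP, false)
// … unchanged: hufflepuff and slytherin fetches, each followed by pokeAll(serverPod.Status.PodIP, false / true) …
```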
@@ -152,62 +108,43 @@ var CNPBaselineTierEgressInlineCIDRPeers = suite.ConformanceTest{
 },
 }
 mutate.Spec.Egress = append(newRule, mutate.Spec.Egress...)
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the baseline cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
+
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP
 // new egressRule at index0 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+
 // ensure other pods are still unreachable: luna-lovegood-1.IP and cedric-diggory-1.IP
 // deny at egress rule index2 should kick in
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-ravenclaw",
- Name: "luna-lovegood-1",
- }, serverPodRavenclaw)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- err = s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPodHufflepuff)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPodRavenclaw = kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout)
+ serverPodHufflepuff = kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
 // harry-potter-0 is our client pod in gryffindor namespace
 // ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP
 // new egressRule at index0 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
- serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
- serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
- serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodRavenclaw.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodRavenclaw.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodRavenclaw.Status.PodIP, int32(9003), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
+ serverPodHufflepuff.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
+ serverPodHufflepuff.Status.PodIP, int32(53), s.TimeoutConfig, false)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp",
+ serverPodHufflepuff.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 })
 },
 }
diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
index 6d9f40be..25a09cc9 100644
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/baseline-admin-network-policy-standard-egress-sctp-rules.go
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
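Review bot: The three comment lines kept above the second group of rewritten `PokeServer` calls (`// harry-potter-0 is our client pod in gryffindor namespace`, `// ensure egress is ALLOWED to luna-lovegood-0.IP and cedric-diggory-0.IP`, `// new egressRule at index0 should take effect`) now sit directly over probes that run from `harry-potter-1`, target the `luna-lovegood-1`/`cedric-diggory-1` IPs fetched two lines earlier and expect `false`; they contradict the `// ensure other pods are still unreachable` comment just above and would send a reader debugging a failed deny check to the wrong rule. Since the lines beneath them are rewritten by this commit, replace them with `// harry-potter-1 is our client pod in gryffindor namespace` and `// ensure egress is DENIED to luna-lovegood-1.IP and cedric-diggory-1.IP; deny rule at index2 should take effect`. The first comment block in the hunk has the same client-pod mismatch (`harry-potter-0` in the comment, `harry-potter-1` in every call).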
@@ -46,107 +39,66 @@ var CNPBaselineTierEgressSCTP = suite.ConformanceTest{
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `default` baseline CNP
 // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is ALLOWED to gryffindor from ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `default` baseline CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-hufflepuff",
- Name: "cedric-diggory-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress is ALLOWED to hufflepuff from ravenclaw at port 9003; egressRule at index5 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
 // ensure egress is DENIED to hufflepuff from ravenclaw for rest of the traffic; egressRule at index6 should take effect
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
 t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `default` baseline CNP
 // harry-potter-0 is our server pod in gryffindor namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-gryffindor",
- Name: "harry-potter-1",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
- cnp := &api.ClusterNetworkPolicy{}
- err = s.Client.Get(ctx, client.ObjectKey{
- Name: "default",
- }, cnp)
- require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+ cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout)
 mutate := cnp.DeepCopy()
 // swap rules at index0 and index1
 allowRule := mutate.Spec.Egress[0]
 mutate.Spec.Egress[0] = mutate.Spec.Egress[1]
 mutate.Spec.Egress[1] = allowRule
- err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp))
- require.NoErrorf(t, err, "unable to patch the baseline cluster network policy")
+ kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in gryffindor namespace
 // ensure egress is DENIED to gryffindor from ravenclaw
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
 t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
- ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
- defer cancel()
 // This test uses `default` baseline CNP
 // draco-malfoy-0 is our server pod in slytherin namespace
- serverPod := &v1.Pod{}
- err := s.Client.Get(ctx, client.ObjectKey{
- Namespace: "network-policy-conformance-slytherin",
- Name: "draco-malfoy-0",
- }, serverPod)
- require.NoErrorf(t, err, "unable to fetch the server pod")
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout)
 // luna-lovegood-0 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is DENIED from ravenclaw at port 9003; egressRule at index3 should take effect
- success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
- serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false)
 // luna-lovegood-1 is our client pod in ravenclaw namespace
 // ensure egress to slytherin is ALLOWED from ravenclaw for rest of the traffic; matches no rules hence allowed
- success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
- serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
 },
 }
diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go
index 713ee34f..6c86fe78 100644
--- a/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/baseline-admin-network-policy-standard-egress-tcp-rules.go
@@ -17,15 +17,8 @@ limitations under the License.
 package tests
 import (
- "context"
 "testing"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- v1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes"
 "sigs.k8s.io/network-policy-api/conformance/utils/suite"
 )
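Review bot: In the 'deny-egress ... rule ordering' subtest the comments kept above the rewritten `GetPod` and `PokeServer` calls contradict the code: `// harry-potter-0 is our server pod in gryffindor namespace` precedes a fetch of `harry-potter-1`, and `// luna-lovegood-0 is our client pod in gryffindor namespace` precedes a probe from `network-policy-conformance-ravenclaw`. The lines directly beneath them are rewritten by this commit, so correct them in the same change to `// harry-potter-1 is our server pod in gryffindor namespace` and `// luna-lovegood-0 is our client pod in ravenclaw namespace`. The index0/index1 swap patched in that subtest is still in place when the following 'deny-egress ... at the specified port' subtest runs; that subtest relies on `egressRule at index3`, so it is unaffected, but a one-line comment stating that the swap leaves index3 untouched would make the ordering dependency explicit.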
@@ -46,106 +39,65 @@ var CNPBaselineTierEgressTCP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t 
*testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 80; egressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() 
// This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", 
"harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + 
kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go index ca191106..818fc090 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-egress-udp-rules.go @@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
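Review bot: The comment above the first probe of the "'allow-egress' policy for TCP protocol at the specified port" subtest says egress is ALLOWED "at port 80", but the new line probes cedric-diggory-1 on TCP 8080 and it is the following DENY probe that uses port 80, so the documented expectation and the code disagree (the sibling gress-rules file documents the same index5 rule as 8080); suggest `// ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 should take effect`. Separately, every DENY expectation (`false`) is now satisfied by whatever connection failure PokeServer observes within `s.TimeoutConfig`, so a server pod that is not yet reachable would make the deny checks pass vacuously — presumably the helper asserts internally (the `assert.True` calls were dropped), but it is worth confirming it distinguishes "never reachable" from "dropped by policy" before treating a failed connect as conformance. The `CNPBaselineTierEgressTCP` declaration begins above this hunk.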
@@ -46,107 +39,66 @@ var CNPBaselineTierEgressUDP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is ALLOWED to ravenclaw from hufflepuff // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) t.Run("Should support 
an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is ALLOWED to gryffindor from hufflepuff at port 53; egressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure egress is DENIED to gryffindor from hufflepuff for rest of the traffic; egressRule at index4 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := 
context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Egress[0] mutate.Spec.Egress[0] = mutate.Spec.Egress[1] mutate.Spec.Egress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress is DENIED to ravenclaw to hufflepuff // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // cedric-diggory-1 is our client pod in hufflepuff namespace - success = 
kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress to slytherin is DENIED from hufflepuff at port 80; egressRule at index2 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - 
serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go b/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go index 78c04cdf..40b71e1e 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-gress-rules.go @@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
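Review bot: In the "'deny-egress' policy for UDP protocol; ensure rule ordering is respected" subtest the cluster-scoped `default` baseline policy is patched with its first two egress rules swapped and nothing in the hunk restores it, so unless `PatchClusterNetworkPolicy` registers a `t.Cleanup` the remaining subtest here and the TCP/gress tests that also read `default` run against a mutated object (the last subtest happens to depend only on index2, which the swap does not touch). If the helper does not restore, add `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })` immediately after the patch, re-fetching first if the helper merge-patches and would trip on the stale resourceVersion of `cnp`. The comments on the final two probes also no longer match the new lines: they say "at port 80" and "cedric-diggory-0" while the code probes UDP 5353 and uses cedric-diggory-1 for the allowed case, so they should read `at port 5353` and `cedric-diggory-1 is our client pod in hufflepuff namespace`. `CNPBaselineTierEgressUDP` is declared above this hunk.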
@@ -46,153 +39,102 @@ var CNPBaselineTierGress = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP /* First; let's test egress works! */ // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // harry-potter-x is our client pod in gryffindor namespace // ensure egress is ALLOWED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, 
s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) /* Second; let's test ingress works! */ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-x is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", 
"luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP /* First; let's test egress works! */ // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, 
success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 5353; egressRule at index5 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress is ALLOWED to hufflepuff from gryffindor at port 9003; egressRule at index5 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // harry-potter-1 is our client 
pod in gryffindor namespace // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) /* Second; let's test ingress works! */ // harry-potter-1 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 80; ingressRule at index5 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - 
assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 5353; ingressRule at index5 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 9003; ingressRule at index5 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", + serverPod.Status.PodIP, int32(9003), 
s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP /* First; let's test egress works! */ // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 for both ingress and egress allowOutRule := mutate.Spec.Egress[0] 
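Review bot: `serverPod.Status.PodIP` is passed to every probe without checking it is set, and for the DENY expectations (`false`) in the second subtest an empty or not-yet-assigned IP yields the same connection failure a dropped packet does, so those negative checks would pass against a pod that merely is not ready; unless `GetPod` already waits for a Running pod with an address, guard each fetch with `if serverPod.Status.PodIP == "" { t.Fatalf("server pod %s/%s has no IP", serverPod.Namespace, serverPod.Name) }`, including where `serverPod` is re-fetched for the ingress half. This matters more after the refactor because the probe presumably now retries up to `s.TimeoutConfig` instead of one `RequestTimeout`, so the first transient failure can end a `false` probe early with a misleading pass. `CNPBaselineTierGress` is declared above this hunk and the third subtest's body continues into the next hunk.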
@@ -201,123 +143,89 @@ var CNPBaselineTierGress = suite.ConformanceTest{ allowInRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowInRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-x is our client pod in gryffindor namespace // ensure egress is DENIED to ravenclaw from gryffindor // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) /* Second; let's test ingress works! 
*/ // harry-potter-1 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // luna-lovegood-x is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", 
func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP /* First; let's test egress works! */ // draco-malfoy-0 is our server pod in slytherin namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-slytherin", - Name: "draco-malfoy-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-slytherin", "draco-malfoy-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 53; egressRule at index3 should take effect - success = kubernetes.PokeServer(t, 
s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // harry-potter-0 is our client pod in gryffindor namespace // ensure egress to slytherin is DENIED from gryffindor at port 53; egressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, 
s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) /* Second; let's test ingress works! */ // harry-potter-0 is our server pod in gryffindor namespace - err = s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod = kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index3 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go index 0ad0e418..5924535a 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-sctp-rules.go @@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
@@ -46,106 +39,65 @@ var CNPBaselineTierIngressSCTP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is ALLOWED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the 
specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to ravenclaw at port 9003; ingressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to ravenclaw for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), 
s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-1 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is DENIED from gryffindor to ravenclaw // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // harry-potter-1 is our client pod in gryffindor namespace - success = kubernetes.PokeServer(t, s.ClientSet, 
&s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", - serverPod.Status.PodIP, int32(9005), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // luna-lovegood-0 is our server pod in ravenclaw namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-ravenclaw", - Name: "luna-lovegood-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-ravenclaw", "luna-lovegood-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to ravenclaw at port 9003; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", - serverPod.Status.PodIP, int32(9003), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", + serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to ravenclaw for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", - serverPod.Status.PodIP, int32(9005), 
s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", + serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go index db5ad421..c7b36c2a 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-tcp-rules.go @@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
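Review bot: In the 'deny-ingress ... ensure rule ordering is respected' subtest the second poke (`harry-potter-1`, port 9005, expected `false`) is preceded only by `// harry-potter-1 is our client pod in gryffindor namespace` with no statement of the expectation, unlike every other poke in this file, so the `false` argument is unexplained; add `// ensure ingress is DENIED from gryffindor to ravenclaw for rest of the traffic; ingressRule at index0 (DENY after the swap) takes precedence` above it. The CNPBaselineTierIngressTCP hunk has the same gap before its `luna-lovegood-1` poke. The enclosing `Test` func starts before this hunk.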
@@ -46,106 +39,65 @@ var CNPBaselineTierIngressTCP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", 
func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) // cedric-diggory-0 is our client pod in hufflepuff namespace // ensure ingress is ALLOWED from hufflepuff to gryffindor at port 80; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true) // cedric-diggory-1 is our client pod in hufflepuff namespace // ensure ingress is DENIED from hufflepuff to gryffindor for rest of the traffic; ingressRule at index4 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) 
- defer cancel() // This test uses `default` baseline CNP // harry-potter-1 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the baseline cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to gryffindor // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // harry-potter-0 is our server pod in gryffindor namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-gryffindor", - Name: "harry-potter-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to gryffindor at port 80; ingressRule at index2 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", - serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", + serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to gryffindor for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", - serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true) - 
assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", + serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true) }) }, } diff --git a/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go index 9d06977c..1b44f578 100644 --- a/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go +++ b/conformance/tests/baseline-admin-network-policy-standard-ingress-udp-rules.go @@ -17,15 +17,8 @@ limitations under the License. package tests import ( - "context" "testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - api "sigs.k8s.io/network-policy-api/apis/v1alpha2" "sigs.k8s.io/network-policy-api/conformance/utils/kubernetes" "sigs.k8s.io/network-policy-api/conformance/utils/suite" ) 
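Review bot: `serverPod.Status.PodIP` is passed straight to `kubernetes.PokeServer` after each `kubernetes.GetPod(...)` in this hunk, and nothing visible checks that it is non-empty; a pod that is fetched successfully but is still Pending has no PodIP, which would likely turn every poke into a connection attempt against an empty address and let the DENY cases pass vacuously. If `GetPod` does not already fail the test on an empty IP, a guard such as `if serverPod.Status.PodIP == "" { t.Fatalf("server pod %s has no IP yet", serverPod.Name) }` after each fetch would make that failure explicit; the other `GetPod` call sites in this diff have the same exposure. The enclosing `Test` func starts before this hunk.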
@@ -46,106 +39,65 @@ var CNPBaselineTierIngressUDP = suite.ConformanceTest{ Test: func(t *testing.T, s *suite.ConformanceTestSuite) { t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is ALLOWED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true) }) t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified 
port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) // harry-potter-0 is our client pod in gryffindor namespace // ensure ingress is ALLOWED from gryffindor to hufflepuff at port 53; ingressRule at index5 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true) // harry-potter-1 is our client pod in gryfindor namespace // ensure ingress is DENIED from gryffindor to hufflepuff for rest of the traffic; ingressRule at index6 should take effect - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) 
- defer cancel() // This test uses `default` baseline CNP // cedric-diggory-1 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-1", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") - cnp := &api.ClusterNetworkPolicy{} - err = s.Client.Get(ctx, client.ObjectKey{ - Name: "default", - }, cnp) - require.NoErrorf(t, err, "unable to fetch the cluster network policy") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout) + cnp := kubernetes.GetClusterNetworkPolicy(t, s.Client, "default", s.TimeoutConfig.GetTimeout) mutate := cnp.DeepCopy() // swap rules at index0 and index1 allowRule := mutate.Spec.Ingress[0] mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1] mutate.Spec.Ingress[1] = allowRule - err = s.Client.Patch(ctx, mutate, client.MergeFrom(cnp)) - require.NoErrorf(t, err, "unable to patch the baseline cluster network policy") + kubernetes.PatchClusterNetworkPolicy(t, s.Client, cnp, mutate, s.TimeoutConfig.GetTimeout) // luna-lovegood-0 is our client pod in ravenclaw namespace // ensure ingress is DENIED from ravenclaw to hufflepuff // ingressRule at index0 will take precedence over ingressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp", + serverPod.Status.PodIP, int32(53), s.TimeoutConfig, false) // luna-lovegood-1 is our client pod in ravenclaw namespace - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, 
"network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) }) t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout) - defer cancel() // This test uses `default` baseline CNP // cedric-diggory-0 is our server pod in hufflepuff namespace - serverPod := &v1.Pod{} - err := s.Client.Get(ctx, client.ObjectKey{ - Namespace: "network-policy-conformance-hufflepuff", - Name: "cedric-diggory-0", - }, serverPod) - require.NoErrorf(t, err, "unable to fetch the server pod") + serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-0", s.TimeoutConfig.GetTimeout) // draco-malfoy-0 is our client pod in slytherin namespace // ensure ingress from slytherin is DENIED to hufflepuff at port 80; ingressRule at index3 should take effect - success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", - serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false) - assert.True(t, success) + kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", + serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false) // draco-malfoy-1 is our client pod in slytherin namespace // ensure ingress from slytherin is ALLOWED to hufflepuff for rest of the traffic; matches no rules hence allowed - success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", - serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, 
true)
- assert.True(t, success)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
 })
 },
 }
diff --git a/conformance/utils/config/timeout.go b/conformance/utils/config/timeout.go
index 5420d97f..30aa6325 100644
--- a/conformance/utils/config/timeout.go
+++ b/conformance/utils/config/timeout.go
@@ -44,6 +44,14 @@ type TimeoutConfig struct {
 // RequestTimeout represents the maximum time before which the connection attempt from client to server will timeout.
 // Max value for conformant implementation: None
 RequestTimeout time.Duration
+
+ // PokeTimeout represents the maximum time to wait for PokeServer to report the expected result.
+ // Max value for conformant implementation: None
+ PokeTimeout time.Duration
+
+ // PokingInterval represents the polling interval for PokeServer retries.
+ // Max value for conformant implementation: None
+ PokeInterval time.Duration
 }
 
 // DefaultTimeoutConfig populates a TimeoutConfig with the default values.
@@ -55,6 +63,8 @@ func DefaultTimeoutConfig() TimeoutConfig {
 ManifestFetchTimeout: 10 * time.Second,
 NamespacesMustBeReady: 300 * time.Second,
 RequestTimeout: 3 * time.Second,
+ PokeTimeout: 10 * time.Second,
+ PokeInterval: 500 * time.Millisecond,
 }
 }
 
@@ -78,4 +88,10 @@ func SetupTimeoutConfig(timeoutConfig *TimeoutConfig) {
 if timeoutConfig.RequestTimeout == 0 {
 timeoutConfig.RequestTimeout = defaultTimeoutConfig.RequestTimeout
 }
+ if timeoutConfig.PokeTimeout == 0 {
+ timeoutConfig.PokeTimeout = defaultTimeoutConfig.PokeTimeout
+ }
+ if timeoutConfig.PokeInterval == 0 {
+ timeoutConfig.PokeInterval = defaultTimeoutConfig.PokeInterval
+ }
 }
diff --git a/conformance/utils/kubernetes/helper.go b/conformance/utils/kubernetes/helper.go
index 1f8f25c7..0ad57408 100644
--- a/conformance/utils/kubernetes/helper.go
+++ b/conformance/utils/kubernetes/helper.go
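Review bot: The "deny-ingress ... rule ordering" subtest swaps Ingress[0] and Ingress[1] of the shared `default` baseline policy through PatchClusterNetworkPolicy, and nothing on the new side puts the original order back, so the "deny-ingress at the specified port" subtest that follows, and any later test that reads `default`, run against the swapped policy unless the suite reapplies the manifests between tests (not visible here). Registering `t.Cleanup(func() { kubernetes.PatchClusterNetworkPolicy(t, s.Client, mutate, cnp, s.TimeoutConfig.GetTimeout) })` immediately after the patch call would restore the rule order when the subtest ends, whether it passed or failed. Because the helper now asserts internally, a restore that runs only on the happy path would be skipped on failure, which is why the cleanup hook is preferable to a trailing call.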
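Review bot: The doc comment on the new PokeInterval field names a different identifier, `PokingInterval`, so godoc and lint tooling will not treat it as the field's comment and readers may look for a field that does not exist. It should read `// PokeInterval represents the polling interval for PokeServer retries.`; the defaults hunk and the SetupTimeoutConfig hunk below already use the correct name.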
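Review bot: SetupTimeoutConfig only backfills zero values, so a user-supplied PokeInterval equal to or longer than PokeTimeout is accepted as is; require.Eventually polls on a ticker, so in that configuration the timeout effectively fires before the first tick and every PokeServer call fails without probing once, which reads as a connectivity failure rather than a configuration error. A guard after the zero checks, `if timeoutConfig.PokeInterval >= timeoutConfig.PokeTimeout { timeoutConfig.PokeInterval = defaultTimeoutConfig.PokeInterval }`, or at minimum a comment on PokeInterval stating that it must be shorter than PokeTimeout, would make the constraint explicit.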
@@ -9,9 +9,11 @@ import (
 "testing"
 "time"
 
+ "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/wait"
 k8sclient "k8s.io/client-go/kubernetes"
@@ -20,6 +22,7 @@ import (
 "k8s.io/client-go/tools/remotecommand"
 
 "sigs.k8s.io/controller-runtime/pkg/client"
+ api "sigs.k8s.io/network-policy-api/apis/v1alpha2"
 
 "sigs.k8s.io/network-policy-api/conformance/utils/config"
 )
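Review bot: `v1 "k8s.io/api/core/v1"` imports a package that is already imported two lines above as `corev1`; the compiler accepts it, but staticcheck flags duplicate imports and the file now carries two names for the same type. Drop the new alias and write GetPod's result and local in the last hunk of this file as `*corev1.Pod` and `&corev1.Pod{}`.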
@@ -60,9 +63,20 @@ func RunCommandFromPod(client k8sclient.Interface, kubeConfig *rest.Config, podN
 return stdoutB.String(), stderrB.String(), nil
 }
 
-// PokeServer is a utility function that checks if the connection from the provided clientPod in clientNamespace towards the targetHost:targetPort
+// PokeServer verifies expected connectivity. It waits for the expected result by checking the connectivity every TimeoutConfig.PokeInterval
+// and timing out after TimeoutConfig.PokeTimeout. If eventually the expected result is met, it verifies the connectivity
+// once more to rule out transient cases.
+func PokeServer(t *testing.T, client k8sclient.Interface, kubeConfig *rest.Config, clientNamespace, clientPod, protocol, targetHost string, targetPort int32, timeoutConfig config.TimeoutConfig, shouldConnect bool) {
+ require.Eventually(t, func() bool {
+ return doPokeServer(t, client, kubeConfig, clientNamespace, clientPod, protocol, targetHost, targetPort, timeoutConfig.RequestTimeout, shouldConnect)
+ }, timeoutConfig.PokeTimeout, timeoutConfig.PokeInterval)
+ success := doPokeServer(t, client, kubeConfig, clientNamespace, clientPod, protocol, targetHost, targetPort, timeoutConfig.RequestTimeout, shouldConnect)
+ assert.True(t, success)
+}
+
+// doPokeServer is a utility function that checks if the connection from the provided clientPod in clientNamespace towards the targetHost:targetPort
 // using the provided protocol can be established or not and returns the result based on if the expectation is shouldConnect or !shouldConnect
-func PokeServer(t *testing.T, client k8sclient.Interface, kubeConfig *rest.Config, clientNamespace, clientPod, protocol, targetHost string, targetPort int32, timeout time.Duration, shouldConnect bool) bool {
+func doPokeServer(t *testing.T, client k8sclient.Interface, kubeConfig *rest.Config, clientNamespace, clientPod, protocol, targetHost string, targetPort int32, timeout time.Duration, shouldConnect bool) bool {
 t.Helper()
 timeoutArg :=
fmt.Sprintf("--timeout=%v", timeout)
 protocolArg := fmt.Sprintf("--protocol=%s", protocol)
@@ -129,3 +143,33 @@ func NamespacesMustBeReady(t *testing.T, c client.Client, timeoutConfig config.T
 })
 require.NoErrorf(t, waitErr, "error waiting for %s namespaces to be ready", strings.Join(namespaces, ", "))
 }
+
+func GetPod(t *testing.T, c client.Client, namespace string, name string, timeout time.Duration) *v1.Pod {
+ pod := &v1.Pod{}
+ ctx, cancel := context.WithTimeout(context.Background(), timeout)
+ defer cancel()
+ err := c.Get(ctx, client.ObjectKey{
+ Namespace: namespace,
+ Name: name,
+ }, pod)
+ require.NoErrorf(t, err, "unable to fetch pod %s/%s", namespace, name)
+ return pod
+}
+
+func GetClusterNetworkPolicy(t *testing.T, c client.Client, name string, timeout time.Duration) *api.ClusterNetworkPolicy {
+ cnp := &api.ClusterNetworkPolicy{}
+ ctx, cancel := context.WithTimeout(context.Background(), timeout)
+ defer cancel()
+ err := c.Get(ctx, client.ObjectKey{
+ Name: name,
+ }, cnp)
+ require.NoErrorf(t, err, "unable to fetch cluster network policy %s", name)
+ return cnp
+}
+
+func PatchClusterNetworkPolicy(t *testing.T, c client.Client, from *api.ClusterNetworkPolicy, to *api.ClusterNetworkPolicy, timeout time.Duration) {
+ ctx, cancel := context.WithTimeout(context.Background(), timeout)
+ defer cancel()
+ err := c.Patch(ctx, to, client.MergeFrom(from))
+ require.NoErrorf(t, err, "unable to patch cluster network policy %s", from.Name)
+}
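Review bot: require.Eventually evaluates its condition on a goroutine it spawns, so doPokeServer and the `t` it receives run off the test goroutine inside PokeServer; doPokeServer's body continues outside the hunk, and if it reports through require or t.Fatal there, that is a FailNow from a non-test goroutine, which the testing package does not support. Keeping doPokeServer limited to t.Helper/t.Logf and the bool return, with all assertions left in PokeServer, avoids that. The final `assert.True(t, success)` also carries no context; `assert.Truef(t, success, "connectivity %s/%s -> %s:%d did not match shouldConnect=%v", clientNamespace, clientPod, targetHost, targetPort, shouldConnect)` names the probe that failed. For a deny expectation the one confirming probe is a weak signal, since any unrelated timeout also reads as denied; the doc comment could say so rather than implying transient cases are ruled out.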
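Review bot: GetPod, GetClusterNetworkPolicy and PatchClusterNetworkPolicy are exported but have no doc comment and do not call `t.Helper()`, so a require failure inside them is attributed to the helper's line instead of the test that called it, unlike doPokeServer in this same file. Add `t.Helper()` as the first statement of each, and a comment per function along the lines of `// GetPod fetches the pod namespace/name within timeout and fails the test if it cannot be retrieved.`, `// GetClusterNetworkPolicy fetches the named ClusterNetworkPolicy within timeout and fails the test if it cannot be retrieved.` and `// PatchClusterNetworkPolicy applies a merge patch that moves from to to and fails the test if the patch is rejected.`. The `*v1.Pod` type in GetPod relies on the duplicate alias raised in the import hunk.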