From 33ce7496ecf7a8dce38b92a0938c2ff4263a9c2d Mon Sep 17 00:00:00 2001
From: Anvesh J
Date: Sun, 22 Dec 2024 17:31:08 +0530
Subject: [PATCH] cnf-network: add multi-netpolicy tests for ipvlan cni
---
 .../tests/multinetpolicy_bondoversriov.go | 2 +-
 .../policy/tests/multinetpolicy_ipvlan.go | 589 ++++++++++++++++++
 2 files changed, 590 insertions(+), 1 deletion(-)
 create mode 100644 tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go
diff --git a/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go b/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go
index fef019da6..99c6ed77f 100644
--- a/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go
+++ b/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go
@@ -550,7 +550,7 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr
 Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
 _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", "policy-ns1").
- WithNetwork("policy-ns1/bond,policy-ns2/bond").
+ WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)).
 WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
 WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
 WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
diff --git a/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go b/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go
new file mode 100644
index 000000000..5532a438d
--- /dev/null
+++ b/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go
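Review bot: The namespace argument on the context line just above the changed line, `NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", "policy-ns1")`, is still a string literal even though this change switches the network string to the `testNs1`/`testNs2` constants; for the same reason it should read `NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", testNs1)`. The new multinetpolicy_ipvlan.go repeats the identical literal in its "Ingress & Egress - Peer and Ports" case, so both places would go together. The enclosing It block starts and ends outside the hunk.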
@@ -0,0 +1,589 @@
+package tests
+
+import (
+ "fmt"
+ "time"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ . "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netinittools"
+
+ multinetpolicyapiv1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
+ "github.com/openshift-kni/eco-goinfra/pkg/nad"
+ "github.com/openshift-kni/eco-goinfra/pkg/namespace"
+ "github.com/openshift-kni/eco-goinfra/pkg/networkpolicy"
+ "github.com/openshift-kni/eco-goinfra/pkg/nodes"
+ "github.com/openshift-kni/eco-goinfra/pkg/pod"
+ "github.com/openshift-kni/eco-goinfra/pkg/reportxml"
+ "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netenv"
+ "github.com/openshift-kni/eco-gotests/tests/internal/params"
+ "gopkg.in/k8snetworkplumbingwg/multus-cni.v4/pkg/types"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
+)
+
+var _ = Describe("Multi-NetworkPolicy : IPVLAN CNI", Ordered, Label("ipvlancni"), ContinueOnFailure, func() {
+
+ var (
+ sriovInterfacesUnderTest []string
+ tNs1, tNs2 *namespace.Builder
+ testPod1, testPod2, testPod3, testPod4, testPod5 *pod.Builder
+ ports = []string{"5001", "5002", "5003"}
+ protocols = []string{"tcp", "tcp", "udp"}
+ allOpen = map[string]string{"5001": "pass", "5002": "pass", "5003": "pass"}
+ allClose = map[string]string{"5001": "fail", "5002": "fail", "5003": "fail"}
+ p5001Open = map[string]string{"5001": "pass", "5002": "fail", "5003": "fail"}
+ p5001p5002Open = map[string]string{"5001": "pass", "5002": "pass", "5003": "fail"}
+ )
+
+ const (
+ testNs1, testNs2 = "policy-ns1", "policy-ns2"
+ pod1, pod2, pod3, pod4, pod5 = "pod1", "pod2", "pod3", "pod4", "pod5"
+ )
+
+ testData := podsData{
+ "pod1": {IPv4: "192.168.10.10/24", IPv6: "2001:0:0:1::10/64", Protocols: protocols, Ports: ports},
+ "pod2": {IPv4: "192.168.10.11/24", IPv6: "2001:0:0:1::11/64", Protocols: protocols, Ports: ports},
+ "pod3": {IPv4: "192.168.10.12/24", IPv6: "2001:0:0:1::12/64", Protocols: protocols, Ports: ports},
+ "pod4": {IPv4: "192.168.20.11/24", IPv6: "2001:0:0:2::11/64", Protocols: protocols, Ports: ports},
+ "pod5": {IPv4: "192.168.20.12/24", IPv6: "2001:0:0:2::12/64", Protocols: protocols, Ports: ports},
+ }
+
+ BeforeAll(func() {
+ By("Verifying if Multi-NetPolicy tests can be executed on given cluster")
+ err := netenv.DoesClusterHasEnoughNodes(APIClient, NetConfig, 1, 1)
+ Expect(err).ToNot(HaveOccurred(),
+ "Cluster doesn't support Multi-NetPolicy test cases as it doesn't have enough nodes")
+
+ By("Listing Worker nodes")
+ workerNodeList, err := nodes.List(
+ APIClient, metav1.ListOptions{LabelSelector: labels.Set(NetConfig.WorkerLabelMap).String()})
+ Expect(err).ToNot(HaveOccurred(), "Failed to list worker nodes")
+
+ By("Fetching SR-IOV interfaces from ENV VAR to use them as master interfaces for ipvlan")
+ sriovInterfacesUnderTest, err = NetConfig.GetSriovInterfaces(2)
+ Expect(err).ToNot(HaveOccurred(), "Failed to retrieve SR-IOV interfaces for testing")
+
+ By("Enable MultiNetworkPolicy support")
+ enableMultiNetworkPolicy(true)
+
+ By("Deploy Test Resources: 2 Namespaces")
+ tNs1, err = namespace.NewBuilder(APIClient, testNs1).WithMultipleLabels(params.PrivilegedNSLabels).
+ WithLabel("ns", "ns1").Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace")
+ tNs2, err = namespace.NewBuilder(APIClient, testNs2).WithMultipleLabels(params.PrivilegedNSLabels).
+ WithLabel("ns", "ns2").Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace")
+
+ By("Deploy Test Resources: 2 NADs for IPVLAN CNI")
+ defineAndCreateIpvlanNAD("ipvlan", testNs1, sriovInterfacesUnderTest[0])
+ defineAndCreateIpvlanNAD("ipvlan", testNs2, sriovInterfacesUnderTest[1])
+
+ By("Deploy Test Resources: 5 Pods")
+ testPod1 = defineAndCreatePodWithIpvlanIf(pod1, testNs1, workerNodeList[0].Object.Name, testData)
+ testPod2 = defineAndCreatePodWithIpvlanIf(pod2, testNs1, workerNodeList[0].Object.Name, testData)
+ testPod3 = defineAndCreatePodWithIpvlanIf(pod3, testNs1, workerNodeList[0].Object.Name, testData)
+ testPod4 = defineAndCreatePodWithIpvlanIf(pod4, testNs2, workerNodeList[0].Object.Name, testData)
+ testPod5 = defineAndCreatePodWithIpvlanIf(pod5, testNs2, workerNodeList[0].Object.Name, testData)
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ AfterEach(func() {
+ err := tNs1.CleanObjects(1*time.Minute, networkpolicy.GetMultiNetworkGVR())
+ Expect(err).ToNot(HaveOccurred(), "failed to clean Multi-NetworkPolicies in test namespace")
+ })
+
+ AfterAll(func() {
+ By("Delete test namespace")
+ err := tNs1.Delete()
+ Expect(err).ToNot(HaveOccurred(), "Failed to delete test namespace")
+ err = tNs2.Delete()
+ Expect(err).ToNot(HaveOccurred(), "Failed to delete test namespace")
+ })
+
+ It("Egress - block all", reportxml.ID("77467"), func() {
+
+ By("Create Multi Network Policy")
+ _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-deny", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod1, testPod2, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod5, allClose, allClose, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Egress - allow all", reportxml.ID("77474"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-allow", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Egress - podSelector - NonExistent Label", reportxml.ID("77473"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "none"}}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-podsel-nonexist", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod1, testPod2, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod5, allClose, allClose, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Egress - namespaceSelector - NonExistent Label", reportxml.ID("77472"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPeerNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"ns": "none"}}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-nssel-nonexist", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod1, testPod2, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod5, allClose, allClose, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Egress - Pod and/or Namespace Selector", reportxml.ID("77477"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}},
+ metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}).
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-pod-ns-selector", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. Only pod2 and pod4 should be accessible on all ports")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allClose, allClose, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Egress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77475"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPortAndProtocol(5001, "TCP").
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::12/128"}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-ipv4v6-port", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. " +
+ "Pod2 tcp port 5001 should be accessible over IPv4." +
+ "Pod4 tcp port 5001 should be accessible over IPv6")
+
+ verifyPaths(testPod1, testPod2, p5001Open, allClose, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allClose, p5001Open, testData)
+ verifyPaths(testPod1, testPod5, allClose, allClose, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Ingress - block all", reportxml.ID("77486"), func() {
+
+ By("Create Multi Network Policy")
+ _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-deny", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+
+ It("Ingress - allow all", reportxml.ID("77485"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-allow", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allOpen, allOpen, testData)
+ })
+
+ It("Ingress - podSelector - NonExistent Label", reportxml.ID("77484"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "none"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-podsel-nonexist", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+
+ It("Ingress - namespaceSelector - NonExistent Label", reportxml.ID("77483"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"ns": "none"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-nssel-nonexist", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+
+ It("Ingress - Pod and/or Namespace Selector", reportxml.ID("77481"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}},
+ metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}).
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-pod-ns-selector", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. Only pod2 and pod4 can access pod1 on all ports")
+
+ verifyPaths(testPod2, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, allOpen, allOpen, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+
+ It("Ingress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77479"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPortAndProtocol(5001, "TCP").
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::12/128"}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-ipv4v6-port", testNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod3, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod4, allOpen, allOpen, testData)
+ verifyPaths(testPod1, testPod5, allOpen, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. " +
+ "Pod2 can access tcp port 5001 of pod1 over IPv4." +
+ "Pod4 can access tcp port 5001 of pod4 over IPv6")
+
+ verifyPaths(testPod2, testPod1, p5001Open, allClose, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, allClose, p5001Open, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+
+ It("Ingress & Egress - Peer and Ports", reportxml.ID("77487"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::11/128"}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}},
+ metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}).
+ WithProtocol("TCP").
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", "policy-ns1").
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", testNs1, testNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithIngressRule(*testIngressRule).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other 4 pods. Only Pod5 ports should be accessible over IPv6")
+
+ verifyPaths(testPod1, testPod2, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod3, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod4, allClose, allClose, testData)
+ verifyPaths(testPod1, testPod5, allClose, allOpen, testData)
+
+ By("Check ingress traffic to pod1 from other 4 pods. " +
+ "Pod2 can access tcp ports 5001 & 5002 of pod1 over IPv4. " +
+ "Pod4 can access tcp ports 5001 & 5002 of pod1 over both IPv4 & IPv6")
+
+ verifyPaths(testPod2, testPod1, p5001p5002Open, allClose, testData)
+ verifyPaths(testPod3, testPod1, allClose, allClose, testData)
+ verifyPaths(testPod4, testPod1, p5001p5002Open, p5001p5002Open, testData)
+ verifyPaths(testPod5, testPod1, allClose, allClose, testData)
+ })
+})
+
+func defineAndCreateIpvlanNAD(nadName, nsName, masterIf string) {
+ config, err := nad.NewMasterIPVlanPlugin("ipvlan").
+ WithMasterInterface(masterIf).
+ WithIPAM(&nad.IPAM{
+ Type: "static",
+ Routes: []nad.Routes{{Dst: "192.168.0.0/16"}, {Dst: "2001::0/62"}},
+ }).GetMasterPluginConfig()
+ Expect(err).ToNot(HaveOccurred(), "Failed to get master ipvlan plugin config")
+
+ _, err = nad.NewBuilder(APIClient, nadName, nsName).WithMasterPlugin(config).Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create net-attach-def")
+}
+
+func defineAndCreatePodWithIpvlanIf(
+ podName, nsName, nodeName string, testData podsData) *pod.Builder {
+ var rootUser int64
+
+ securityContext := corev1.SecurityContext{
+ RunAsUser: &rootUser,
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"IPC_LOCK", "SYS_RESOURCE", "NET_RAW", "NET_ADMIN"},
+ },
+ }
+
+ netAnnotation := []*types.NetworkSelectionElement{
+ {
+ Name: "ipvlan",
+ InterfaceRequest: "ipvlan1",
+ IPRequest: []string{testData[podName].IPv4, testData[podName].IPv6},
+ },
+ }
+
+ tPodBuilder := pod.NewBuilder(APIClient, podName, nsName, NetConfig.CnfNetTestContainer).
+ WithNodeSelector(map[string]string{"kubernetes.io/hostname": nodeName}).
+ WithSecondaryNetwork(netAnnotation).
+ WithPrivilegedFlag().
+ WithLabel("app", podName)
+
+ for index := range len(testData[podName].Protocols) {
+ containerBuilder, err := pod.NewContainerBuilder(testData[podName].Protocols[index]+testData[podName].Ports[index],
+ NetConfig.CnfNetTestContainer,
+ []string{"/bin/bash", "-c", fmt.Sprintf("testcmd -listen -interface ipvlan1 -protocol %s -port %s",
+ testData[podName].Protocols[index], testData[podName].Ports[index])}).
+ WithSecurityContext(&securityContext).
+ GetContainerCfg()
+ Expect(err).ToNot(HaveOccurred(), "Failed to get container config")
+
+ if index == 0 {
+ tPodBuilder.RedefineDefaultContainer(*containerBuilder)
+ } else {
+ tPodBuilder.WithAdditionalContainer(containerBuilder)
+ }
+ }
+
+ tPod, err := tPodBuilder.CreateAndWaitUntilRunning(1 * time.Minute)
+ Expect(err).ToNot(HaveOccurred(), "Failed to create test pod")
+
+ return tPod
+}
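Review bot: The `By` text in the "Ingress - IPBlock IPv4 and IPv6 and Ports" case reads `"Pod4 can access tcp port 5001 of pod4 over IPv6"` while the verifyPaths call under it checks the path from pod4 to pod1, so it should say `"Pod4 can access tcp port 5001 of pod1 over IPv6"`, matching the IPv4 sentence before it. In defineAndCreatePodWithIpvlanIf the containers run as UID 0 (rootUser is the zero value) with IPC_LOCK, SYS_RESOURCE, NET_RAW and NET_ADMIN added, and the pod is also built with WithPrivilegedFlag(), which—assuming it sets privileged on the containers—already implies every capability, so one of the two grants is redundant; a one-line comment on securityContext stating which grant `testcmd -listen` actually needs would either justify keeping both or let the privileged flag go. defineAndCreateIpvlanNAD accepts nadName but fixes the plugin name with `nad.NewMasterIPVlanPlugin("ipvlan")`, and the pod annotation likewise hard-codes `Name: "ipvlan"`, so the parameter promises more generality than the helper delivers; passing nadName through (or dropping the parameter) would make the contract match the signature.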