From aad69cc36acb34cb544c4f92d1a7579c1031d3f2 Mon Sep 17 00:00:00 2001
From: Anvesh J
Date: Sun, 22 Dec 2024 17:31:08 +0530
Subject: [PATCH] cnf-network: add multi-netpolicy tests for ipvlan cni
---
.../policy/internal/tsparams/consts.go | 4 +
.../policy/internal/tsparams/policyvars.go | 28 +
tests/cnf/core/network/policy/tests/common.go | 99 +++
.../tests/multinetpolicy_bondoversriov.go | 427 +++++--------
.../policy/tests/multinetpolicy_ipvlan.go | 576 ++++++++++++++++++
5 files changed, 865 insertions(+), 269 deletions(-)
create mode 100644 tests/cnf/core/network/policy/tests/common.go
create mode 100644 tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go
diff --git a/tests/cnf/core/network/policy/internal/tsparams/consts.go b/tests/cnf/core/network/policy/internal/tsparams/consts.go
index b7ce91bae..4ab623f92 100644
--- a/tests/cnf/core/network/policy/internal/tsparams/consts.go
+++ b/tests/cnf/core/network/policy/internal/tsparams/consts.go
@@ -5,4 +5,8 @@ const (
 LabelSuite = "policy"
 // TestNamespaceName policy namespace where all test cases are performed.
 TestNamespaceName = "policy-tests"
+ // MultiNetPolNs1 policy namespace where all test cases are performed.
+ MultiNetPolNs1 = "policy-ns1"
+ // MultiNetPolNs2 policy namespace where all test cases are performed.
+ MultiNetPolNs2 = "policy-ns2"
 )
diff --git a/tests/cnf/core/network/policy/internal/tsparams/policyvars.go b/tests/cnf/core/network/policy/internal/tsparams/policyvars.go
index c7b2ebabe..cd0959955 100644
--- a/tests/cnf/core/network/policy/internal/tsparams/policyvars.go
+++ b/tests/cnf/core/network/policy/internal/tsparams/policyvars.go
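Review bot: The doc comments on the two added constants are copied verbatim from `TestNamespaceName` and say each one is the namespace "where all test cases are performed", which cannot hold for three different namespaces. Describe the actual role instead, e.g. `// MultiNetPolNs1 is the first of the two namespaces the multi-network-policy tests deploy pods into.` and the matching sentence for `MultiNetPolNs2`. The enclosing `const (` block starts before this hunk.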
@@ -47,4 +47,32 @@ var (
 WaitTrafficTimeout = 1 * time.Minute
 // RetryTrafficInterval represents retry interval for the traffic Eventually functions.
 RetryTrafficInterval = 20 * time.Second
+ // AllOpen represents that ports 5001,5002,5003 to be open.
+ AllOpen = map[string]string{"5001": "pass", "5002": "pass", "5003": "pass"}
+ // AllClose represents that ports 5001,5002,5003 to be close.
+ AllClose = map[string]string{"5001": "fail", "5002": "fail", "5003": "fail"}
+ // P5001Open represents that port 5001 to be open and 5002-3 to be closed.
+ P5001Open = map[string]string{"5001": "pass", "5002": "fail", "5003": "fail"}
+ // P5001p5002Open represents that port 5001 & 5002 to be open and 5003 to be closed.
+ P5001p5002Open = map[string]string{"5001": "pass", "5002": "pass", "5003": "fail"}
+ // Protocols indicates list of protocols used in policy tests.
+ Protocols = []string{"tcp", "tcp", "udp"}
+ // Ports indicates list of ports used in policy tests.
+ Ports = []string{"5001", "5002", "5003"}
+ // TestData represents test resource data for policy tests.
+ TestData = PodsData{
+ "pod1": {IPv4: "192.168.10.10/24", IPv6: "2001:0:0:1::10/64", Protocols: Protocols, Ports: Ports},
+ "pod2": {IPv4: "192.168.10.11/24", IPv6: "2001:0:0:1::11/64", Protocols: Protocols, Ports: Ports},
+ "pod3": {IPv4: "192.168.10.12/24", IPv6: "2001:0:0:1::12/64", Protocols: Protocols, Ports: Ports},
+ "pod4": {IPv4: "192.168.20.11/24", IPv6: "2001:0:0:2::11/64", Protocols: Protocols, Ports: Ports},
+ "pod5": {IPv4: "192.168.20.12/24", IPv6: "2001:0:0:2::12/64", Protocols: Protocols, Ports: Ports},
+ }
 )
+
+// PodsData contains test pods data used for policy tests.
+type PodsData map[string]struct {
+ IPv4 string
+ IPv6 string
+ Protocols []string
+ Ports []string
+}
diff --git a/tests/cnf/core/network/policy/tests/common.go b/tests/cnf/core/network/policy/tests/common.go
new file mode 100644
index 000000000..510ff11cd
--- /dev/null
+++ b/tests/cnf/core/network/policy/tests/common.go
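Review bot: `PodsData` maps to an anonymous struct, so a single pod's record has no nameable type and callers can only build entries inside a `PodsData` literal; a named element type keeps the map shape and the existing literals compile unchanged, `type PodData struct { IPv4, IPv6 string; Protocols, Ports []string }` together with `type PodsData map[string]PodData`. `Protocols` and `Ports` are index-aligned parallel slices (`"tcp"` pairs with `"5001"`, `"udp"` with `"5003"`) but neither comment says so; a one-liner such as `// Protocols[i] is the protocol of Ports[i]; both slices must stay the same length.` would keep future edits in step. These exported maps and slices are also mutable package state shared by every suite in the package, so a spec that changes an entry in place would silently alter the expectations of later specs; the comments should state that they are read-only by convention. The enclosing `var (` block starts before this hunk.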
@@ -0,0 +1,99 @@ +package tests + +import ( + "encoding/xml" + "fmt" + "net" + "strings" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/openshift-kni/eco-goinfra/pkg/pod" + "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/policy/internal/tsparams" +) + +func verifyPaths( + sPod, dPod *pod.Builder, + ipv4ExpectedResult, ipv6ExpectedResult map[string]string, + testData tsparams.PodsData, +) { + By("Deriving applicable paths between given source and destination pods") + runNmapAndValidateResults(sPod, testData[sPod.Object.Name].IPv4, + testData[dPod.Object.Name].Protocols, testData[dPod.Object.Name].Ports, + strings.Split(testData[dPod.Object.Name].IPv4, "/")[0], ipv4ExpectedResult) + runNmapAndValidateResults(sPod, testData[sPod.Object.Name].IPv6, + testData[dPod.Object.Name].Protocols, testData[dPod.Object.Name].Ports, + strings.Split(testData[dPod.Object.Name].IPv6, "/")[0], ipv6ExpectedResult) +} + +func runNmapAndValidateResults( + sPod *pod.Builder, + sourceIP string, + protocols []string, + ports []string, + targetIP string, + expectedResult map[string]string) { + // NmapXML defines the structure nmap command output in xml. 
+ type NmapXML struct { + XMLName xml.Name `xml:"nmaprun"` + Text string `xml:",chardata"` + Host struct { + Text string `xml:",chardata"` + Status struct { + Text string `xml:",chardata"` + State string `xml:"state,attr"` + } `xml:"status"` + Address []struct { + Text string `xml:",chardata"` + Addr string `xml:"addr,attr"` + Addrtype string `xml:"addrtype,attr"` + } `xml:"address"` + Ports struct { + Text string `xml:",chardata"` + Port []struct { + Text string `xml:",chardata"` + Protocol string `xml:"protocol,attr"` + Portid string `xml:"portid,attr"` + State struct { + Text string `xml:",chardata"` + State string `xml:"state,attr"` + } `xml:"state"` + } `xml:"port"` + } `xml:"ports"` + } `xml:"host"` + } + + By("Running nmap command in source pod") + + var nmapOutput NmapXML + + nmapCmd := fmt.Sprintf("nmap -v -oX - -sT -sU -p T:5001,T:5002,U:5003 %s", targetIP) + + if net.ParseIP(targetIP).To4() == nil { + nmapCmd += " -6" + } + + output, err := sPod.ExecCommand([]string{"/bin/bash", "-c", nmapCmd}) + Expect(err).NotTo(HaveOccurred(), "Failed to execute nmap command in source pod") + + err = xml.Unmarshal(output.Bytes(), &nmapOutput) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Failed to unmarshal nmap output: %s", output.String())) + + By("Verifying nmap output is matching with expected results") + Expect(len(nmapOutput.Host.Ports.Port)).To(Equal(len(ports)), + fmt.Sprintf("number of ports in nmap output as expected. Nmap XML output: %v", nmapOutput.Host.Ports.Port)) + + for index := range len(nmapOutput.Host.Ports.Port) { + if expectedResult[nmapOutput.Host.Ports.Port[index].Portid] == "pass" { + By(fmt.Sprintf("Path %s/%s =====> %s:%s:%s Expected to Pass\n", + sPod.Object.Name, sourceIP, targetIP, protocols[index], ports[index])) + Expect(nmapOutput.Host.Ports.Port[index].State.State).To(Equal("open"), + fmt.Sprintf("Port is not open as expected. 
Output: %v", nmapOutput.Host.Ports.Port[index])) + } else { + By(fmt.Sprintf("Path %s/%s =====> %s:%s:%s Expected to Fail\n", + sPod.Object.Name, sourceIP, targetIP, protocols[index], ports[index])) + Expect(nmapOutput.Host.Ports.Port[index].State.State).To(SatisfyAny(Equal("open|filtered"), Equal("filtered")), + fmt.Sprintf("Port is not filtered as expected. Output: %v", nmapOutput.Host.Ports.Port[index])) + } + } +} diff --git a/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go b/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go index fef019da6..dc1fa5dbd 100644 --- a/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go +++ b/tests/cnf/core/network/policy/tests/multinetpolicy_bondoversriov.go @@ -1,10 +1,7 @@ package tests import ( - "encoding/xml" "fmt" - "net" - "strings" "time" . "github.com/onsi/ginkgo/v2" 
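Review bot: `runNmapAndValidateResults` accepts `protocols` and `ports` but the scan it runs hard-codes `-p T:5001,T:5002,U:5003`, so the arguments only affect the log messages while the verification loop assumes nmap reports exactly those three ports in the caller's order; if a caller ever passes different ports the length check fails or the positional `protocols[index], ports[index]` text no longer describes the port being checked. The `net.ParseIP(targetIP).To4() == nil` test also treats an unparsable target the same as an IPv6 address and still runs the scan, rather than failing the spec with a clear message. Finally the command is wrapped in `/bin/bash -c` with the target interpolated into the string; since `ExecCommand` already takes a `[]string`, passing nmap and its arguments directly removes the shell layer entirely (assuming the slice is passed through as the exec argv, which the `/bin/bash -c` form suggests). Below is a rewrite of the command-building part of the function; the `NmapXML` type above it and the unmarshal/verification loop below it are unchanged.
```go
	By("Running nmap command in source pod")

	Expect(len(protocols)).To(Equal(len(ports)), "protocols and ports must be index-aligned")

	parsedTarget := net.ParseIP(targetIP)
	Expect(parsedTarget).NotTo(BeNil(), fmt.Sprintf("target %q is not a valid IP address", targetIP))

	// Derive the port spec from the caller's lists so the scan covers exactly
	// the ports the verification loop below checks.
	portSpecs := make([]string, 0, len(ports))
	for index, protocol := range protocols {
		portSpecs = append(portSpecs, fmt.Sprintf("%s:%s", strings.ToUpper(protocol[:1]), ports[index]))
	}

	// Pass argv directly instead of "/bin/bash -c"; the target is never shell-interpreted.
	nmapCmd := []string{"nmap", "-v", "-oX", "-", "-sT", "-sU", "-p", strings.Join(portSpecs, ","), targetIP}
	if parsedTarget.To4() == nil {
		nmapCmd = append(nmapCmd, "-6")
	}

	output, err := sPod.ExecCommand(nmapCmd)
	// … unchanged: XML unmarshal of output and per-port state verification …
```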
@@ -29,42 +26,20 @@ import ( "k8s.io/apimachinery/pkg/labels" ) -type podsData map[string]struct { - IPv4 string - IPv6 string - Protocols []string - Ports []string -} - var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversriov"), ContinueOnFailure, func() { var ( sriovInterfacesUnderTest []string tNs1, tNs2 *namespace.Builder testPod1, testPod2, testPod3, testPod4, testPod5 *pod.Builder - ports = []string{"5001", "5002", "5003"} - protocols = []string{"tcp", "tcp", "udp"} - allOpen = map[string]string{"5001": "pass", "5002": "pass", "5003": "pass"} - allClose = map[string]string{"5001": "fail", "5002": "fail", "5003": "fail"} - p5001Open = map[string]string{"5001": "pass", "5002": "fail", "5003": "fail"} - p5001p5002Open = map[string]string{"5001": "pass", "5002": "pass", "5003": "fail"} ) const ( - testNs1, testNs2 = "policy-ns1", "policy-ns2" nicPf1, nicPf2 = "pf1", "pf2" ns1, ns2 = "ns1", "ns2" pod1, pod2, pod3, pod4, pod5 = "pod1", "pod2", "pod3", "pod4", "pod5" ) - testData := podsData{ - "pod1": {IPv4: "192.168.10.10/24", IPv6: "2001:0:0:1::10/64", Protocols: protocols, Ports: ports}, - "pod2": {IPv4: "192.168.10.11/24", IPv6: "2001:0:0:1::11/64", Protocols: protocols, Ports: ports}, - "pod3": {IPv4: "192.168.10.12/24", IPv6: "2001:0:0:1::12/64", Protocols: protocols, Ports: ports}, - "pod4": {IPv4: "192.168.20.11/24", IPv6: "2001:0:0:2::11/64", Protocols: protocols, Ports: ports}, - "pod5": {IPv4: "192.168.20.12/24", IPv6: "2001:0:0:2::12/64", Protocols: protocols, Ports: ports}, - } - BeforeAll(func() { By("Verifying if Multi-NetPolicy tests can be executed on given cluster") err := netenv.DoesClusterHasEnoughNodes(APIClient, NetConfig, 1, 1) 
@@ -84,10 +59,10 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr enableMultiNetworkPolicy(true) By("Deploy Test Resources: 2 Namespaces") - tNs1, err = namespace.NewBuilder(APIClient, testNs1).WithMultipleLabels(params.PrivilegedNSLabels). + tNs1, err = namespace.NewBuilder(APIClient, tsparams.MultiNetPolNs1).WithMultipleLabels(params.PrivilegedNSLabels). WithLabel("ns", "ns1").Create() Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace") - tNs2, err = namespace.NewBuilder(APIClient, testNs2).WithMultipleLabels(params.PrivilegedNSLabels). + tNs2, err = namespace.NewBuilder(APIClient, tsparams.MultiNetPolNs2).WithMultipleLabels(params.PrivilegedNSLabels). WithLabel("ns", "ns2").Create() Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace") 
@@ -107,44 +82,44 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr Expect(err).ToNot(HaveOccurred(), "Failed to create test policy") By("Deploy Test Resources: 4 Sriov Networks") - defineAndCreateSriovNetwork(ns1+nicPf1, nicPf1, testNs1) - defineAndCreateSriovNetwork(ns1+nicPf2, nicPf2, testNs1) - defineAndCreateSriovNetwork(ns2+nicPf1, nicPf1, testNs2) - defineAndCreateSriovNetwork(ns2+nicPf2, nicPf2, testNs2) + defineAndCreateSriovNetwork(ns1+nicPf1, nicPf1, tsparams.MultiNetPolNs1) + defineAndCreateSriovNetwork(ns1+nicPf2, nicPf2, tsparams.MultiNetPolNs1) + defineAndCreateSriovNetwork(ns2+nicPf1, nicPf1, tsparams.MultiNetPolNs2) + defineAndCreateSriovNetwork(ns2+nicPf2, nicPf2, tsparams.MultiNetPolNs2) err = netenv.WaitForSriovAndMCPStable(APIClient, tsparams.MCOWaitTimeout, 10*time.Second, NetConfig.CnfMcpLabel, NetConfig.SriovOperatorNamespace) Expect(err).ToNot(HaveOccurred(), "Sriov and MCP are not stable") By("Deploy Test Resources: 2 NADs for bond CNI") - defineAndCreateBondNAD("bond", testNs1) - defineAndCreateBondNAD("bond", testNs2) + defineAndCreateBondNAD(tsparams.MultiNetPolNs1) + defineAndCreateBondNAD(tsparams.MultiNetPolNs2) By("Deploy Test Resources: 5 Pods") - testPod1 = defineAndCreatePodWithBondIf(pod1, testNs1, ns1+nicPf1, ns1+nicPf2, - workerNodeList[0].Object.Name, testData) - testPod2 = defineAndCreatePodWithBondIf(pod2, testNs1, ns1+nicPf1, ns1+nicPf2, - workerNodeList[0].Object.Name, testData) - testPod3 = defineAndCreatePodWithBondIf(pod3, testNs1, ns1+nicPf1, ns1+nicPf2, - workerNodeList[0].Object.Name, testData) - testPod4 = defineAndCreatePodWithBondIf(pod4, testNs2, ns2+nicPf1, ns2+nicPf2, - workerNodeList[0].Object.Name, testData) - testPod5 = defineAndCreatePodWithBondIf(pod5, testNs2, ns2+nicPf1, ns2+nicPf2, - workerNodeList[0].Object.Name, testData) + testPod1 = defineAndCreatePodWithBondIf(pod1, tsparams.MultiNetPolNs1, ns1+nicPf1, ns1+nicPf2, + workerNodeList[0].Object.Name, 
tsparams.TestData) + testPod2 = defineAndCreatePodWithBondIf(pod2, tsparams.MultiNetPolNs1, ns1+nicPf1, ns1+nicPf2, + workerNodeList[0].Object.Name, tsparams.TestData) + testPod3 = defineAndCreatePodWithBondIf(pod3, tsparams.MultiNetPolNs1, ns1+nicPf1, ns1+nicPf2, + workerNodeList[0].Object.Name, tsparams.TestData) + testPod4 = defineAndCreatePodWithBondIf(pod4, tsparams.MultiNetPolNs2, ns2+nicPf1, ns2+nicPf2, + workerNodeList[0].Object.Name, tsparams.TestData) + testPod5 = defineAndCreatePodWithBondIf(pod5, tsparams.MultiNetPolNs2, ns2+nicPf1, ns2+nicPf2, + workerNodeList[0].Object.Name, tsparams.TestData) By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. 
All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) AfterEach(func() { @@ -167,8 +142,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr It("Egress - block all", reportxml.ID("77169"), func() { By("Create Multi Network Policy") - _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-deny", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-deny", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). Create() 
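Review bot: `defineAndCreateBondNAD(tsparams.MultiNetPolNs1)` drops the NAD name argument, so the `"bond"` name is presumably now fixed inside that helper (its body is outside this diff) while every policy in the later hunks still spells it out in `WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2))`; the two must agree or every policy silently attaches to no network and the "filtered" assertions fail for the wrong reason. Since this commit already moves the namespace names into `tsparams`, the NAD name belongs there too (a proposed constant such as `tsparams.BondNadName = "bond"`) and both the helper and the `WithNetwork` calls should read it. The enclosing `BeforeAll` and `Describe` bodies start before this hunk.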
@@ -176,17 +151,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered") - verifyPaths(testPod1, testPod2, allClose, allClose, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allClose, allClose, testData) - verifyPaths(testPod1, testPod5, allClose, allClose, testData) + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Egress - allow all", reportxml.ID("77201"), func() { 
@@ -195,8 +170,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr testEgressRule, err := networkpolicy.NewEgressRuleBuilder().GetEgressRuleCfg() Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-allow", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-allow", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). WithEgressRule(*testEgressRule). 
@@ -205,17 +180,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Egress - podSelector - NonExistent Label", reportxml.ID("77199"), func() { 
@@ -226,8 +201,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetEgressRuleCfg() Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-podsel-nonexist", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-podsel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). WithEgressRule(*testEgressRule). 
@@ -236,17 +211,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered") - verifyPaths(testPod1, testPod2, allClose, allClose, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allClose, allClose, testData) - verifyPaths(testPod1, testPod5, allClose, allClose, testData) + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Egress - namespaceSelector - NonExistent Label", reportxml.ID("77197"), func() { 
@@ -257,8 +232,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetEgressRuleCfg() Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-nssel-nonexist", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-nssel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). WithEgressRule(*testEgressRule). 
@@ -267,17 +242,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be filtered") - verifyPaths(testPod1, testPod2, allClose, allClose, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allClose, allClose, testData) - verifyPaths(testPod1, testPod5, allClose, allClose, testData) + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Egress - Pod and/or Namespace Selector", reportxml.ID("77204"), func() { 
@@ -290,8 +265,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetEgressRuleCfg() Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-pod-ns-selector", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-pod-ns-selector", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). WithEgressRule(*testEgressRule). 
@@ -300,17 +275,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. Only pod2 and pod4 should be accessible on all ports") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allClose, allClose, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Egress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77202"), func() { 
@@ -323,8 +298,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetEgressRuleCfg() Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-ipv4v6-port", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-ipv4v6-port", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). WithEgressRule(*testEgressRule). 
@@ -335,24 +310,24 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr "Pod2 tcp port 5001 should be accessible over IPv4." + "Pod4 tcp port 5001 should be accessible over IPv6") - verifyPaths(testPod1, testPod2, p5001Open, allClose, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allClose, p5001Open, testData) - verifyPaths(testPod1, testPod5, allClose, allClose, testData) + verifyPaths(testPod1, testPod2, tsparams.P5001Open, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.P5001Open, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Ingress - block all", reportxml.ID("77237"), func() { By("Create Multi Network Policy") - _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-deny", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-deny", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). 
WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). Create() @@ -360,17 +335,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered") - verifyPaths(testPod2, testPod1, allClose, allClose, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, allClose, allClose, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) It("Ingress - allow all", reportxml.ID("77236"), func() { 
@@ -379,8 +354,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr testIngressRule, err := networkpolicy.NewIngressRuleBuilder().GetIngressRuleCfg() Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-allow", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-allow", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithIngressRule(*testIngressRule). 
@@ -389,17 +364,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be open") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allOpen, allOpen, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) }) It("Ingress - podSelector - NonExistent Label", reportxml.ID("77233"), func() { 
@@ -410,8 +385,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetIngressRuleCfg() Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-podsel-nonexist", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-podsel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithIngressRule(*testIngressRule). 
@@ -420,17 +395,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered") - verifyPaths(testPod2, testPod1, allClose, allClose, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, allClose, allClose, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) It("Ingress - namespaceSelector - NonExistent Label", reportxml.ID("77235"), func() { 
@@ -441,8 +416,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetIngressRuleCfg() Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-nssel-nonexist", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-nssel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithIngressRule(*testIngressRule). 
@@ -451,17 +426,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. All ports should be filtered") - verifyPaths(testPod2, testPod1, allClose, allClose, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, allClose, allClose, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) It("Ingress - Pod and/or Namespace Selector", reportxml.ID("77242"), func() { 
@@ -474,8 +449,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetIngressRuleCfg() Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-pod-ns-selector", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-pod-ns-selector", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithIngressRule(*testIngressRule). 
@@ -484,17 +459,17 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. Only pod2 and pod4 can access pod1 on all ports") - verifyPaths(testPod2, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, allOpen, allOpen, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) It("Ingress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77238"), func() { 
@@ -507,8 +482,8 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr GetIngressRuleCfg() Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") - _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-ipv4v6-port", testNs1). - WithNetwork(fmt.Sprintf("%s/bond,%s/bond", testNs1, testNs2)). + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-ipv4v6-port", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithIngressRule(*testIngressRule). 
@@ -517,19 +492,19 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. All ports should be open") - verifyPaths(testPod1, testPod2, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod3, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod4, allOpen, allOpen, testData) - verifyPaths(testPod1, testPod5, allOpen, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. " + "Pod2 can access tcp port 5001 of pod1 over IPv4." + "Pod4 can access tcp port 5001 of pod4 over IPv6") - verifyPaths(testPod2, testPod1, p5001Open, allClose, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, allClose, p5001Open, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.P5001Open, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.P5001Open, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) It("Ingress & Egress - Peer and Ports", reportxml.ID("77469"), func() { 
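Review bot: The second `By` string in this hunk describes the IPv6 check as "Pod4 can access tcp port 5001 of pod4 over IPv6", but the call that follows is `verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.P5001Open, tsparams.TestData)`, i.e. pod4 reaching pod1. The step name is what shows up in the report, so it should read `"Pod4 can access tcp port 5001 of pod1 over IPv6")`. The enclosing `It` block starts and ends outside the hunk.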
@@ -550,7 +525,7 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated") _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", "policy-ns1"). - WithNetwork("policy-ns1/bond,policy-ns2/bond"). + WithNetwork(fmt.Sprintf("%s/bond,%s/bond", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress). WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). 
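Review bot: The namespace argument on the unchanged line directly above the edited `WithNetwork` call still passes the literal `"policy-ns1"`, while the rest of this commit moves every other policy in the file to `tsparams.MultiNetPolNs1`. Leaving one literal behind means a future change to the constant would silently create this policy in a different namespace from the one named in its network list. Change it to `_, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", tsparams.MultiNetPolNs1).` so the policy namespace and the `WithNetwork` string come from the same source. The enclosing `It` block starts and ends outside the hunk.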
@@ -561,19 +536,19 @@ var _ = Describe("Multi-NetworkPolicy : Bond CNI", Ordered, Label("bondcnioversr By("Check egress traffic from pod1 to other 4 pods. Only Pod5 ports should be accessible over IPv6") - verifyPaths(testPod1, testPod2, allClose, allClose, testData) - verifyPaths(testPod1, testPod3, allClose, allClose, testData) - verifyPaths(testPod1, testPod4, allClose, allClose, testData) - verifyPaths(testPod1, testPod5, allClose, allOpen, testData) + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllOpen, tsparams.TestData) By("Check ingress traffic to pod1 from other 4 pods. " + "Pod2 can access tcp ports 5001 & 5002 of pod1 over IPv4. " + "Pod4 can access tcp ports 5001 & 5002 of pod1 over both IPv4 & IPv6") - verifyPaths(testPod2, testPod1, p5001p5002Open, allClose, testData) - verifyPaths(testPod3, testPod1, allClose, allClose, testData) - verifyPaths(testPod4, testPod1, p5001p5002Open, p5001p5002Open, testData) - verifyPaths(testPod5, testPod1, allClose, allClose, testData) + verifyPaths(testPod2, testPod1, tsparams.P5001p5002Open, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.P5001p5002Open, tsparams.P5001p5002Open, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) }) }) 
@@ -585,7 +560,7 @@ func defineAndCreateSriovNetwork(netName, resName, targetNs string) { Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Failed to create Sriov Network %s", netName)) } -func defineAndCreateBondNAD(nadName, nsName string) { +func defineAndCreateBondNAD(nsName string) { config, err := nad.NewMasterBondPlugin("bond", "active-backup"). WithFailOverMac(1). WithLinksInContainer(true). @@ -598,12 +573,12 @@ func defineAndCreateBondNAD(nadName, nsName string) { }).GetMasterPluginConfig() Expect(err).ToNot(HaveOccurred(), "Failed to get master bond plugin config") - _, err = nad.NewBuilder(APIClient, nadName, nsName).WithMasterPlugin(config).Create() + _, err = nad.NewBuilder(APIClient, "bond", nsName).WithMasterPlugin(config).Create() Expect(err).ToNot(HaveOccurred(), "Failed to create net-attach-def") } func defineAndCreatePodWithBondIf( - podName, nsName, net1Name, net2Name, nodeName string, testData podsData) *pod.Builder { + podName, nsName, net1Name, net2Name, nodeName string, testData tsparams.PodsData) *pod.Builder { var rootUser int64 securityContext := corev1.SecurityContext{ 
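Review bot: Dropping the `nadName` parameter from `defineAndCreateBondNAD` hardcodes the NAD name as `"bond"` in `nad.NewBuilder(APIClient, "bond", nsName)`, and that same literal is what every `WithNetwork(fmt.Sprintf("%s/bond,%s/bond", ...))` string in the policies above relies on to attach the policy to the right network. Those two places are now coupled only by convention; a constant next to `MultiNetPolNs1` in tsparams (e.g. a constructed `BondNADName = "bond"`) used in both the builder call and the `WithNetwork` strings would keep them in step. Since the function is now parameter-light and its behaviour is no longer obvious from the signature, a doc comment such as `// defineAndCreateBondNAD creates a net-attach-def named "bond" in nsName backed by the active-backup master bond plugin.` would help. `defineAndCreatePodWithBondIf` begins in the second hunk on this line but its body ends outside the hunk.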
@@ -656,89 +631,3 @@ func defineAndCreatePodWithBondIf( return tPod } - -func verifyPaths( - sPod, dPod *pod.Builder, - ipv4ExpectedResult, ipv6ExpectedResult map[string]string, - testData podsData, -) { - By("Deriving applicable paths between given source and destination pods") - runNmapAndValidateResults(sPod, testData[sPod.Object.Name].IPv4, - testData[dPod.Object.Name].Protocols, testData[dPod.Object.Name].Ports, - strings.Split(testData[dPod.Object.Name].IPv4, "/")[0], ipv4ExpectedResult) - runNmapAndValidateResults(sPod, testData[sPod.Object.Name].IPv6, - testData[dPod.Object.Name].Protocols, testData[dPod.Object.Name].Ports, - strings.Split(testData[dPod.Object.Name].IPv6, "/")[0], ipv6ExpectedResult) -} - -func runNmapAndValidateResults( - sPod *pod.Builder, - sourceIP string, - protocols []string, - ports []string, - targetIP string, - expectedResult map[string]string) { - // NmapXML defines the structure nmap command output in xml. - type NmapXML struct { - XMLName xml.Name `xml:"nmaprun"` - Text string `xml:",chardata"` - Host struct { - Text string `xml:",chardata"` - Status struct { - Text string `xml:",chardata"` - State string `xml:"state,attr"` - } `xml:"status"` - Address []struct { - Text string `xml:",chardata"` - Addr string `xml:"addr,attr"` - Addrtype string `xml:"addrtype,attr"` - } `xml:"address"` - Ports struct { - Text string `xml:",chardata"` - Port []struct { - Text string `xml:",chardata"` - Protocol string `xml:"protocol,attr"` - Portid string `xml:"portid,attr"` - State struct { - Text string `xml:",chardata"` - State string `xml:"state,attr"` - } `xml:"state"` - } `xml:"port"` - } `xml:"ports"` - } `xml:"host"` - } - - By("Running nmap command in source pod") - - var nmapOutput NmapXML - - nmapCmd := fmt.Sprintf("nmap -v -oX - -sT -sU -p T:5001,T:5002,U:5003 %s", targetIP) - - if net.ParseIP(targetIP).To4() == nil { - nmapCmd += " -6" - } - - output, err := sPod.ExecCommand([]string{"/bin/bash", "-c", nmapCmd}) - 
Expect(err).NotTo(HaveOccurred(), "Failed to execute nmap command in source pod") - - err = xml.Unmarshal(output.Bytes(), &nmapOutput) - Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Failed to unmarshal nmap output: %s", output.String())) - - By("Verifying nmap output is matching with expected results") - Expect(len(nmapOutput.Host.Ports.Port)).To(Equal(len(ports)), - fmt.Sprintf("number of ports in nmap output as expected. Nmap XML output: %v", nmapOutput.Host.Ports.Port)) - - for index := range len(nmapOutput.Host.Ports.Port) { - if expectedResult[nmapOutput.Host.Ports.Port[index].Portid] == "pass" { - By(fmt.Sprintf("Path %s/%s =====> %s:%s:%s Expected to Pass\n", - sPod.Object.Name, sourceIP, targetIP, protocols[index], ports[index])) - Expect(nmapOutput.Host.Ports.Port[index].State.State).To(Equal("open"), - fmt.Sprintf("Port is not open as expected. Output: %v", nmapOutput.Host.Ports.Port[index])) - } else { - By(fmt.Sprintf("Path %s/%s =====> %s:%s:%s Expected to Fail\n", - sPod.Object.Name, sourceIP, targetIP, protocols[index], ports[index])) - Expect(nmapOutput.Host.Ports.Port[index].State.State).To(SatisfyAny(Equal("open|filtered"), Equal("filtered")), - fmt.Sprintf("Port is not filtered as expected. Output: %v", nmapOutput.Host.Ports.Port[index])) - } - } -} diff --git a/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go b/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go new file mode 100644 index 000000000..7fd5420f8 --- /dev/null +++ b/tests/cnf/core/network/policy/tests/multinetpolicy_ipvlan.go 
@@ -0,0 +1,576 @@ +package tests + +import ( + "fmt" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + . "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netinittools" + + multinetpolicyapiv1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1" + "github.com/openshift-kni/eco-goinfra/pkg/nad" + "github.com/openshift-kni/eco-goinfra/pkg/namespace" + "github.com/openshift-kni/eco-goinfra/pkg/networkpolicy" + "github.com/openshift-kni/eco-goinfra/pkg/nodes" + "github.com/openshift-kni/eco-goinfra/pkg/pod" + "github.com/openshift-kni/eco-goinfra/pkg/reportxml" + "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netenv" + "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/policy/internal/tsparams" + "github.com/openshift-kni/eco-gotests/tests/internal/params" + "gopkg.in/k8snetworkplumbingwg/multus-cni.v4/pkg/types" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" +) + +var _ = Describe("Multi-NetworkPolicy : IPVLAN CNI", Ordered, Label("ipvlancni"), ContinueOnFailure, func() { + + var ( + sriovInterfacesUnderTest []string + tNs1, tNs2 *namespace.Builder + testPod1, testPod2, testPod3, testPod4, testPod5 *pod.Builder + ) + + BeforeAll(func() { + By("Verifying if Multi-NetPolicy tests can be executed on given cluster") + err := netenv.DoesClusterHasEnoughNodes(APIClient, NetConfig, 1, 1) + Expect(err).ToNot(HaveOccurred(), + "Cluster doesn't support Multi-NetPolicy test cases as it doesn't have enough nodes") + + By("Listing Worker nodes") + workerNodeList, err := nodes.List( + APIClient, metav1.ListOptions{LabelSelector: labels.Set(NetConfig.WorkerLabelMap).String()}) + Expect(err).ToNot(HaveOccurred(), "Failed to list worker nodes") + + By("Fetching SR-IOV interfaces from ENV VAR to use them as master interfaces for ipvlan") + sriovInterfacesUnderTest, err = NetConfig.GetSriovInterfaces(2) + 
Expect(err).ToNot(HaveOccurred(), "Failed to retrieve SR-IOV interfaces for testing") + + By("Enable MultiNetworkPolicy support") + enableMultiNetworkPolicy(true) + + By("Deploy Test Resources: Two Namespaces") + tNs1, err = namespace.NewBuilder(APIClient, tsparams.MultiNetPolNs1).WithMultipleLabels(params.PrivilegedNSLabels). + WithLabel("ns", "ns1").Create() + Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace") + tNs2, err = namespace.NewBuilder(APIClient, tsparams.MultiNetPolNs2).WithMultipleLabels(params.PrivilegedNSLabels). + WithLabel("ns", "ns2").Create() + Expect(err).ToNot(HaveOccurred(), "Failed to create test namespace") + + By("Deploy Test Resources: Two NADs for IPVLAN CNI") + defineAndCreateIpvlanNAD(tsparams.MultiNetPolNs1, sriovInterfacesUnderTest[0]) + defineAndCreateIpvlanNAD(tsparams.MultiNetPolNs2, sriovInterfacesUnderTest[1]) + + By("Deploy Test Resources: Five Pods") + testPod1 = defineAndCreatePodWithIpvlanIf( + "pod1", tsparams.MultiNetPolNs1, workerNodeList[0].Object.Name, tsparams.TestData) + testPod2 = defineAndCreatePodWithIpvlanIf( + "pod2", tsparams.MultiNetPolNs1, workerNodeList[0].Object.Name, tsparams.TestData) + testPod3 = defineAndCreatePodWithIpvlanIf( + "pod3", tsparams.MultiNetPolNs1, workerNodeList[0].Object.Name, tsparams.TestData) + testPod4 = defineAndCreatePodWithIpvlanIf( + "pod4", tsparams.MultiNetPolNs2, workerNodeList[0].Object.Name, tsparams.TestData) + testPod5 = defineAndCreatePodWithIpvlanIf( + "pod5", tsparams.MultiNetPolNs2, workerNodeList[0].Object.Name, tsparams.TestData) + + By("Check egress traffic from pod1 to other four pods. 
All ports should be open") + + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + + By("Check ingress traffic to pod1 from other four pods. All ports should be open") + + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + }) + + AfterEach(func() { + err := tNs1.CleanObjects(1*time.Minute, networkpolicy.GetMultiNetworkGVR()) + Expect(err).ToNot(HaveOccurred(), "failed to clean Multi-NetworkPolicies in test namespace") + }) + + AfterAll(func() { + By("Delete test namespace") + err := tNs1.Delete() + Expect(err).ToNot(HaveOccurred(), "Failed to delete test namespace") + err = tNs2.Delete() + Expect(err).ToNot(HaveOccurred(), "Failed to delete test namespace") + }) + + It("Egress - block all", reportxml.ID("77467"), func() { + + By("Create Multi Network Policy") + _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-deny", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). + WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). + WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). + Create() + Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy") + + By("Check egress traffic from pod1 to other four pods. 
All ports should be filtered") + + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + + By("Check ingress traffic to pod1 from other four pods. All ports should be open") + + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + }) + + It("Egress - allow all", reportxml.ID("77474"), func() { + + By("Create Multi Network Policy") + testEgressRule, err := networkpolicy.NewEgressRuleBuilder().GetEgressRuleCfg() + Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") + + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-allow", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). + WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). + WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). + WithEgressRule(*testEgressRule). + Create() + Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy") + + By("Check egress traffic from pod1 to other four pods. 
All ports should be open") + + verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + + By("Check ingress traffic to pod1 from other four pods. All ports should be open") + + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + }) + + It("Egress - podSelector - NonExistent Label", reportxml.ID("77473"), func() { + + By("Create Multi Network Policy") + testEgressRule, err := networkpolicy.NewEgressRuleBuilder(). + WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "none"}}). + GetEgressRuleCfg() + Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") + + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-podsel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). + WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). + WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). + WithEgressRule(*testEgressRule). + Create() + Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy") + + By("Check egress traffic from pod1 to other four pods. 
All ports should be filtered") + + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + + By("Check ingress traffic to pod1 from other four pods. All ports should be open") + + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + }) + + It("Egress - namespaceSelector - NonExistent Label", reportxml.ID("77472"), func() { + + By("Create Multi Network Policy") + testEgressRule, err := networkpolicy.NewEgressRuleBuilder(). + WithPeerNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"ns": "none"}}). + GetEgressRuleCfg() + Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") + + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-nssel-nonexist", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). + WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). + WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). + WithEgressRule(*testEgressRule). + Create() + Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy") + + By("Check egress traffic from pod1 to other four pods. 
All ports should be filtered") + + verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData) + + By("Check ingress traffic to pod1 from other four pods. All ports should be open") + + verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData) + }) + + It("Egress - Pod and/or Namespace Selector", reportxml.ID("77477"), func() { + + By("Create Multi Network Policy") + testEgressRule, err := networkpolicy.NewEgressRuleBuilder(). + WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}}, + metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}). + WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}). + GetEgressRuleCfg() + Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated") + + _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-pod-ns-selector", tsparams.MultiNetPolNs1). + WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)). + WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}). + WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress). + WithEgressRule(*testEgressRule). + Create() + Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy") + + By("Check egress traffic from pod1 to other four pods. 
Only pod2 and pod4 should be accessible on all ports")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ })
+
+ It("Egress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77475"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPortAndProtocol(5001, "TCP").
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::12/128"}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "egress-ipv4v6-port", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. " +
+ "Pod2 tcp port 5001 should be accessible over IPv4." +
+ "Pod4 tcp port 5001 should be accessible over IPv6")
+
+ verifyPaths(testPod1, testPod2, tsparams.P5001Open, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.P5001Open, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ })
+
+ It("Ingress - block all", reportxml.ID("77486"), func() {
+
+ By("Create Multi Network Policy")
+ _, err := networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-deny", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+
+ It("Ingress - allow all", reportxml.ID("77485"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-allow", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create Multi Network Policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be open")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ })
+
+ It("Ingress - podSelector - NonExistent Label", reportxml.ID("77484"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "none"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-podsel-nonexist", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+
+ It("Ingress - namespaceSelector - NonExistent Label", reportxml.ID("77483"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"ns": "none"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-nssel-nonexist", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. All ports should be filtered")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+
+ It("Ingress - Pod and/or Namespace Selector", reportxml.ID("77481"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}},
+ metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}).
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-pod-ns-selector", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. Only pod2 and pod4 can access pod1 on all ports")
+
+ verifyPaths(testPod2, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+
+ It("Ingress - IPBlock IPv4 and IPv6 and Ports", reportxml.ID("77479"), func() {
+
+ By("Create Multi Network Policy")
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithPortAndProtocol(5001, "TCP").
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::12/128"}).
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-ipv4v6-port", tsparams.MultiNetPolNs1).
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithIngressRule(*testIngressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. All ports should be open")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllOpen, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. " +
+ "Pod2 can access tcp port 5001 of pod1 over IPv4." +
+ "Pod4 can access tcp port 5001 of pod4 over IPv6")
+
+ verifyPaths(testPod2, testPod1, tsparams.P5001Open, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.AllClose, tsparams.P5001Open, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+
+ It("Ingress & Egress - Peer and Ports", reportxml.ID("77487"), func() {
+
+ By("Create Multi Network Policy")
+ testEgressRule, err := networkpolicy.NewEgressRuleBuilder().
+ WithPeerPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod2"}}).
+ WithCIDR("2001:0:0:2::/64", []string{"2001:0:0:2::11/128"}).
+ GetEgressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "egress rule configuration not generated")
+
+ testIngressRule, err := networkpolicy.NewIngressRuleBuilder().
+ WithCIDR("192.168.10.0/24", []string{"192.168.10.12/32"}).
+ WithPeerPodAndNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod4"}},
+ metav1.LabelSelector{MatchLabels: map[string]string{"ns": "ns2"}}).
+ WithProtocol("TCP").
+ GetIngressRuleCfg()
+ Expect(err).ToNot(HaveOccurred(), "ingress rule configuration not generated")
+
+ _, err = networkpolicy.NewMultiNetworkPolicyBuilder(APIClient, "ingress-egress", "policy-ns1").
+ WithNetwork(fmt.Sprintf("%s/ipvlan,%s/ipvlan", tsparams.MultiNetPolNs1, tsparams.MultiNetPolNs2)).
+ WithPodSelector(metav1.LabelSelector{MatchLabels: map[string]string{"app": "pod1"}}).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeIngress).
+ WithPolicyType(multinetpolicyapiv1.PolicyTypeEgress).
+ WithIngressRule(*testIngressRule).
+ WithEgressRule(*testEgressRule).
+ Create()
+ Expect(err).NotTo(HaveOccurred(), "failed to create multi network policy")
+
+ By("Check egress traffic from pod1 to other four pods. Only Pod5 ports should be accessible over IPv6")
+
+ verifyPaths(testPod1, testPod2, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod3, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod4, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod1, testPod5, tsparams.AllClose, tsparams.AllOpen, tsparams.TestData)
+
+ By("Check ingress traffic to pod1 from other four pods. " +
+ "Pod2 can access tcp ports 5001 & 5002 of pod1 over IPv4. " +
+ "Pod4 can access tcp ports 5001 & 5002 of pod1 over both IPv4 & IPv6")
+
+ verifyPaths(testPod2, testPod1, tsparams.P5001p5002Open, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod3, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ verifyPaths(testPod4, testPod1, tsparams.P5001p5002Open, tsparams.P5001p5002Open, tsparams.TestData)
+ verifyPaths(testPod5, testPod1, tsparams.AllClose, tsparams.AllClose, tsparams.TestData)
+ })
+})
+
+func defineAndCreateIpvlanNAD(nsName, masterIf string) {
+ config, err := nad.NewMasterIPVlanPlugin("ipvlan").
+ WithMasterInterface(masterIf).
+ WithIPAM(&nad.IPAM{
+ Type: "static",
+ Routes: []nad.Routes{{Dst: "192.168.0.0/16"}, {Dst: "2001::0/62"}},
+ }).GetMasterPluginConfig()
+ Expect(err).ToNot(HaveOccurred(), "Failed to get master ipvlan plugin config")
+
+ _, err = nad.NewBuilder(APIClient, "ipvlan", nsName).WithMasterPlugin(config).Create()
+ Expect(err).ToNot(HaveOccurred(), "Failed to create net-attach-def")
+}
+
+func defineAndCreatePodWithIpvlanIf(
+ podName, nsName, nodeName string, testData tsparams.PodsData) *pod.Builder {
+ var rootUser int64
+
+ securityContext := corev1.SecurityContext{
+ RunAsUser: &rootUser,
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"IPC_LOCK", "SYS_RESOURCE", "NET_RAW", "NET_ADMIN"},
+ },
+ }
+
+ netAnnotation := []*types.NetworkSelectionElement{
+ {
+ Name: "ipvlan",
+ InterfaceRequest: "ipvlan1",
+ IPRequest: []string{testData[podName].IPv4, testData[podName].IPv6},
+ },
+ }
+
+ tPodBuilder := pod.NewBuilder(APIClient, podName, nsName, NetConfig.CnfNetTestContainer).
+ WithNodeSelector(map[string]string{"kubernetes.io/hostname": nodeName}).
+ WithSecondaryNetwork(netAnnotation).
+ WithPrivilegedFlag().
+ WithLabel("app", podName)
+
+ for index := range len(testData[podName].Protocols) {
+ containerBuilder, err := pod.NewContainerBuilder(testData[podName].Protocols[index]+testData[podName].Ports[index],
+ NetConfig.CnfNetTestContainer,
+ []string{"/bin/bash", "-c", fmt.Sprintf("testcmd -listen -interface ipvlan1 -protocol %s -port %s",
+ testData[podName].Protocols[index], testData[podName].Ports[index])}).
+ WithSecurityContext(&securityContext).
+ GetContainerCfg()
+ Expect(err).ToNot(HaveOccurred(), "Failed to get container config")
+
+ if index == 0 {
+ tPodBuilder.RedefineDefaultContainer(*containerBuilder)
+ } else {
+ tPodBuilder.WithAdditionalContainer(containerBuilder)
+ }
+ }
+
+ tPod, err := tPodBuilder.CreateAndWaitUntilRunning(1 * time.Minute)
+ Expect(err).ToNot(HaveOccurred(), "Failed to create test pod")
+
+ return tPod
+}