From f2e8fe93fb5f1edbd104148bd762f2d04e149e8d Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Mon, 24 Feb 2025 17:53:41 -0500
Subject: [PATCH] Fix bad CIDRs in a NetworkPolicy test

It was writing out IPBlock CIDRs like "192.168.0.5/4" rather than "192.0.0.0/4". Also, simplify a bit by basing the `cidr` and the `except` both on podB, rather than one on podA and one on podB. (This is even theoretically a bugfix, since it's not _required_ that podA and podB be in the same /4.) Also reorganize the code to make the two test cases more consistent with each other.
---
 test/e2e/network/netpol/network_policy.go | 37 ++++++++++++++---------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go
index 165a8c7c0b8..a527cf6b935 100644
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@@ -19,6 +19,7 @@ package netpol
 import (
 "context"
 "fmt"
+ "net"
 "time"
 
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -1022,16 +1023,15 @@ var _ = common.SIGDescribe("Netpol", func() {
 ports := []int32{80}
 k8s = initializeResources(ctx, f, protocols, ports)
 nsX, _, _ := getK8sNamespaces(k8s)
- podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=a"})
- framework.ExpectNoError(err, "Failing to find pod x/a")
- podA := podList.Items[0]
- podServerAllowCIDR := fmt.Sprintf("%s/4", podA.Status.PodIP)
-
- podList, err = f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
+ podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
 framework.ExpectNoError(err, "Failing to find pod x/b")
 podB := podList.Items[0]
+ // Create a rule that allows egress to a large set of IPs around
+ // podB, but not podB itself.
+
+ podServerAllowCIDR := makeLargeCIDRForIP(podB.Status.PodIP)
 hostMask := 32
 if utilnet.IsIPv6String(podB.Status.PodIP) {
 hostMask = 128
@@ -1056,21 +1056,19 @@ var _ = common.SIGDescribe("Netpol", func() {
 ports := []int32{80}
 k8s = initializeResources(ctx, f, protocols, ports)
 nsX, _, _ := getK8sNamespaces(k8s)
- podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=a"})
- framework.ExpectNoError(err, "Failing to find pod x/a")
- podA := podList.Items[0]
- podList, err = f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
+ podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
 framework.ExpectNoError(err, "Failing to find pod x/b")
 podB := podList.Items[0]
- // Exclude podServer's IP with an Except clause
+ // Create a rule that allows egress to a large set of IPs around
+ // podB, but not podB itself.
+
+ podServerAllowCIDR := makeLargeCIDRForIP(podB.Status.PodIP)
 hostMask := 32
 if utilnet.IsIPv6String(podB.Status.PodIP) {
 hostMask = 128
 }
-
- podServerAllowCIDR := fmt.Sprintf("%s/4", podA.Status.PodIP)
 podServerExceptList := []string{fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)}
 egressRule1 := networkingv1.NetworkPolicyEgressRule{}
 egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podServerAllowCIDR, Except: podServerExceptList}})
@@ -1083,8 +1081,8 @@ var _ = common.SIGDescribe("Netpol", func() {
 ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
+ // Create a second NetworkPolicy which allows access to podB
 podBIP := fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)
- //// Create NetworkPolicy which allows access to the podServer using podServer's IP in allow CIDR.
 egressRule3 := networkingv1.NetworkPolicyEgressRule{}
 egressRule3.To = append(egressRule3.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podBIP}})
 allowPolicy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule",
@@ -1465,3 +1463,14 @@ func initializeResources(ctx context.Context, f *framework.Framework, protocols
 framework.ExpectNoError(err, "unable to initialize resources")
 return k8s
 }
+
+// makeLargeCIDRForIP returns a CIDR that matches the given IP and many many many other
+// IPs. (Specifically, it returns the /4 that contains the IP.)
+func makeLargeCIDRForIP(ip string) string {
+ podIP := utilnet.ParseIPSloppy(ip)
+ if ip4 := podIP.To4(); ip4 != nil {
+ podIP = ip4
+ }
+ cidrBase := podIP.Mask(net.CIDRMask(4, 8*len(podIP)))
+ return fmt.Sprintf("%s/4", cidrBase.String())
+}
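Review bot: makeLargeCIDRForIP does not handle ParseIPSloppy returning nil for an empty or malformed string, and as far as I can trace through net.IP (To4, CIDRMask(4, 0) and Mask all tolerate a zero-length IP) the result is the string `"<nil>/4"`, which only surfaces later as an API validation error on the IPBlock instead of at the call site; since the callers pass podB.Status.PodIP without checking it is set, add a guard right after the parse, `if podIP == nil {` / `framework.Failf("makeLargeCIDRForIP: cannot parse pod IP %q", ip)` / `}`. The prefix length 4 is also spelled twice (the CIDRMask argument and the "%s/4" format); computing the mask once and letting net.IPNet print it, `mask := net.CIDRMask(4, 8*len(podIP))` then `return (&net.IPNet{IP: podIP.Mask(mask), Mask: mask}).String()`, keeps the two in sync and drops the fmt.Sprintf. The doc comment could state the normalisation explicitly, e.g. `// IPv4 addresses are reduced to 4 bytes first, so 192.168.0.5 yields 192.0.0.0/4 and an IPv6 address yields its 16-byte /4.`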