From 6195f96e56ee1e9f52986a0e768e22ca0d1949d6 Mon Sep 17 00:00:00 2001
From: jay vyas
Date: Mon, 5 Jun 2023 08:31:25 -0400
Subject: [PATCH] minor fix comments in netpol so its easy to understand the tests for newcomers, remove one misleading comment (#118264)

* Fix comments in the netpol tests for new contributors to understand them better

* typo
---
 test/e2e/network/netpol/network_policy.go | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go
index 67966086e1e..1822a7364b9 100644
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@@ -45,8 +45,7 @@ const (
 // Calico, Cillium, Antrea seem to do different things.
 // Since different CNIs have different results, that causes tests including loopback to fail
 // on some CNIs. So let's just ignore loopback calls for the purposes of deciding test pass/fail.
- ignoreLoopback = true
-
+ ignoreLoopback = true
 namespaceLabelKey = "kubernetes.io/metadata.name"
 )
@@ -118,16 +117,29 @@ var _ = common.SIGDescribe("Netpol", func() {
 var k8s *kubeManager
 ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func(ctx context.Context) {
+
+ // Only poll TCP
 protocols := []v1.Protocol{protocolTCP}
+
+ // Only testing port 80
 ports := []int32{80}
+
+ // Create pods and namespaces for this test
 k8s = initializeResources(ctx, f, protocols, ports)
+
+ // Only going to make a policy in namespace X
 nsX, _, _ := getK8sNamespaces(k8s)
 policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules())
+
+ // Create the policy
 CreatePolicy(ctx, k8s, policy, nsX)
+ // Make a truth table of connectivity for all pods in ns x y z
 reachability := NewReachability(k8s.AllPodStrings(), true)
+ // Set the nsX as false, since it has a policy that blocks traffic
 reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
+ // Confirm that the real world connectivity matches our matrix
 ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
 })
@@ -614,7 +626,7 @@ var _ = common.SIGDescribe("Netpol", func() {
 reachability.ExpectAllIngress(NewPodString(nsX, "a"), false)
 ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
- // add a new label, we'll remove it after this test is completed
+ // add a new label
 AddNamespaceLabel(ctx, k8s, nsY, "ns2", "updated")
 // anything from namespace 'y' should be able to get to x/a
@@ -631,7 +643,7 @@ var _ = common.SIGDescribe("Netpol", func() {
 nsX, _, _ := getK8sNamespaces(k8s)
 ginkgo.DeferCleanup(ResetPodLabels, k8s, nsX, "b")
- // add a new label, we'll remove it after this test is done
+ // add a new label
 matchLabels := map[string]string{"pod": "b", "pod2": "updated"}
 allowedLabels := &metav1.LabelSelector{MatchLabels: matchLabels}
 ingressRule := networkingv1.NetworkPolicyIngressRule{}
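Review bot: The added comment `// Set the nsX as false, since it has a policy that blocks traffic` in the `-118,16` hunk overstates what the next line asserts: `reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)` reads as marking only connections into nsX pods as denied, and the policy is built with `SetSpecIngressRules()` alone, so traffic leaving nsX presumably stays expected-true. For a newcomer learning what default-deny-ingress guarantees, I would word it `// Expect every connection into a pod in nsX to be denied; the policy is ingress-only, so traffic leaving nsX stays allowed`. Minor style: the new blank line directly after the opening `func(ctx context.Context) {` and the uneven spacing (the first five comments get a blank line before them, the last three do not) could be made consistent. The enclosing `SIGDescribe` closure starts and ends outside the hunk.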
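Review bot: After the trim in the `-614,7` hunk, `// add a new label` above `AddNamespaceLabel(ctx, k8s, nsY, "ns2", "updated")` no longer says whether the label on nsY is ever removed, and no cleanup is visible in the hunk (the test body starts and ends outside it). If a cleanup is registered earlier in that test, point at it, e.g. `// add a new label to nsY; the cleanup registered earlier in this test removes it`; if none exists, the label would persist on the namespace and could change what later namespace-selector policies match. In the `-631,7` hunk the same trimmed comment sits above `matchLabels := map[string]string{"pod": "b", "pod2": "updated"}`, which builds the selector rather than adding a label, while `ginkgo.DeferCleanup(ResetPodLabels, k8s, nsX, "b")` just before it does register the reset; `// match pods that carry both labels; labels on pod b are reset by the DeferCleanup above` would describe that line more accurately.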
@@ -725,8 +737,8 @@ var _ = common.SIGDescribe("Netpol", func() {
 ingressRule := networkingv1.NetworkPolicyIngressRule{}
 ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedPodLabels})
 policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
- // add an egress rule on to it...
+ // add an egress rule on to it...
 policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
 {
 Ports: []networkingv1.NetworkPolicyPort{