From 50d93d989f613f7ad648bb6c91cdf27325d98c0b Mon Sep 17 00:00:00 2001
From: Daniela Lins
Date: Sat, 13 Feb 2021 17:57:04 +0100
Subject: [PATCH 01/16] Add tweaking functions to TestValidateNetworkPolicy
Signed-off-by: Daniela Lins
---
 .../networking/validation/validation_test.go | 160 ++++++++++++++++++
 1 file changed, 160 insertions(+)
diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index c03fd0af1ee..bed91565926 100644
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
@@ -33,12 +33,172 @@ import (
 utilpointer "k8s.io/utils/pointer"
 )
+func makeValidNetworkPolicy() *networking.NetworkPolicy {
+ return &networking.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"a": "b"},
+ },
+ },
+ }
+}
+
 func TestValidateNetworkPolicy(t *testing.T) {
 protocolTCP := api.ProtocolTCP
 protocolUDP := api.ProtocolUDP
 protocolICMP := api.Protocol("ICMP")
 protocolSCTP := api.ProtocolSCTP
 endPort := int32(32768)
+ // Tweaks used below.
+ setIngressEmptyIngressRule := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{}
+ }
+ setIngressEmptyFrom := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{}
+ }
+ setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{}
+ }
+
+ setIngressPorts := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: nil,
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443},
+ },
+ {
+ Protocol: &protocolUDP,
+ Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
+ },
+ {
+ Protocol: &protocolSCTP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777},
+ },
+ }
+ }
+
+ setIngressPortsHigher := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 65535},
+ EndPort: &endPort,
+ },
+ }
+ }
+
+ setIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ }
+ }
+
+ setAlternativeIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
+ MatchLabels: map[string]string{"e": "f"},
+ }
+ }
+
+ setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ }
+ }
+
+ setIngressFromIPBlock := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
+ CIDR: "192.168.0.0/16",
+ Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+ }
+ }
+
+ setEgressEmptyTo := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{}
+ }
+
+ setEgressToNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].To[0].NamespaceSelector =&metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ }
+ }
+ setEgressPorts := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: nil,
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443},
+ },
+ {
+ Protocol: &protocolUDP,
+ Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
+ },
+ {
+ Protocol: &protocolSCTP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777},
+ },
+ }
+ }
+
+ setEgressPortsUDPandHigh := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000},
+ EndPort: &endPort,
+ },
+ {
+ Protocol: &protocolUDP,
+ Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
+ },
+ }
+ }
+
+ setEgressPortsBothHigh := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000},
+ EndPort: &endPort,
+ },
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000},
+ EndPort: &endPort,
+ },
+ }
+ }
+
+ setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{
+ CIDR: "192.168.0.0/16",
+ Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+ }
+ }
+
+ setPolicyTypesIngressEgress := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress}
+ }
+
+ setPolicyTypesEgress := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress}
+ }
+
 successCases := []networking.NetworkPolicy{
 {
 ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
From 77da0540e6811738c1bee7d31f4d84d818d4ae78 Mon Sep 17 00:00:00 2001
From: Daniela Lins
Date: Tue, 16 Feb 2021 19:45:17 +0100
Subject: [PATCH 02/16] Add tweaks and use them to build error structs
Signed-off-by: Daniela Lins
---
 .../networking/validation/validation_test.go | 1292 ++++-------------
 1 file changed, 303 insertions(+), 989 deletions(-)
diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index bed91565926..8a5a3f5028e 100644
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
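Review bot: As a standalone commit this hunk does not compile: every closure from `setIngressEmptyIngressRule` through `setPolicyTypesEgress` is declared with `:=` and never referenced (the `successCases` literal at the end of the hunk is unchanged context), and Go rejects unused local variables, which breaks bisecting this series — either squash this into the commit that wires them in or add their uses here. Two of the tweaks are also wrong as written: `setIngressPortsHigher` sets `IntVal: 65535` against the shared `EndPort` of 32768, an inverted range that a success case cannot use, and `setEgressToNamespaceSelector` has `=&metav1.LabelSelector{`, which gofmt will rewrite. Tweaks such as `setIngressEmptyFrom` index `Spec.Ingress[0]` on a policy whose Ingress starts nil, so a wrong tweak order panics the test instead of failing an assertion; a comment on the group such as `// Tweaks that index Ingress[0]/Egress[0]/From[0]/To[0] must follow a tweak that creates that element.` would make that contract explicit. TestValidateNetworkPolicy continues outside the hunk.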
@@ -44,6 +44,14 @@ func makeValidNetworkPolicy() *networking.NetworkPolicy {
 }
 }
+func makeNetworkPolicyCustom(tweaks ...func(networkPolicy *networking.NetworkPolicy)) *networking.NetworkPolicy {
+ networkPolicy := makeValidNetworkPolicy()
+ for _, fn := range tweaks {
+ fn(networkPolicy)
+ }
+ return networkPolicy
+}
+
 func TestValidateNetworkPolicy(t *testing.T) {
 protocolTCP := api.ProtocolTCP
 protocolUDP := api.ProtocolUDP
@@ -51,14 +59,24 @@ func TestValidateNetworkPolicy(t *testing.T) {
 protocolSCTP := api.ProtocolSCTP
 endPort := int32(32768)
 // Tweaks used below.
- setIngressEmptyIngressRule := func(networkPolicy *networking.NetworkPolicy) {
- networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{}
+ // setIngressEmptyIngressRule := func(networkPolicy *networking.NetworkPolicy) {
+ // networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{}
+ // }
+ setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{networking.NetworkPolicyIngressRule{}}
 }
+
 setIngressEmptyFrom := func(networkPolicy *networking.NetworkPolicy) {
 networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{}
 }
+
+ setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{networking.NetworkPolicyPeer{}}
+ }
+
 setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) {
 networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{}
+
 }
 setIngressPorts := func(networkPolicy *networking.NetworkPolicy) {
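Review bot: `makeNetworkPolicyCustom` has no doc comment, and the ordering contract the tweaks depend on is written down nowhere: a tweak that indexes `Spec.Ingress[0]` or `From[0]` (as the ones that follow do) must come after a tweak that creates that element, otherwise the test panics with an index out of range instead of reporting a validation result. I would add above the func: `// makeNetworkPolicyCustom returns makeValidNetworkPolicy() with tweaks applied in order. Tweaks that index Ingress[0]/Egress[0]/From[0]/To[0] must follow one that creates that element.` With no tweaks it returns the plain valid baseline, which is worth stating for readers of the success cases.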
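Review bot: Commenting out `setIngressEmptyIngressRule` loses the success case that covered `Ingress: []networking.NetworkPolicyIngressRule{}` — an explicitly empty ingress list, which in the NetworkPolicy API denies all ingress — while its replacement `setIngressEmptyFirstElement` builds a single empty rule, which allows all ingress; these are different policies and validation should keep accepting both. Keep the original tweak live and add `makeNetworkPolicyCustom(setIngressEmptyIngressRule)` to successCases rather than leaving it as dead commented-out code (the same applies to the commented-out `setEgressEmptyEgressRule` and `setEgressEmptyTo` later in this patch). Two style nits: `[]networking.NetworkPolicyIngressRule{networking.NetworkPolicyIngressRule{}}` is what `gofmt -s` simplifies to `{{}}`, and the blank line added before the closing brace of `setIngressEmptyPorts` looks accidental.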
@@ -87,10 +105,10 @@ func TestValidateNetworkPolicy(t *testing.T) {
 }
 setIngressPortsHigher := func(networkPolicy *networking.NetworkPolicy) {
- networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
+ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
 {
 Protocol: &protocolTCP,
- Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 65535},
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32768},
 EndPort: &endPort,
 },
 }
@@ -107,7 +125,7 @@ func TestValidateNetworkPolicy(t *testing.T) {
 MatchLabels: map[string]string{"e": "f"},
 }
 }
-
+
 setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) {
 networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
 MatchLabels: map[string]string{"c": "d"},
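Review bot: After this change `Port` and the shared `EndPort` are both 32768, so `setIngressPortsHigher` now only checks that equal bounds are accepted (which the success case built from it presumably relies on) and no longer exercises a real port range; the name still suggests a span. Either use a value below the end port, e.g. `Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000},`, or add a comment on the tweak stating that it deliberately tests port == endPort so the next reader does not "fix" it. The enclosing TestValidateNetworkPolicy starts and ends outside this hunk.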
@@ -120,16 +138,42 @@ func TestValidateNetworkPolicy(t *testing.T) {
 Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
 }
 }
-
- setEgressEmptyTo := func(networkPolicy *networking.NetworkPolicy) {
- networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{}
+
+ setIngressFromIPBlockIPV6 := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
+ CIDR: "fd00:192:168::/64",
+ Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"},
+ }
+ }
+
+ // setEgressEmptyEgressRule := func(networkPolicy *networking.NetworkPolicy) {
+ // networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{}
+ // }
+
+ setEgressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{networking.NetworkPolicyEgressRule{}}
+ }
+
+ // setEgressEmptyTo := func(networkPolicy *networking.NetworkPolicy) {
+ // networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{}
+ // }
+
+ setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{networking.NetworkPolicyPeer{}}
 }
 setEgressToNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) {
- networkPolicy.Spec.Egress[0].To[0].NamespaceSelector =&metav1.LabelSelector{
+ networkPolicy.Spec.Egress[0].To[0].NamespaceSelector = &metav1.LabelSelector{
 MatchLabels: map[string]string{"c": "d"},
 }
 }
+
+ setEgressToPodSelector := func(networkPolicy *networking.NetworkPolicy) {
+ networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ }
+ }
+
 setEgressPorts := func(networkPolicy *networking.NetworkPolicy) {
 networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
 {
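Review bot: `setIngressFromIPBlockIPV6` does not describe a valid IPBlock: its CIDR is `fd00:192:168::/64`, and neither `fd00:192:168:3::/64` nor `fd00:192:168:4::/64` lies inside that /64 (the fourth hextet differs), so any success case built from it would fail the except-must-be-within-CIDR check; the IPv6 cases this patch removes used `fd00:192:168::/48`, which does contain both — restore `CIDR: "fd00:192:168::/48",`. The rebuilt successCases later in this patch also reuse `setIngressFromIPBlock` twice in the slots the former IPv6 entries occupied and, as far as the visible part of the patch shows, never reference `setIngressFromIPBlockIPV6` or `setEgressToPodSelector`; if they are unused anywhere the file will not compile, and either way the IPv6 CIDR/except success coverage is dropped, which is the path most likely to diverge from the IPv4 one in the validator. The commented-out `setEgressEmptyEgressRule` and `setEgressEmptyTo` should be deleted or kept live rather than left as dead code.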
@@ -156,7 +200,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressPortsUDPandHigh := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, @@ -170,7 +214,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressPortsBothHigh := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, @@ -183,7 +227,7 @@ func TestValidateNetworkPolicy(t *testing.T) { }, } } - + setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/16", @@ -199,1016 +243,286 @@ func TestValidateNetworkPolicy(t *testing.T) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress} } - successCases := []networking.NetworkPolicy{ - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{}, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{}, - Ports: []networking.NetworkPolicyPort{}, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - { - Protocol: &protocolTCP, - Port: nil, - }, - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, - }, - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, - }, - { - Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"e": "f"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - }, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{networking.PolicyTypeEgress}, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress}, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - { - Protocol: &protocolTCP, - Port: nil, - }, - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, - }, - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, - }, - { - Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: 
metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - }, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168::/48", - Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168::/48", - Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, - }, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168::/48", - Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{networking.PolicyTypeEgress}, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168::/48", - Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress}, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, - }, - }, - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: 
[]networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - }, - }, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"e": "f"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32768}, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, + successCases := []*networking.NetworkPolicy{ + makeNetworkPolicyCustom(setIngressEmptyFirstElement), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressEmptyFrom, setIngressEmptyPorts), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setAlternativeIngressFromPodSelector), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + 
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setAlternativeIngressFromPodSelector, setIngressPortsHigher), } // Success cases are expected to pass validation. for k, v := range successCases { - if errs := ValidateNetworkPolicy(&v); len(errs) != 0 { + if errs := ValidateNetworkPolicy(v); len(errs) != 0 { t.Errorf("Expected success for %d, got %v", k, errs) } } invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} - errorCases := map[string]networking.NetworkPolicy{ - "namespaceSelector and ipBlock": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, + + // Error specific tweaks + setMissingFromToType := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ + { + 
From: []networking.NetworkPolicyPeer{{}}, }, - }, - "podSelector and ipBlock": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, + } + networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ + { + To: []networking.NetworkPolicyPeer{{}}, }, - }, - "missing from and to type": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{{}}, - }, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{{}}, - }, - }, + } + } + + setInvalidSpecPodselector := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec = networking.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{ + MatchLabels: invalidSelector, }, - }, - "invalid spec.podSelector": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: invalidSelector, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - }, - }, + } + } + + setInvalidIngressPortProtocol := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolICMP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, }, - }, - "invalid ingress.ports.protocol": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolICMP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - }, - }, - }, + } + } + + setInvalidIngressPortsPort := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, }, - }, - "invalid ingress.ports.port (int)": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, - }, - }, - }, - }, + } + } + + setInvalidIngressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, }, - }, - "invalid ingress.ports.port (str)": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - Ports: 
[]networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, - }, - }, - }, - }, + } + } + + setInvalidIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + } + + setInvalidEgressToPodSelector := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + } + + setInvalidEgressPortProtocol := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolICMP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, }, - }, - "invalid ingress.from.podSelector": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: invalidSelector, - }, - }, - }, - }, - }, + } + } + + setInvalidEgressPortsPort := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, }, - }, - "invalid egress.to.podSelector": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: invalidSelector, - }, - }, - }, - }, - }, + } + } + + setInvalidEgressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, }, - }, - "invalid egress.ports.protocol": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Egress: []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolICMP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - }, - }, - }, + } + } + + setInvalidIngressFromNameSpaceSelector := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + } + + unsetCIDR := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" + } + + setInvalidCIDRFormat := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" + } + + setInvalidIPV6Format := func(networkPolicy *networking.NetworkPolicy) { + 
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" + } + + setEmptyExcept := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"", " "} + } + + setExceptOutRange := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "192.168.8.0/24", + Except: []string{"192.168.9.1/24"}, + } + } + setExceptNotStrictlyRange := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "192.168.0.0/24", + Except: []string{"192.168.0.0/24"}, + } + } + + setExceptIPV6OutRange := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "fd00:192:168:1::/64", + Except: []string{"fd00:192:168:2::/64"}, + } + } + + setInvalidPolicyTypes := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"} + } + + setTooManyPolicyTypes := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} + } + + setEgressMultiplePortsOneInvalid := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, + EndPort: &endPort, }, - }, - "invalid egress.ports.port (int)": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Egress: []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, - }, - }, - }, - }, + { + Protocol: nil, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, + EndPort: &endPort, }, - }, - "invalid 
egress.ports.port (str)": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Egress: []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, - }, - }, - }, - }, + } + } + + setEndPortNamed := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, + EndPort: &endPort, }, - }, - "invalid ingress.from.namespaceSelector": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: invalidSelector, - }, - }, - }, - }, - }, + { + Protocol: nil, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, + EndPort: &endPort, }, - }, - "missing cidr field": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{}, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - Except: []string{"192.168.8.0/24", "192.168.9.0/24"}, - }, - }, - }, - }, - }, + } + } + + setEndPortWithoutPort := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + EndPort: &endPort, }, - }, - "invalid cidr format": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.5.6", - Except: []string{"192.168.1.0/24", "192.168.2.0/24"}, - }, - }, - }, - }, - }, + } + } + + setPortGreaterEndPort := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolSCTP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 33000}, + EndPort: &endPort, }, - }, - "invalid ipv6 cidr format": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168::", - Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, - }, - }, - }, - }, - }, + } + } + + setMultipleInvalidPortRanges := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, + EndPort: &endPort, }, - }, - "except field is an empty string": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.8.0/24", - Except: []string{"", " "}, - }, - }, - }, - }, - }, + { + Protocol: &protocolTCP, + EndPort: &endPort, }, - }, - "except IP is outside of CIDR range": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.8.0/24", - Except: []string{"192.168.9.1/24"}, - }, - }, - }, - }, - }, + { + Protocol: &protocolTCP, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: "https"}, + EndPort: &endPort, }, - }, - "except IP is not strictly within CIDR range": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/24", - Except: []string{"192.168.0.0/24"}, - }, - }, - }, - }, - }, + } + } + + setInvalidEndPortRanges := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: nil, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, + EndPort: utilpointer.Int32Ptr(65537), }, - }, - "except IPv6 is outside of CIDR range": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Ingress: []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "fd00:192:168:1::/64", - Except: []string{"fd00:192:168:2::/64"}, - }, - }, - }, - }, - }, - }, - }, - "invalid policyTypes": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{"foo", "bar"}, - }, - }, - "too many policyTypes": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - IPBlock: &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - }, - }, - }, - }, - }, - PolicyTypes: []networking.PolicyType{"foo", "bar", "baz"}, - }, - }, - "multiple ports defined, one port range is invalid": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, - "endPort defined with named/string port": { - 
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, - "endPort defined without port defined": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, - "port is greater than endPort": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 33000}, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, - "multiple invalid port ranges defined": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: 
metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "https"}, - EndPort: &endPort, - }, - }, - }, - }, - }, - }, - "invalid endport range defined": { - ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"}, - Spec: networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: map[string]string{"a": "b"}, - }, - Egress: []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{ - { - NamespaceSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, - }, - }, - }, - Ports: []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, - EndPort: utilpointer.Int32Ptr(65537), - }, - }, - }, - }, - }, - }, + } + } + + errorCases := map[string]*networking.NetworkPolicy{ + "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), + "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), + "missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setEgressEmptyFirstElement, setMissingFromToType), + "invalid spec.podSelector": makeNetworkPolicyCustom(setInvalidSpecPodselector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), + "invalid ingress.ports.protocol": 
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortProtocol), + "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPort), + "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPortStr), + "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setInvalidIngressFromPodSelector), + "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setInvalidEgressToPodSelector), + "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortProtocol), + "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPort), + "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPortStr), + "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setInvalidIngressFromNameSpaceSelector), + "missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, unsetCIDR), + "invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setInvalidCIDRFormat), + "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setInvalidIPV6Format), + "except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setEmptyExcept), + "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptOutRange), + "except IP is not strictly within 
CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptNotStrictlyRange), + "except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setExceptIPV6OutRange), + "invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setInvalidPolicyTypes), + "too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setTooManyPolicyTypes), + "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressMultiplePortsOneInvalid), + "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortNamed), + "endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortWithoutPort), + "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setPortGreaterEndPort), + "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setMultipleInvalidPortRanges), + "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setInvalidEndPortRanges), } // Error cases are not expected to pass validation. 
for testName, networkPolicy := range errorCases { - if errs := ValidateNetworkPolicy(&networkPolicy); len(errs) == 0 { + if errs := ValidateNetworkPolicy(networkPolicy); len(errs) == 0 { t.Errorf("Expected failure for test: %s", testName) } } From 8572c973d8c9fd248d3c748c28fc47b2e6caa200 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Wed, 17 Feb 2021 23:02:57 +0100 Subject: [PATCH 03/16] Add IPV6 IPBlock to success cases Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 47 +++++++++---------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 8a5a3f5028e..d039493a4de 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go @@ -58,10 +58,8 @@ func TestValidateNetworkPolicy(t *testing.T) { protocolICMP := api.Protocol("ICMP") protocolSCTP := api.ProtocolSCTP endPort := int32(32768) + // Tweaks used below. - // setIngressEmptyIngressRule := func(networkPolicy *networking.NetworkPolicy) { - // networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{} - // } setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{networking.NetworkPolicyIngressRule{}} } 
@@ -141,23 +139,15 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressFromIPBlockIPV6 := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ - CIDR: "fd00:192:168::/64", + CIDR: "fd00:192:168::/48", Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, } } - // setEgressEmptyEgressRule := func(networkPolicy *networking.NetworkPolicy) { - // networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{} - // } - setEgressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{networking.NetworkPolicyEgressRule{}} } - // setEgressEmptyTo := func(networkPolicy *networking.NetworkPolicy) { - // networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{} - // } - setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{networking.NetworkPolicyPeer{}} } @@ -174,6 +164,20 @@ func TestValidateNetworkPolicy(t *testing.T) { } } + setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ + CIDR: "192.168.0.0/16", + Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, + } + } + + setEgressToIPBlockIPV6 := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ + CIDR: "fd00:192:168::/48", + Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, + } + } + setEgressPorts := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { 
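Review bot: The `/64` to `/48` change in `setIngressFromIPBlockIPV6` is a silent correctness fix rather than the purely additive change the subject line describes: with `fd00:192:168::/64` the two `/64` excepts (`fd00:192:168:3::`, `fd00:192:168:4::`) sit outside the block, which is exactly what the `except IPv6 is outside of CIDR range` error case expects the validator to reject, so the tweak could never have backed a success case. That invariant deserves a line on the tweak so nobody narrows it back during a cleanup: `// /48 so that the /64 Except entries below are strictly inside the block.` It is also worth a sentence in the commit message.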
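Review bot: `setEgressToIPBlock` and `setEgressToIPBlockIPV6` embed the same `IPBlock` literals as their ingress counterparts, which invites a later refactor into one shared `&networking.IPBlock{...}`; that would be unsafe, because tweaks earlier in this series (`unsetCIDR`, `setInvalidCIDRFormat`, `setEmptyExcept`) mutate `IPBlock` fields in place through the pointer, and a shared block would leak one error case's corruption into the next. A one-line comment on each factory pins the requirement: `// Build a fresh IPBlock per call: later tweaks mutate it in place.` If deduplication is wanted, a small helper such as `func newIPBlockV6() *networking.IPBlock` that returns a new literal on every call keeps both properties.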
@@ -228,21 +232,14 @@ func TestValidateNetworkPolicy(t *testing.T) { } } - setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ - CIDR: "192.168.0.0/16", - Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, - } + setPolicyTypesEgress := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress} } setPolicyTypesIngressEgress := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress} } - setPolicyTypesEgress := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress} - } - successCases := []*networking.NetworkPolicy{ makeNetworkPolicyCustom(setIngressEmptyFirstElement), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressEmptyFrom, setIngressEmptyPorts), 
@@ -255,10 +252,10 @@ func TestValidateNetworkPolicy(t *testing.T) { makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts), - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setAlternativeIngressFromPodSelector, setIngressPortsHigher), } From c9a5bf14d81cc27c1f4bcadae209a029d4e449c6 Mon Sep 17 00:00:00 2001 
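Review bot: The four replaced entries appear to be verbatim repeats of cases already present earlier in `successCases`, so reusing the slots for IPv6 is the right call, but every IPv6 success case now has one shape, a `/48` with two `/64` excepts. Nothing positive covers an IPv6 `IPBlock` with no `Except` at all, or a single-address `/128` except, which is where the strict-containment rule the v4 error cases probe (`setExceptNotStrictlyRange`) actually bites; one extra entry such as `makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6NoExcept),` with a matching tweak would close that. The list continues past this hunk, so a later entry may already do this.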
From: Daniela Lins Date: Thu, 18 Feb 2021 10:02:27 +0100 Subject: [PATCH 04/16] Fixed gofmt issues Signed-off-by: Daniela Lins --- pkg/apis/networking/validation/validation_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index d039493a4de..fdb8298c9fb 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go @@ -61,7 +61,7 @@ func TestValidateNetworkPolicy(t *testing.T) { // Tweaks used below. setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{networking.NetworkPolicyIngressRule{}} + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}} } setIngressEmptyFrom := func(networkPolicy *networking.NetworkPolicy) { @@ -69,7 +69,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{networking.NetworkPolicyPeer{}} + networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}} } setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { @@ -145,11 +145,11 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{networking.NetworkPolicyEgressRule{}} + networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{{}} } setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{networking.NetworkPolicyPeer{}} + networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{{}} } setEgressToNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { 
From f7482a6766b6a35dc00eedbe264e75b66d0e7a86 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Sun, 21 Feb 2021 12:22:17 +0100 Subject: [PATCH 05/16] Went through the review notes - Adapt tweaks to be clearer - Use intstr.fromInt and intstr.fromStr - Added more tests to invalid ports Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 485 ++++++++---------- 1 file changed, 207 insertions(+), 278 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index fdb8298c9fb..06d629f58b9 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -59,29 +59,40 @@ func TestValidateNetworkPolicy(t *testing.T) { protocolSCTP := api.ProtocolSCTP endPort := int32(32768) + // Ports + port80 := intstr.FromInt(80) + port443 := intstr.FromInt(443) + portDns := intstr.FromString("dns") + port7777 := intstr.FromInt(7777) + port32768 := intstr.FromInt(32768) + port30000 := intstr.FromInt(30000) + port32000 := intstr.FromInt(32000) + port35000 := intstr.FromInt(35000) + portInvalidInt := intstr.FromInt(123456789) + portInvalidStr := intstr.FromString("!@#$") + portHttps := intstr.FromString("https") + // Tweaks used below. setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}} } - setIngressEmptyFrom := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{} - } - setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}} } setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{} - + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ + { + Ports: []networking.NetworkPolicyPort{{}}, + }, + } } - setIngressPorts := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, + Port: &port80, }, { Protocol: &protocolTCP, @@ -89,15 +100,15 @@ func TestValidateNetworkPolicy(t *testing.T) { }, { Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, + Port: &port443, }, { Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, + Port: &portDns, }, { Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, + Port: &port7777, }, } } 
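Review bot: The rewritten `setIngressEmptyPorts` no longer does what its name says: it replaces the whole `Spec.Ingress` slice with `[]NetworkPolicyIngressRule{{Ports: {{}}}}` instead of setting `Ingress[0].Ports`, so every tweak applied before it in a `makeNetworkPolicyCustom` call is discarded, and it now yields one zero-value `NetworkPolicyPort` rather than an empty port list, which are two different policies (an empty list versus one entry with nil protocol and nil port). Keep the tweak field-scoped like `setIngressPorts`, `networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{{}}`, and either rename it (`setIngressZeroValuePort`) or restore the genuinely empty list so the success case reads as what it checks. Separately, the new port variables should follow Go initialism casing: `portDNS` and `portHTTPS` rather than `portDns` and `portHttps`.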
@@ -106,24 +117,19 @@ func TestValidateNetworkPolicy(t *testing.T) { networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32768}, + Port: &port32768, EndPort: &endPort, }, } } - setIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ - MatchLabels: map[string]string{"c": "d"}, + setIngressFromPodSelector := func(k, v string) func(*networking.NetworkPolicy) { + return func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: map[string]string{k: v}, + } } } - - setAlternativeIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ - MatchLabels: map[string]string{"e": "f"}, - } - } - setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{"c": "d"}, @@ -178,11 +184,19 @@ func TestValidateNetworkPolicy(t *testing.T) { } } + setEgressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ + { + Ports: []networking.NetworkPolicyPort{{}}, + }, + } + } + setEgressPorts := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, + Port: &port80, }, { Protocol: &protocolTCP, 
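Review bot: `setEgressEmptyPorts` has the same shape problem as its ingress twin: it overwrites `Spec.Egress` wholesale rather than touching `Egress[0].Ports`, so any `setEgressTo*` tweak composed before it is silently discarded, and the result is a single zero-value `NetworkPolicyPort`, not an empty `Ports` list. Mirror the other egress tweaks, which all assume `setEgressEmptyFirstElement` ran first: `networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{{}}`. Its call sites are not in this hunk, so whether the clobbering is currently masking another tweak cannot be confirmed from here.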
@@ -190,15 +204,15 @@ func TestValidateNetworkPolicy(t *testing.T) { }, { Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, + Port: &port443, }, { Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, + Port: &portDns, }, { Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, + Port: &port7777, }, } } @@ -207,12 +221,12 @@ func TestValidateNetworkPolicy(t *testing.T) { networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, + Port: &port32000, EndPort: &endPort, }, { Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, + Port: &portDns, }, } } @@ -221,12 +235,12 @@ func TestValidateNetworkPolicy(t *testing.T) { networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ { Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, + Port: &port30000, EndPort: &endPort, }, { Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, + Port: &port32000, EndPort: &endPort, }, } 
@@ -242,11 +256,11 @@ func TestValidateNetworkPolicy(t *testing.T) { successCases := []*networking.NetworkPolicy{ makeNetworkPolicyCustom(setIngressEmptyFirstElement), - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressEmptyFrom, setIngressEmptyPorts), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts), - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setAlternativeIngressFromPodSelector), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), 
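Review bot: The success case `makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts)` asserts less than it reads: as defined in this patch's first hunk, `setIngressEmptyPorts` replaces `Spec.Ingress` wholesale, so the zero-value peer installed by `setIngressFromEmptyFirstElement`, which the `missing from and to type` error case expects to be rejected, is wiped before validation runs and the two leading tweaks are dead. The previous form used an explicit empty `From` list via `setIngressEmptyFrom`, which is a valid peer list; either restore that tweak and make `setIngressEmptyPorts` field-scoped, or drop the dead arguments so the entry honestly says `makeNetworkPolicyCustom(setIngressEmptyPorts),`. A positive test that passes only because a later tweak discards an invalid fragment will keep passing if the validator ever stops rejecting that fragment.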
@@ -257,7 +271,7 @@ func TestValidateNetworkPolicy(t *testing.T) { makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setAlternativeIngressFromPodSelector, setIngressPortsHigher), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPortsHigher), } // Success cases are expected to pass validation. @@ -270,251 +284,166 @@ func TestValidateNetworkPolicy(t *testing.T) { invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} - // Error specific tweaks - setMissingFromToType := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ - { - 
From: []networking.NetworkPolicyPeer{{}}, - }, - } - networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{{}}, - }, - } - } - - setInvalidSpecPodselector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec = networking.NetworkPolicySpec{ - PodSelector: metav1.LabelSelector{ - MatchLabels: invalidSelector, - }, - } - } - - setInvalidIngressPortProtocol := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolICMP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - } - } - - setInvalidIngressPortsPort := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, - }, - } - } - - setInvalidIngressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, - }, - } - } - - setInvalidIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ - MatchLabels: invalidSelector, - } - } - - setInvalidEgressToPodSelector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{ - MatchLabels: invalidSelector, - } - } - - setInvalidEgressPortProtocol := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolICMP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, - }, - } - } - - setInvalidEgressPortsPort := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - 
{ - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789}, - }, - } - } - - setInvalidEgressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"}, - }, - } - } - - setInvalidIngressFromNameSpaceSelector := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ - MatchLabels: invalidSelector, - } - } - - unsetCIDR := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" - } - - setInvalidCIDRFormat := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" - } - - setInvalidIPV6Format := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" - } - - setEmptyExcept := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"", " "} - } - - setExceptOutRange := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ - CIDR: "192.168.8.0/24", - Except: []string{"192.168.9.1/24"}, - } - } - setExceptNotStrictlyRange := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ - CIDR: "192.168.0.0/24", - Except: []string{"192.168.0.0/24"}, - } - } - - setExceptIPV6OutRange := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ - CIDR: "fd00:192:168:1::/64", - Except: []string{"fd00:192:168:2::/64"}, - } - } - - setInvalidPolicyTypes := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"} - } - - 
setTooManyPolicyTypes := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} - } - - setEgressMultiplePortsOneInvalid := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - } - } - - setEndPortNamed := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, - EndPort: &endPort, - }, - } - } - - setEndPortWithoutPort := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - } - } - - setPortGreaterEndPort := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolSCTP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 33000}, - EndPort: &endPort, - }, - } - } - - setMultipleInvalidPortRanges := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000}, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - Port: &intstr.IntOrString{Type: intstr.String, StrVal: "https"}, - EndPort: &endPort, - }, - } - } - - setInvalidEndPortRanges := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = 
[]networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, - EndPort: utilpointer.Int32Ptr(65537), - }, - } - } - errorCases := map[string]*networking.NetworkPolicy{ - "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), - "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), - "missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setEgressEmptyFirstElement, setMissingFromToType), - "invalid spec.podSelector": makeNetworkPolicyCustom(setInvalidSpecPodselector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), - "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortProtocol), - "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPort), - "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPortStr), - "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setInvalidIngressFromPodSelector), - "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setInvalidEgressToPodSelector), - "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortProtocol), - "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPort), - "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPortStr), - "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, 
setIngressFromEmptyFirstElement, setInvalidIngressFromNameSpaceSelector), - "missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, unsetCIDR), - "invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setInvalidCIDRFormat), - "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setInvalidIPV6Format), - "except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setEmptyExcept), - "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptOutRange), - "except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptNotStrictlyRange), - "except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setExceptIPV6OutRange), - "invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setInvalidPolicyTypes), - "too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setTooManyPolicyTypes), - "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressMultiplePortsOneInvalid), - "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortNamed), - "endPort defined without port defined": 
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortWithoutPort), - "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setPortGreaterEndPort), - "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setMultipleInvalidPortRanges), - "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setInvalidEndPortRanges), + "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), + "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), + "missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement), + "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec = networking.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{ + MatchLabels: invalidSelector, + }, + } + }), + "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports[0].Protocol = &protocolICMP + }), + "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidInt + }), + "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, 
func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidStr + }), + "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + }), + "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + }), + "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports[0].Protocol = &protocolICMP + }), + "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidInt + }), + "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidStr + }), + "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ + MatchLabels: invalidSelector, + } + }), + "missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" + }), + "invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy 
*networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" + }), + "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" + }), + "except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""} + }), + "except field is an space string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "} + }), + "except field is an invalid ip": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"} + }), + "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "192.168.8.0/24", + Except: []string{"192.168.9.1/24"}, + } + }), + "except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "192.168.0.0/24", + Except: []string{"192.168.0.0/24"}, + } + }), + "except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy 
*networking.NetworkPolicy) { + networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ + CIDR: "fd00:192:168:1::/64", + Except: []string{"fd00:192:168:2::/64"}, + } + }), + "invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"} + }), + "too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} + }), + "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &port35000, + EndPort: &endPort, + }, + { + Protocol: nil, + Port: &port32000, + EndPort: &endPort, + }, + } + }), + "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &portDns, + EndPort: &endPort, + }, + { + Protocol: nil, + Port: &port32000, + EndPort: &endPort, + }, + } + }), + "endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolTCP, + EndPort: &endPort, + }, + } + }), + "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, 
setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolSCTP, + Port: &port35000, + EndPort: &endPort, + }, + } + }), + + "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: &protocolUDP, + Port: &port35000, + EndPort: &endPort, + }, + { + Protocol: &protocolTCP, + EndPort: &endPort, + }, + { + Protocol: &protocolTCP, + Port: &portHttps, + EndPort: &endPort, + }, + } + }), + + "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ + { + Protocol: nil, + Port: &port30000, + EndPort: utilpointer.Int32Ptr(65537), + }, + } + }), } // Error cases are not expected to pass validation. From 611f061c45eebfb56bf617753dbe3d125b2ac860 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Wed, 24 Feb 2021 13:09:13 +0100 Subject: [PATCH 06/16] Change error msg and comments to easily find test Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 06d629f58b9..a8b24ca6d4b 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
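Review bot: The map key `"except field is an space string"` added in this hunk should read `"except field is a space string"`; the key is the only identifier printed when an error case unexpectedly passes, so it is what someone will grep for later. The entries `"multiple invalid port ranges defined"` and `"invalid endport range defined"` are also preceded by a blank added line while the rest of the map is not, which gofmt keeps, so they read as a separate group for no reason. Note that the inlined closures still only assert that validation fails somewhere; for cases built from several tweaks (for example `"invalid spec.podSelector"`, whose closure replaces the whole Spec), checking the returned field path would make sure each case fails for the reason its key claims rather than for an unrelated one.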
@@ -255,22 +255,39 @@ func TestValidateNetworkPolicy(t *testing.T) { } successCases := []*networking.NetworkPolicy{ + // Success Test Number 1 makeNetworkPolicyCustom(setIngressEmptyFirstElement), + // Success Test Number 2 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts), + // Success Test Number 3 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts), + // Success Test Number 4 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")), + // Success Test Number 5 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), + // Success Test Number 6 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")), + // Success Test Number 7 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + // Success Test Number 8 makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + // Success Test Number 9 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), + // Success Test Number 10 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), + // Success Test Number 11 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts), + // Success Test Number 12 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + // Success Test Number 13 makeNetworkPolicyCustom(setIngressEmptyFirstElement, 
setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + // Success Test Number 14 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), + // Success Test Number 15 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), + // Success Test Number 16 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), + // Success Test Number 17 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPortsHigher), } @@ -278,7 +295,7 @@ func TestValidateNetworkPolicy(t *testing.T) { for k, v := range successCases { if errs := ValidateNetworkPolicy(v); len(errs) != 0 { - t.Errorf("Expected success for %d, got %v", k, errs) + t.Errorf("Expected success for the success validation test number %d, got %v", (k + 1), errs) } } From 6d330d973853a05c02d895f1ee0dbbaa9c399629 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Sat, 6 Mar 2021 16:51:35 +0100 Subject: [PATCH 07/16] Refactored setIngressPorts and setEgressPorts Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 285 +++++------------- 1 file changed, 73 insertions(+), 212 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index a8b24ca6d4b..3afb32feede 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
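Review bot: The `// Success Test Number N` comments added in this hunk encode a position that the loop in the @@ -278 hunk also computes as `k + 1`, so inserting, removing or reordering one case leaves up to sixteen comments wrong and the printed number pointing at a different case. A `map[string]*networking.NetworkPolicy` keyed by a short description, as errorCases already is, gives the failure message a stable name instead: `t.Errorf("Expected success for %q, got %v", name, errs)`. In the @@ -278 hunk the parentheses around `(k + 1)` are unnecessary.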
@@ -44,7 +44,9 @@ func makeValidNetworkPolicy() *networking.NetworkPolicy { } } -func makeNetworkPolicyCustom(tweaks ...func(networkPolicy *networking.NetworkPolicy)) *networking.NetworkPolicy { +type netpolTweak func(networkPolicy *networking.NetworkPolicy) + +func makeNetworkPolicyCustom(tweaks ...netpolTweak) *networking.NetworkPolicy { networkPolicy := makeValidNetworkPolicy() for _, fn := range tweaks { fn(networkPolicy) @@ -52,25 +54,25 @@ func makeNetworkPolicyCustom(tweaks ...func(networkPolicy *networking.NetworkPol return networkPolicy } +func makePort(proto *api.Protocol, port intstr.IntOrString, endPort int32) networking.NetworkPolicyPort { + r := networking.NetworkPolicyPort{ + Protocol: proto, + Port: nil, + } + if port != intstr.FromInt(0) { + r.Port = &port + } + if endPort != 0 { + r.EndPort = utilpointer.Int32Ptr(endPort) + } + return r +} + func TestValidateNetworkPolicy(t *testing.T) { protocolTCP := api.ProtocolTCP protocolUDP := api.ProtocolUDP protocolICMP := api.Protocol("ICMP") protocolSCTP := api.ProtocolSCTP - endPort := int32(32768) - - // Ports - port80 := intstr.FromInt(80) - port443 := intstr.FromInt(443) - portDns := intstr.FromString("dns") - port7777 := intstr.FromInt(7777) - port32768 := intstr.FromInt(32768) - port30000 := intstr.FromInt(30000) - port32000 := intstr.FromInt(32000) - port35000 := intstr.FromInt(35000) - portInvalidInt := intstr.FromInt(123456789) - portInvalidStr := intstr.FromString("!@#$") - portHttps := intstr.FromString("https") // Tweaks used below. setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { @@ -78,7 +80,11 @@ func TestValidateNetworkPolicy(t *testing.T) { } setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}} + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ + { + 
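Review bot: The new `type netpolTweak` in this hunk has no comment, and its name is the only place the mutate-in-place, applied-in-order contract of makeNetworkPolicyCustom is expressed. Suggest `// netpolTweak mutates a NetworkPolicy in place; makeNetworkPolicyCustom applies tweaks in argument order, so a later tweak overwrites what an earlier one set.` above the type. The ordering caveat matters because several tweaks in this file replace whole slices rather than editing single fields.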
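Review bot: `makePort` in this hunk uses `port != intstr.FromInt(0)` and `endPort != 0` as "unset" sentinels, so a case can no longer express an explicit integer port 0 or an explicit endPort of 0, which are presumably boundary values the port validator is expected to reject. If those cases are wanted, accept `*intstr.IntOrString` / `*int32` with nil meaning unset, or add a separate helper; otherwise document the sentinel, since the helper currently has no comment: `// makePort builds a NetworkPolicyPort; a zero-valued port or endPort leaves the corresponding field nil.` The explicit `Port: nil,` in the literal is redundant and can be dropped.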
From: []networking.NetworkPolicyPeer{{}}, + }, + } } setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { @@ -88,38 +94,13 @@ func TestValidateNetworkPolicy(t *testing.T) { }, } } - setIngressPorts := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &port80, - }, - { - Protocol: &protocolTCP, - Port: nil, - }, - { - Protocol: &protocolTCP, - Port: &port443, - }, - { - Protocol: &protocolUDP, - Port: &portDns, - }, - { - Protocol: &protocolSCTP, - Port: &port7777, - }, - } - } - setIngressPortsHigher := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - Port: &port32768, - EndPort: &endPort, - }, + setIngressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { + return func(np *networking.NetworkPolicy) { + np.Spec.Ingress[0].Ports = make([]networking.NetworkPolicyPort, len(ports)) + for i, p := range ports { + np.Spec.Ingress[0].Ports[i] = p + } } } 
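Review bot: `setIngressFromEmptyFirstElement` in this hunk now assigns `networkPolicy.Spec.Ingress` as a whole instead of `Ingress[0].From`, so it silently discards any Ports an earlier tweak in the same makeNetworkPolicyCustom call put on the first rule; the cases later in this patch happen to be ordered so this does not bite, but nothing enforces that order. Either rename it to say what it does (`setIngressRuleWithEmptyFrom`) or keep it additive: `if len(networkPolicy.Spec.Ingress) == 0 { setIngressEmptyFirstElement(networkPolicy) }` followed by the original `networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}}`. setIngressEmptyFirstElement, which that would reuse, is defined above this hunk.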
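Review bot: The `make` plus index loop in the new `setIngressPorts` factory in this hunk (and the identical body of `setEgressPorts` in the @@ -192 hunk) is a hand-rolled slice copy; `np.Spec.Ingress[0].Ports = append([]networking.NetworkPolicyPort(nil), ports...)` does the same in one line and makes the intent (copy, do not alias the variadic slice) visible, with the caveat that for zero arguments it yields a nil rather than an empty slice, so keep `make` if the validator or a serialization check distinguishes the two. Both factories still index `[0]` and will panic if applied before a tweak that creates the first rule; since the two closures differ only in Ingress versus Egress, a short `// requires Ingress[0] (resp. Egress[0]) to exist` on each saves the next reader a trace through the call sites.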
@@ -192,57 +173,12 @@ func TestValidateNetworkPolicy(t *testing.T) { } } - setEgressPorts := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &port80, - }, - { - Protocol: &protocolTCP, - Port: nil, - }, - { - Protocol: &protocolTCP, - Port: &port443, - }, - { - Protocol: &protocolUDP, - Port: &portDns, - }, - { - Protocol: &protocolSCTP, - Port: &port7777, - }, - } - } - - setEgressPortsUDPandHigh := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &port32000, - EndPort: &endPort, - }, - { - Protocol: &protocolUDP, - Port: &portDns, - }, - } - } - - setEgressPortsBothHigh := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: nil, - Port: &port30000, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &port32000, - EndPort: &endPort, - }, + setEgressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { + return func(np *networking.NetworkPolicy) { + np.Spec.Egress[0].Ports = make([]networking.NetworkPolicyPort, len(ports)) + for i, p := range ports { + np.Spec.Egress[0].Ports[i] = p + } } } 
@@ -258,37 +194,37 @@ func TestValidateNetworkPolicy(t *testing.T) { // Success Test Number 1 makeNetworkPolicyCustom(setIngressEmptyFirstElement), // Success Test Number 2 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts), // Success Test Number 3 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts), + makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), // Success Test Number 4 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")), // Success Test Number 5 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), // Success Test Number 6 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")), // Success Test Number 7 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlock), // Success Test Number 8 - 
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock), // Success Test Number 9 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), // Success Test Number 10 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), // Success Test Number 11 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), // Success Test Number 12 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), // Success Test Number 13 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), // Success Test Number 14 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), // Success Test Number 15 makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), // Success Test Number 16 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), + 
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))), // Success Test Number 17 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPortsHigher), + makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), } // Success cases are expected to pass validation. 
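Review bot: Success Test Number 3 and Number 11 in this hunk each inline the same five `makePort(...)` calls on one line, so the two lists can drift apart and a reader cannot see at a glance that ingress and egress are validated against the same ports; hoisting them into a local (`commonPorts := []networking.NetworkPolicyPort{...}`) and calling `setIngressPorts(commonPorts...)` / `setEgressPorts(commonPorts...)` keeps them in lockstep. `makePort(&protocolTCP, intstr.FromInt(0), 0)` in that list reads as "TCP on port 0" although it relies on makePort's sentinel to mean "no port"; a comment there, or a named `noPort` value, would make that explicit. makePort itself is defined outside this hunk.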
@@ -302,10 +238,10 @@ func TestValidateNetworkPolicy(t *testing.T) { invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} errorCases := map[string]*networking.NetworkPolicy{ - "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), + "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), - "missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement), - "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + "missing from and to type": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement), + "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec = networking.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: invalidSelector, 
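Review bot: In the new `"invalid spec.podSelector"` case the trailing closure assigns `networkPolicy.Spec = networking.NetworkPolicySpec{...}` wholesale, so the `setIngressFromNamespaceSelector` tweak placed before it is discarded and the case only exercises an invalid top-level podSelector on a policy with no ingress rule at all. If the ingress peer is meant to stay, change the closure to set only the field, `networkPolicy.Spec.PodSelector = metav1.LabelSelector{MatchLabels: invalidSelector}`; otherwise drop the preceding tweak so the setup does not suggest coverage it does not provide. Since the error loop presumably asserts only that some error comes back, a case that fails for a different reason than its name states goes unnoticed. TestValidateNetworkPolicy begins and ends outside this hunk.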
@@ -315,13 +251,10 @@ func TestValidateNetworkPolicy(t *testing.T) { "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].Ports[0].Protocol = &protocolICMP }), - "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidInt - }), - "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidStr - }), - "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, setIngressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), + "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, + setIngressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), + "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ MatchLabels: invalidSelector, } 
@@ -331,51 +264,46 @@ func TestValidateNetworkPolicy(t *testing.T) { MatchLabels: invalidSelector, } }), - "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports[0].Protocol = &protocolICMP - }), - "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidInt - }), - "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidStr - }), - "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), + + "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), + "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), + "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ MatchLabels: invalidSelector, } }), - "missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "missing cidr field": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" }), - 
"invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "invalid cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" }), - "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { + "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" }), - "except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an empty string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""} }), - "except field is an space string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an space string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "} }), - "except field is an invalid ip": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, 
setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"} }), - "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.8.0/24", Except: []string{"192.168.9.1/24"}, } }), - "except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/24", Except: []string{"192.168.0.0/24"}, } }), - "except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "fd00:192:168:1::/64", Except: []string{"fd00:192:168:2::/64"}, 
@@ -387,80 +315,13 @@ func TestValidateNetworkPolicy(t *testing.T) { "too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} }), - "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &port35000, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &port32000, - EndPort: &endPort, - }, - } - }), - "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &portDns, - EndPort: &endPort, - }, - { - Protocol: nil, - Port: &port32000, - EndPort: &endPort, - }, - } - }), - "endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - } - }), - "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolSCTP, - Port: &port35000, - EndPort: &endPort, - }, - } - }), + "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, 
setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))), + "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromString("dns"), 32768), makePort(nil, intstr.FromInt(32000), 32768))), + "endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768))), + "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768))), + "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(&protocolTCP, intstr.FromInt(0), 32768), makePort(&protocolTCP, intstr.FromString("https"), 32768))), - "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: &protocolUDP, - Port: &port35000, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - EndPort: &endPort, - }, - { - Protocol: &protocolTCP, - Port: &portHttps, - EndPort: &endPort, - }, - } - }), - - "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ - { - Protocol: 
nil, - Port: &port30000, - EndPort: utilpointer.Int32Ptr(65537), - }, - } - }), + "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(30000), 65537))), } // Error cases are not expected to pass validation. From f8e7d30e46e9401777c2ab4841643fb5653bd06b Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Sat, 6 Mar 2021 18:58:33 +0100 Subject: [PATCH 08/16] Make tweaks only reset slices if empty Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 139 ++++++++++++------ 1 file changed, 90 insertions(+), 49 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 3afb32feede..508ae1596ff 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go @@ -76,7 +76,7 @@ func TestValidateNetworkPolicy(t *testing.T) { // Tweaks used below. setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}} + networkPolicy.Spec.Ingress = make([]networking.NetworkPolicyIngressRule, 1) } setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { @@ -87,6 +87,14 @@ func TestValidateNetworkPolicy(t *testing.T) { } } + setIngressFromIfEmpty := func(networkPolicy *networking.NetworkPolicy) { + if networkPolicy.Spec.Ingress == nil { + setIngressEmptyFirstElement(networkPolicy) + } + if networkPolicy.Spec.Ingress[0].From == nil { + setIngressFromEmptyFirstElement(networkPolicy) + } + } setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ { 
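Review bot: `"endPort defined without port defined"` is now expressed as `makePort(&protocolTCP, intstr.FromInt(0), 32768)`, so whether Port really ends up nil depends on makePort treating an int value of 0 as "unset" (makePort is not in this hunk). If it does not, the policy carries Port=0, which is rejected on its own as an out-of-range port, and the case passes for a reason unrelated to its name. Spelling the intent out avoids the sentinel: `setEgressPorts(networking.NetworkPolicyPort{Protocol: &protocolTCP, EndPort: utilpointer.Int32Ptr(32768)})`, provided that helper is still in scope after this patch. Note also that `"invalid endport range defined"` quietly switches Protocol from nil to TCP, which narrows what that case covers. The enclosing TestValidateNetworkPolicy continues outside the hunk.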
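Review bot: `setIngressFromIfEmpty` guards with `== nil` and then indexes `[0]`, so an ingress slice that is non-nil but empty (for instance one produced by a `[]networking.NetworkPolicyIngressRule{}` literal) makes the helper panic with an index-out-of-range instead of initialising the rule. The helpers visible in this hunk always allocate length 1, so nothing shown hits this today, but `len(networkPolicy.Spec.Ingress) == 0` and `len(networkPolicy.Spec.Ingress[0].From) == 0` express the stated intent ("reset if empty") exactly and cost nothing. The enclosing test function starts and ends outside the hunk.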
@@ -97,6 +105,9 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { return func(np *networking.NetworkPolicy) { + if np.Spec.Ingress == nil { + setIngressEmptyFirstElement(np) + } np.Spec.Ingress[0].Ports = make([]networking.NetworkPolicyPort, len(ports)) for i, p := range ports { np.Spec.Ingress[0].Ports[i] = p @@ -106,18 +117,30 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressFromPodSelector := func(k, v string) func(*networking.NetworkPolicy) { return func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ - MatchLabels: map[string]string{k: v}, + setIngressFromIfEmpty(networkPolicy) + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ + { + From: []networking.NetworkPolicyPeer{ + { + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{k: v}, + }, + }, + }, + }, } } + } setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { + setIngressFromIfEmpty(networkPolicy) networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{"c": "d"}, } } setIngressFromIPBlock := func(networkPolicy *networking.NetworkPolicy) { + setIngressFromIfEmpty(networkPolicy) networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/16", Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, @@ -125,6 +148,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } setIngressFromIPBlockIPV6 := func(networkPolicy *networking.NetworkPolicy) { + setIngressFromIfEmpty(networkPolicy) networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "fd00:192:168::/48", Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, 
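Review bot: The rewritten `setIngressFromPodSelector` calls `setIngressFromIfEmpty` and then immediately replaces the whole `networkPolicy.Spec.Ingress` slice with a fresh literal, so the IfEmpty call is dead and any `From` peer or `Ports` entry set by an earlier tweak is silently thrown away. That makes the helper order-dependent: a case composed as namespaceSelector-then-podSelector ends up testing a pod-selector-only peer and still passes, a weaker policy than its composition implies. The sibling helpers in this hunk already show the composable form; keep the IfEmpty call and set just the field, `networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{MatchLabels: map[string]string{k: v}}`. The enclosing test function starts and ends outside the hunk.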
@@ -132,26 +156,41 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{{}} + networkPolicy.Spec.Egress = make([]networking.NetworkPolicyEgressRule, 1) } setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{{}} + networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ + { + To: []networking.NetworkPolicyPeer{{}}, + }, + } } + setEgressToIfEmpty := func(networkPolicy *networking.NetworkPolicy) { + if networkPolicy.Spec.Egress == nil { + setEgressEmptyFirstElement(networkPolicy) + } + if networkPolicy.Spec.Egress[0].To == nil { + setEgressToEmptyFirstElement(networkPolicy) + } + } setEgressToNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { + setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{"c": "d"}, } } setEgressToPodSelector := func(networkPolicy *networking.NetworkPolicy) { + setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{"c": "d"}, } } setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) { + setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/16", Except: []string{"192.168.3.0/24", "192.168.4.0/24"}, @@ -159,6 +198,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressToIPBlockIPV6 := func(networkPolicy *networking.NetworkPolicy) { + setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ CIDR: "fd00:192:168::/48", Except: []string{"fd00:192:168:3::/64", "fd00:192:168:4::/64"}, 
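Review bot: `setEgressToEmptyFirstElement` now assigns a brand-new `Spec.Egress` slice instead of setting `Egress[0].To`, so if it runs after `setEgressPorts` the ports vanish; `setEgressToIfEmpty` invokes it exactly when `To` is nil, which is also the situation where a rule may already carry ports. The cases visible in this series order the selector tweak before the ports tweak, so nothing fails today, but the composition is fragile and the constraint is invisible at the call sites. Creating the rule only when absent and then touching only `To` keeps the helper composable in either order, and the direct caller `"missing from and to type"` still works because the rule is created on demand. The enclosing test function starts and ends outside the hunk.
```go
setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
	if len(networkPolicy.Spec.Egress) == 0 {
		setEgressEmptyFirstElement(networkPolicy)
	}
	networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{{}}
}
```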
@@ -175,6 +215,9 @@ func TestValidateNetworkPolicy(t *testing.T) { setEgressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { return func(np *networking.NetworkPolicy) { + if np.Spec.Egress == nil { + setEgressEmptyFirstElement(np) + } np.Spec.Egress[0].Ports = make([]networking.NetworkPolicyPort, len(ports)) for i, p := range ports { np.Spec.Egress[0].Ports[i] = p 
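Review bot: `setEgressPorts` guards only against a nil `Spec.Egress` before indexing `[0]`; an empty non-nil slice would panic rather than be initialised, so `if len(np.Spec.Egress) == 0 {` is the safer spelling of the same intent. Style: the index loop that follows is a hand-rolled copy; `copy(np.Spec.Egress[0].Ports, ports)` after the `make` does the same in one line with identical semantics, including the empty-but-non-nil result when no ports are passed. The enclosing test function starts and ends outside the hunk.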
@@ -194,37 +237,37 @@ func TestValidateNetworkPolicy(t *testing.T) { // Success Test Number 1 makeNetworkPolicyCustom(setIngressEmptyFirstElement), // Success Test Number 2 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts), + makeNetworkPolicyCustom(setIngressEmptyPorts), // Success Test Number 3 - makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), + makeNetworkPolicyCustom(setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), // Success Test Number 4 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")), + makeNetworkPolicyCustom(setIngressFromPodSelector("c", "d")), // Success Test Number 5 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), + makeNetworkPolicyCustom(setIngressFromNamespaceSelector), // Success Test Number 6 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")), + makeNetworkPolicyCustom(setIngressFromPodSelector("e", "f"), setIngressFromNamespaceSelector), // Success Test Number 7 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlock), // Success Test Number 8 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock), + makeNetworkPolicyCustom(setIngressFromIPBlock), // Success Test Number 9 - 
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesEgress), // Success Test Number 10 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesIngressEgress), // Success Test Number 11 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), + makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), // Success Test Number 12 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlockIPV6), // Success Test Number 13 - makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6), + makeNetworkPolicyCustom(setIngressFromIPBlockIPV6), // Success Test Number 14 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressToIPBlockIPV6, setPolicyTypesEgress), // Success Test Number 15 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), // Success Test Number 16 - 
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))), + makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))), // Success Test Number 17 - makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), + makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), } // Success cases are expected to pass validation. 
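Review bot: Success case 6 was flipped to `setIngressFromPodSelector("e", "f"), setIngressFromNamespaceSelector`, which appears necessary only because setIngressFromPodSelector (outside this hunk) replaces the whole ingress slice; in the reverse order the namespace selector would be silently dropped and, since the loop presumably asserts only that no error is returned, the case would still pass while covering less. A reader of the case list cannot see that constraint, so either restore the natural order once the helper sets only `From[0].PodSelector`, `makeNetworkPolicyCustom(setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f"))`, or add a one-line comment stating that the pod-selector tweak must run first. TestValidateNetworkPolicy starts and ends outside the hunk.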
@@ -238,57 +281,55 @@ func TestValidateNetworkPolicy(t *testing.T) { invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} errorCases := map[string]*networking.NetworkPolicy{ - "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), - "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), - "missing from and to type": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement), - "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { + "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromNamespaceSelector, setIngressFromIPBlock), + "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressToPodSelector, setEgressToIPBlock), + "missing from and to type": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setEgressToEmptyFirstElement), + "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec = networking.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: invalidSelector, }, } }), - "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress[0].Ports[0].Protocol = &protocolICMP - }), - "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, setIngressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), - "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, + "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, + setIngressPorts(makePort(&protocolICMP, intstr.FromInt(80), 
0))), + "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), + "invalid ingress.ports.port (str)": makeNetworkPolicyCustom( setIngressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ MatchLabels: invalidSelector, } }), - "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { + "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressToEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{ MatchLabels: invalidSelector, } }), - "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), - - "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), - "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), + "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), + "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), + "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { 
networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ MatchLabels: invalidSelector, } }), - "missing cidr field": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "missing cidr field": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" }), - "invalid cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "invalid cidr format": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" }), - "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { + "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" }), - "except field is an empty string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an empty string": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""} }), - "except field is an space string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an space string": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "} }), - "except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, 
setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"} }), "except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { 
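Review bot: `"invalid ingress.ports.protocol"` keeps the `setIngressEmptyPorts` prefix while its int and str siblings in the same hunk drop it; since `setIngressPorts` now creates the rule itself and overwrites `Ports`, the prefix is dead setup and the three cases should read alike, `makeNetworkPolicyCustom(setIngressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0)))`. The str case also carries a stray space after the opening parenthesis and an inconsistent line break that the other one-line cases do not have. TestValidateNetworkPolicy starts and ends outside the hunk.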
@@ -309,19 +350,19 @@ func TestValidateNetworkPolicy(t *testing.T) { Except: []string{"fd00:192:168:2::/64"}, } }), - "invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "invalid policyTypes": makeNetworkPolicyCustom(setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"} }), - "too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "too many policyTypes": makeNetworkPolicyCustom(setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} }), - "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))), - "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromString("dns"), 32768), makePort(nil, intstr.FromInt(32000), 32768))), - "endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768))), - "port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768))), - "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, 
setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(&protocolTCP, intstr.FromInt(0), 32768), makePort(&protocolTCP, intstr.FromString("https"), 32768))), + "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))), + "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromString("dns"), 32768), makePort(nil, intstr.FromInt(32000), 32768))), + "endPort defined without port defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768))), + "port is greater than endPort": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768))), + "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(&protocolTCP, intstr.FromInt(0), 32768), makePort(&protocolTCP, intstr.FromString("https"), 32768))), - "invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(30000), 65537))), + "invalid endport range defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(30000), 65537))), } // Error cases are not expected to pass validation. From 0444bdc944c2f4c7517429f852d605192d0de5a4 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Sat, 6 Mar 2021 18:59:59 +0100 Subject: [PATCH 09/16] Remove success case comments 
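Review bot: `"too many policyTypes"` now builds on `setEgressToIPBlock`, but its list is still `{"foo", "bar", "baz"}`, which are both unknown names and one entry too many, so the case would keep passing even if the count check disappeared, assuming validation rejects the unknown names on their own. Using recognised names isolates the check the case name promises: `networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"Ingress", "Egress", "Ingress"}`. The closure body is context here and TestValidateNetworkPolicy starts and ends outside the hunk.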
Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 24 +++---------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 508ae1596ff..423c92309ab 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -234,39 +234,22 @@ func TestValidateNetworkPolicy(t *testing.T) { } successCases := []*networking.NetworkPolicy{ - // Success Test Number 1 makeNetworkPolicyCustom(setIngressEmptyFirstElement), - // Success Test Number 2 - makeNetworkPolicyCustom(setIngressEmptyPorts), - // Success Test Number 3 + makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts), makeNetworkPolicyCustom(setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), - // Success Test Number 4 makeNetworkPolicyCustom(setIngressFromPodSelector("c", "d")), - // Success Test Number 5 makeNetworkPolicyCustom(setIngressFromNamespaceSelector), - // Success Test Number 6 makeNetworkPolicyCustom(setIngressFromPodSelector("e", "f"), setIngressFromNamespaceSelector), - // Success Test Number 7 makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlock), - // Success Test Number 8 makeNetworkPolicyCustom(setIngressFromIPBlock), - // Success Test Number 9 makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesEgress), - // Success Test Number 10 makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesIngressEgress), - // Success Test Number 11 makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), - // Success Test Number 12 makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlockIPV6), - // Success Test Number 13 makeNetworkPolicyCustom(setIngressFromIPBlockIPV6), - // Success Test Number 14 makeNetworkPolicyCustom(setEgressToIPBlockIPV6, setPolicyTypesEgress), - // Success Test Number 15 makeNetworkPolicyCustom(setEgressToIPBlockIPV6, 
setPolicyTypesIngressEgress), - // Success Test Number 16 makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))), - // Success Test Number 17 makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), } @@ -274,7 +257,7 @@ func TestValidateNetworkPolicy(t *testing.T) { for k, v := range successCases { if errs := ValidateNetworkPolicy(v); len(errs) != 0 { - t.Errorf("Expected success for the success validation test number %d, got %v", (k + 1), errs) + t.Errorf("Expected success for the success validation test number %d, got %v", k, errs) } } @@ -291,8 +274,7 @@ func TestValidateNetworkPolicy(t *testing.T) { }, } }), - "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, - setIngressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), + "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), "invalid ingress.ports.port (str)": makeNetworkPolicyCustom( setIngressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), From 36e040f86edbcda9ed9d55050f677959cac42627 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Sun, 7 Mar 2021 13:04:10 +0100 Subject: [PATCH 10/16] Fix empty setter logic Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 423c92309ab..6e2ddfbbf58 100644 --- a/pkg/apis/networking/validation/validation_test.go 
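Review bot: The new success case `makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts)` does not test what its tweak list suggests, because setIngressEmptyPorts (as shown in the later @@ -95,6 +94,7 @@ and @@ -96,11 +96,9 @@ hunks) assigns `networkPolicy.Spec.Ingress` wholesale and so discards whatever setIngressFromEmptyFirstElement set up. The case is equivalent to the old `makeNetworkPolicyCustom(setIngressEmptyPorts)`; reversing the order would presumably turn it into an invalid policy, since the "missing from and to type" error case relies on an empty peer being rejected, so dropping the first tweak seems the right fix. Changing a test case under a commit titled "Remove success case comments" also hides the change from reviewers; it belongs in its own commit with a one-line rationale.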
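Review bot: The failure message in the @@ -274,7 +257,7 @@ hunk still says "test number %d" but now prints the zero-based slice index `k`, so the number no longer matches the one-based numbering the removed comments used, and a reader counting entries in successCases will land on the wrong case. Either keep `(k + 1)` or make the wording match the value, e.g. `t.Errorf("Expected success for successCases[%d], got %v", k, errs)`.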
+++ b/pkg/apis/networking/validation/validation_test.go @@ -76,15 +76,14 @@ func TestValidateNetworkPolicy(t *testing.T) { // Tweaks used below. setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = make([]networking.NetworkPolicyIngressRule, 1) + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}} } setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{{}}, - }, + if networkPolicy.Spec.Ingress == nil { + setIngressEmptyFirstElement(networkPolicy) } + networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}} } setIngressFromIfEmpty := func(networkPolicy *networking.NetworkPolicy) { @@ -95,6 +94,7 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressFromEmptyFirstElement(networkPolicy) } } + setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ { @@ -130,8 +130,8 @@ func TestValidateNetworkPolicy(t *testing.T) { }, } } - } + setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { setIngressFromIfEmpty(networkPolicy) networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ 
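Review bot: The guard `if networkPolicy.Spec.Ingress == nil` in setIngressFromEmptyFirstElement only covers a nil slice; an empty non-nil slice such as `[]networking.NetworkPolicyIngressRule{}` passes the check and the following `networkPolicy.Spec.Ingress[0].From = …` panics with an index out of range, which aborts the entire TestValidateNetworkPolicy run instead of reporting one failing case. Prefer `if len(networkPolicy.Spec.Ingress) == 0 {`, which handles both shapes. The same pattern appears in setEgressToEmptyFirstElement in the @@ -156,15 +156,14 @@ hunk of this patch (`if networkPolicy.Spec.Egress == nil` should likewise become `if len(networkPolicy.Spec.Egress) == 0 {`). setIngressFromIfEmpty, whose signature closes this hunk, continues outside it.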
@@ -156,15 +156,14 @@ func TestValidateNetworkPolicy(t *testing.T) { } setEgressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress = make([]networking.NetworkPolicyEgressRule, 1) + networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{{}} } setEgressToEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ - { - To: []networking.NetworkPolicyPeer{{}}, - }, + if networkPolicy.Spec.Egress == nil { + setEgressEmptyFirstElement(networkPolicy) } + networkPolicy.Spec.Egress[0].To = []networking.NetworkPolicyPeer{{}} } setEgressToIfEmpty := func(networkPolicy *networking.NetworkPolicy) { @@ -175,6 +174,7 @@ func TestValidateNetworkPolicy(t *testing.T) { setEgressToEmptyFirstElement(networkPolicy) } } + setEgressToNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].NamespaceSelector = &metav1.LabelSelector{ From 853d2a6a0afd79c517db5fec0cf786b671f305b8 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Mon, 8 Mar 2021 15:03:12 +0100 Subject: [PATCH 11/16] Delete not used tweak Signed-off-by: Daniela Lins --- pkg/apis/networking/validation/validation_test.go | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 6e2ddfbbf58..45441b0fec5 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -205,14 +205,6 @@ func TestValidateNetworkPolicy(t *testing.T) { } } - setEgressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{ - { - Ports: []networking.NetworkPolicyPort{{}}, - }, - } - } - setEgressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { return func(np *networking.NetworkPolicy) { if np.Spec.Egress == nil { @@ -288,7 +280,7 @@ func TestValidateNetworkPolicy(t *testing.T) { MatchLabels: invalidSelector, } }), - "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), + "invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))), "invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))), "invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))), "invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { From cb48e3cfca2015c40d34793dcb22f9435a82013d Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Thu, 25 Mar 2021 16:35:23 +0100 Subject: [PATCH 12/16] Handle int and string port in makePort Signed-off-by: Daniela Lins --- pkg/apis/networking/validation/validation_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 45441b0fec5..e56c8f7d556 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -59,7 +59,7 @@ func makePort(proto *api.Protocol, port intstr.IntOrString, endPort int32) netwo Protocol: proto, Port: nil, } - if port != intstr.FromInt(0) { + if port != intstr.FromInt(0) && port != intstr.FromString("") && port != intstr.FromString("0") { r.Port = &port } if endPort != 0 { From 5f47d0e8ef93ed457aca030d9ad566e3cb7ab2a5 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Thu, 25 Mar 2021 16:41:06 +0100 Subject: [PATCH 13/16] Reduce vertical space Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 24 +++++++------------ 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index e56c8f7d556..db88f7cfd49 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go @@ -96,11 +96,9 @@ func TestValidateNetworkPolicy(t *testing.T) { } setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ - { - Ports: []networking.NetworkPolicyPort{{}}, - }, - } + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{ + Ports: []networking.NetworkPolicyPort{{}}, + }} } setIngressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak { @@ -118,17 +116,13 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressFromPodSelector := func(k, v string) func(*networking.NetworkPolicy) { return func(networkPolicy *networking.NetworkPolicy) { setIngressFromIfEmpty(networkPolicy) - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{ - { - From: []networking.NetworkPolicyPeer{ - { - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{k: v}, - }, + networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{ + 
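Review bot: The widened condition in makePort now treats `intstr.FromInt(0)`, `intstr.FromString("")` and `intstr.FromString("0")` all as "no port", but nothing in the helper documents that convention, and the three struct comparisons read as an ad-hoc list rather than a rule. A comment above the condition would make the contract explicit, e.g. `// A port of 0, "" or "0" leaves Port nil; an endPort of 0 leaves EndPort nil.` Note that this also makes a named port "0" unreachable through makePort, so if the validator is meant to reject numeric-looking port names that case cannot be written with this helper; a flag or a separate helper would be needed. makePort's signature and the tail of the function lie outside the hunk.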
From: []networking.NetworkPolicyPeer{{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{k: v}, }, - }, - }, - } + }}, + }} } } From f4e469ee1452f269ebb3f83400221900f6eff341 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Thu, 25 Mar 2021 16:50:28 +0100 Subject: [PATCH 14/16] Standardize Namespace and Podselector tweaks Signed-off-by: Daniela Lins --- pkg/apis/networking/validation/validation_test.go | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index db88f7cfd49..15cbe7fd3dc 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go @@ -116,13 +116,9 @@ func TestValidateNetworkPolicy(t *testing.T) { setIngressFromPodSelector := func(k, v string) func(*networking.NetworkPolicy) { return func(networkPolicy *networking.NetworkPolicy) { setIngressFromIfEmpty(networkPolicy) - networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{ - From: []networking.NetworkPolicyPeer{{ - PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{k: v}, - }, - }}, - }} + networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ + MatchLabels: map[string]string{k: v}, + } } } From 22cc8dc3a890828139771a822660e481c267549e Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Thu, 25 Mar 2021 16:57:11 +0100 Subject: [PATCH 15/16] Specify IPV4 on tweak names Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 15cbe7fd3dc..4946381ade8 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -129,7 +129,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } } - setIngressFromIPBlock := func(networkPolicy *networking.NetworkPolicy) { + setIngressFromIPBlockIPV4 := func(networkPolicy *networking.NetworkPolicy) { setIngressFromIfEmpty(networkPolicy) networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/16", @@ -179,7 +179,7 @@ func TestValidateNetworkPolicy(t *testing.T) { } } - setEgressToIPBlock := func(networkPolicy *networking.NetworkPolicy) { + setEgressToIPBlockIPV4 := func(networkPolicy *networking.NetworkPolicy) { setEgressToIfEmpty(networkPolicy) networkPolicy.Spec.Egress[0].To[0].IPBlock = &networking.IPBlock{ CIDR: "192.168.0.0/16", @@ -222,10 +222,10 @@ func TestValidateNetworkPolicy(t *testing.T) { makeNetworkPolicyCustom(setIngressFromPodSelector("c", "d")), makeNetworkPolicyCustom(setIngressFromNamespaceSelector), makeNetworkPolicyCustom(setIngressFromPodSelector("e", "f"), setIngressFromNamespaceSelector), - makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlock), - makeNetworkPolicyCustom(setIngressFromIPBlock), - makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesEgress), - makeNetworkPolicyCustom(setEgressToIPBlock, setPolicyTypesIngressEgress), + makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlockIPV4), + makeNetworkPolicyCustom(setIngressFromIPBlockIPV4), + makeNetworkPolicyCustom(setEgressToIPBlockIPV4, setPolicyTypesEgress), + makeNetworkPolicyCustom(setEgressToIPBlockIPV4, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlockIPV6), makeNetworkPolicyCustom(setIngressFromIPBlockIPV6), 
@@ -246,8 +246,8 @@ func TestValidateNetworkPolicy(t *testing.T) { invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} errorCases := map[string]*networking.NetworkPolicy{ - "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromNamespaceSelector, setIngressFromIPBlock), - "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressToPodSelector, setEgressToIPBlock), + "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromNamespaceSelector, setIngressFromIPBlockIPV4), + "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressToPodSelector, setEgressToIPBlockIPV4), "missing from and to type": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setEgressToEmptyFirstElement), "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec = networking.NetworkPolicySpec{ 
@@ -278,22 +278,22 @@ func TestValidateNetworkPolicy(t *testing.T) { MatchLabels: invalidSelector, } }), - "missing cidr field": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "missing cidr field": makeNetworkPolicyCustom(setIngressFromIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "" }), - "invalid cidr format": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "invalid cidr format": makeNetworkPolicyCustom(setIngressFromIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6" }), "invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::" }), - "except field is an empty string": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an empty string": makeNetworkPolicyCustom(setIngressFromIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""} }), - "except field is an space string": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an space string": makeNetworkPolicyCustom(setIngressFromIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "} }), - "except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"} }), "except IP is outside of CIDR range": 
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) { @@ -314,10 +314,10 @@ func TestValidateNetworkPolicy(t *testing.T) { Except: []string{"fd00:192:168:2::/64"}, } }), - "invalid policyTypes": makeNetworkPolicyCustom(setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "invalid policyTypes": makeNetworkPolicyCustom(setEgressToIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"} }), - "too many policyTypes": makeNetworkPolicyCustom(setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) { + "too many policyTypes": makeNetworkPolicyCustom(setEgressToIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} }), "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))), From 6c105c9e8a14d30573436288e1fd42ba01f4c2d2 Mon Sep 17 00:00:00 2001 From: Daniela Lins Date: Thu, 25 Mar 2021 17:12:02 +0100 Subject: [PATCH 16/16] Linewrap for makePort calls and lint fixes Signed-off-by: Daniela Lins --- .../networking/validation/validation_test.go | 61 ++++++++++++++++--- 1 file changed, 52 insertions(+), 9 deletions(-) diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go index 4946381ade8..22af6ed3432 100644 --- a/pkg/apis/networking/validation/validation_test.go +++ b/pkg/apis/networking/validation/validation_test.go 
@@ -218,7 +218,13 @@ func TestValidateNetworkPolicy(t *testing.T) { successCases := []*networking.NetworkPolicy{ makeNetworkPolicyCustom(setIngressEmptyFirstElement), makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts), - makeNetworkPolicyCustom(setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), + makeNetworkPolicyCustom(setIngressPorts( + makePort(nil, intstr.FromInt(80), 0), + makePort(&protocolTCP, intstr.FromInt(0), 0), + makePort(&protocolTCP, intstr.FromInt(443), 0), + makePort(&protocolUDP, intstr.FromString("dns"), 0), + makePort(&protocolSCTP, intstr.FromInt(7777), 0), + )), makeNetworkPolicyCustom(setIngressFromPodSelector("c", "d")), makeNetworkPolicyCustom(setIngressFromNamespaceSelector), makeNetworkPolicyCustom(setIngressFromPodSelector("e", "f"), setIngressFromNamespaceSelector), 
@@ -226,13 +232,26 @@ func TestValidateNetworkPolicy(t *testing.T) { makeNetworkPolicyCustom(setIngressFromIPBlockIPV4), makeNetworkPolicyCustom(setEgressToIPBlockIPV4, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressToIPBlockIPV4, setPolicyTypesIngressEgress), - makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))), + makeNetworkPolicyCustom(setEgressPorts( + makePort(nil, intstr.FromInt(80), 0), + makePort(&protocolTCP, intstr.FromInt(0), 0), + makePort(&protocolTCP, intstr.FromInt(443), 0), + makePort(&protocolUDP, intstr.FromString("dns"), 0), + makePort(&protocolSCTP, intstr.FromInt(7777), 0), + )), makeNetworkPolicyCustom(setEgressToNamespaceSelector, setIngressFromIPBlockIPV6), makeNetworkPolicyCustom(setIngressFromIPBlockIPV6), makeNetworkPolicyCustom(setEgressToIPBlockIPV6, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))), - makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), + makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts( + makePort(nil, intstr.FromInt(30000), 32768), + makePort(nil, intstr.FromInt(32000), 32768), + ), + setIngressFromPodSelector("e", "f"), + setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))), } // Success cases are expected to pass validation. 
@@ -320,12 +339,36 @@ func TestValidateNetworkPolicy(t *testing.T) { "too many policyTypes": makeNetworkPolicyCustom(setEgressToIPBlockIPV4, func(networkPolicy *networking.NetworkPolicy) { networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"} }), - "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))), - "endPort defined with named/string port": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromString("dns"), 32768), makePort(nil, intstr.FromInt(32000), 32768))), - "endPort defined without port defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768))), - "port is greater than endPort": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768))), - "multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(&protocolTCP, intstr.FromInt(0), 32768), makePort(&protocolTCP, intstr.FromString("https"), 32768))), - + "multiple ports defined, one port range is invalid": makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts( + makePort(&protocolUDP, intstr.FromInt(35000), 32768), + makePort(nil, intstr.FromInt(32000), 32768), + ), + ), + "endPort defined with named/string port": makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts( + makePort(&protocolUDP, intstr.FromString("dns"), 32768), + makePort(nil, intstr.FromInt(32000), 32768), + ), + ), + "endPort defined without port defined": makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768)), + ), + "port is greater than endPort": 
makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768)), + ), + "multiple invalid port ranges defined": makeNetworkPolicyCustom( + setEgressToNamespaceSelector, + setEgressPorts( + makePort(&protocolUDP, intstr.FromInt(35000), 32768), + makePort(&protocolTCP, intstr.FromInt(0), 32768), + makePort(&protocolTCP, intstr.FromString("https"), 32768), + ), + ), "invalid endport range defined": makeNetworkPolicyCustom(setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(30000), 65537))), }