mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
Refactored setIngressPorts and setEgressPorts
Signed-off-by: Daniela Lins <danielamlins@gmail.com>
This commit is contained in:
Daniela Lins
parent
611f061c45
commit
6d330d9738
@ -44,7 +44,9 @@ func makeValidNetworkPolicy() *networking.NetworkPolicy {
|
||||
}
|
||||
}
|
||||
|
||||
func makeNetworkPolicyCustom(tweaks ...func(networkPolicy *networking.NetworkPolicy)) *networking.NetworkPolicy {
|
||||
type netpolTweak func(networkPolicy *networking.NetworkPolicy)
|
||||
|
||||
func makeNetworkPolicyCustom(tweaks ...netpolTweak) *networking.NetworkPolicy {
|
||||
networkPolicy := makeValidNetworkPolicy()
|
||||
for _, fn := range tweaks {
|
||||
fn(networkPolicy)
|
||||
@ -52,25 +54,25 @@ func makeNetworkPolicyCustom(tweaks ...func(networkPolicy *networking.NetworkPol
|
||||
return networkPolicy
|
||||
}
|
||||
|
||||
func makePort(proto *api.Protocol, port intstr.IntOrString, endPort int32) networking.NetworkPolicyPort {
|
||||
r := networking.NetworkPolicyPort{
|
||||
Protocol: proto,
|
||||
Port: nil,
|
||||
}
|
||||
if port != intstr.FromInt(0) {
|
||||
r.Port = &port
|
||||
}
|
||||
if endPort != 0 {
|
||||
r.EndPort = utilpointer.Int32Ptr(endPort)
|
||||
}
|
||||
return r
|
||||
}
|
||||
|
||||
func TestValidateNetworkPolicy(t *testing.T) {
|
||||
protocolTCP := api.ProtocolTCP
|
||||
protocolUDP := api.ProtocolUDP
|
||||
protocolICMP := api.Protocol("ICMP")
|
||||
protocolSCTP := api.ProtocolSCTP
|
||||
endPort := int32(32768)
|
||||
|
||||
// Ports
|
||||
port80 := intstr.FromInt(80)
|
||||
port443 := intstr.FromInt(443)
|
||||
portDns := intstr.FromString("dns")
|
||||
port7777 := intstr.FromInt(7777)
|
||||
port32768 := intstr.FromInt(32768)
|
||||
port30000 := intstr.FromInt(30000)
|
||||
port32000 := intstr.FromInt(32000)
|
||||
port35000 := intstr.FromInt(35000)
|
||||
portInvalidInt := intstr.FromInt(123456789)
|
||||
portInvalidStr := intstr.FromString("!@#$")
|
||||
portHttps := intstr.FromString("https")
|
||||
|
||||
// Tweaks used below.
|
||||
setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
|
||||
@ -78,7 +80,11 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
}
|
||||
|
||||
setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}}
|
||||
networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{
|
||||
{
|
||||
From: []networking.NetworkPolicyPeer{{}},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) {
|
||||
@ -88,38 +94,13 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
},
|
||||
}
|
||||
}
|
||||
setIngressPorts := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port80,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: nil,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: &port443,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &portDns,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolSCTP,
|
||||
Port: &port7777,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
setIngressPortsHigher := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: &port32768,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
setIngressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak {
|
||||
return func(np *networking.NetworkPolicy) {
|
||||
np.Spec.Ingress[0].Ports = make([]networking.NetworkPolicyPort, len(ports))
|
||||
for i, p := range ports {
|
||||
np.Spec.Ingress[0].Ports[i] = p
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -192,57 +173,12 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
setEgressPorts := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port80,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: nil,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: &port443,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &portDns,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolSCTP,
|
||||
Port: &port7777,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
setEgressPortsUDPandHigh := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port32000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &portDns,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
setEgressPortsBothHigh := func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port30000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port32000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
setEgressPorts := func(ports ...networking.NetworkPolicyPort) netpolTweak {
|
||||
return func(np *networking.NetworkPolicy) {
|
||||
np.Spec.Egress[0].Ports = make([]networking.NetworkPolicyPort, len(ports))
|
||||
for i, p := range ports {
|
||||
np.Spec.Egress[0].Ports[i] = p
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -258,37 +194,37 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
// Success Test Number 1
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement),
|
||||
// Success Test Number 2
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressEmptyPorts),
|
||||
// Success Test Number 3
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts),
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))),
|
||||
// Success Test Number 4
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")),
|
||||
// Success Test Number 5
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector),
|
||||
// Success Test Number 6
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")),
|
||||
// Success Test Number 7
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock),
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlock),
|
||||
// Success Test Number 8
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock),
|
||||
// Success Test Number 9
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress),
|
||||
// Success Test Number 10
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesIngressEgress),
|
||||
// Success Test Number 11
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts),
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(80), 0), makePort(&protocolTCP, intstr.FromInt(0), 0), makePort(&protocolTCP, intstr.FromInt(443), 0), makePort(&protocolUDP, intstr.FromString("dns"), 0), makePort(&protocolSCTP, intstr.FromInt(7777), 0))),
|
||||
// Success Test Number 12
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6),
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6),
|
||||
// Success Test Number 13
|
||||
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6),
|
||||
makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6),
|
||||
// Success Test Number 14
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress),
|
||||
// Success Test Number 15
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress),
|
||||
// Success Test Number 16
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh),
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPorts(makePort(nil, intstr.FromInt(32000), 32768), makePort(&protocolUDP, intstr.FromString("dns"), 0))),
|
||||
// Success Test Number 17
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPortsHigher),
|
||||
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(nil, intstr.FromInt(30000), 32768), makePort(nil, intstr.FromInt(32000), 32768)), setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPorts(makePort(&protocolTCP, intstr.FromInt(32768), 32768))),
|
||||
}
|
||||
|
||||
// Success cases are expected to pass validation.
|
||||
@ -302,10 +238,10 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"}
|
||||
|
||||
errorCases := map[string]*networking.NetworkPolicy{
|
||||
"namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock),
|
||||
"namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock),
|
||||
"podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock),
|
||||
"missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement),
|
||||
"invalid spec.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"missing from and to type": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement),
|
||||
"invalid spec.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec = networking.NetworkPolicySpec{
|
||||
PodSelector: metav1.LabelSelector{
|
||||
MatchLabels: invalidSelector,
|
||||
@ -315,13 +251,10 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
"invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].Ports[0].Protocol = &protocolICMP
|
||||
}),
|
||||
"invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidInt
|
||||
}),
|
||||
"invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidStr
|
||||
}),
|
||||
"invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, setIngressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))),
|
||||
"invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts,
|
||||
setIngressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))),
|
||||
"invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
|
||||
MatchLabels: invalidSelector,
|
||||
}
|
||||
@ -331,51 +264,46 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
MatchLabels: invalidSelector,
|
||||
}
|
||||
}),
|
||||
"invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports[0].Protocol = &protocolICMP
|
||||
}),
|
||||
"invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidInt
|
||||
}),
|
||||
"invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidStr
|
||||
}),
|
||||
"invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolICMP, intstr.FromInt(80), 0))),
|
||||
|
||||
"invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(123456789), 0))),
|
||||
"invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, setEgressPorts(makePort(&protocolTCP, intstr.FromString("!@#$"), 0))),
|
||||
"invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
|
||||
MatchLabels: invalidSelector,
|
||||
}
|
||||
}),
|
||||
"missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"missing cidr field": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = ""
|
||||
}),
|
||||
"invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"invalid cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6"
|
||||
}),
|
||||
"invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::"
|
||||
}),
|
||||
"except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except field is an empty string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""}
|
||||
}),
|
||||
"except field is an space string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except field is an space string": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "}
|
||||
}),
|
||||
"except field is an invalid ip": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except field is an invalid ip": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"}
|
||||
}),
|
||||
"except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
|
||||
CIDR: "192.168.8.0/24",
|
||||
Except: []string{"192.168.9.1/24"},
|
||||
}
|
||||
}),
|
||||
"except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
|
||||
CIDR: "192.168.0.0/24",
|
||||
Except: []string{"192.168.0.0/24"},
|
||||
}
|
||||
}),
|
||||
"except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
"except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
|
||||
CIDR: "fd00:192:168:1::/64",
|
||||
Except: []string{"fd00:192:168:2::/64"},
|
||||
@ -387,80 +315,13 @@ func TestValidateNetworkPolicy(t *testing.T) {
|
||||
"too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"}
|
||||
}),
|
||||
"multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &port35000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port32000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
}
|
||||
}),
|
||||
"endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &portDns,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port32000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
}
|
||||
}),
|
||||
"endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
}
|
||||
}),
|
||||
"port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolSCTP,
|
||||
Port: &port35000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
}
|
||||
}),
|
||||
"multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(nil, intstr.FromInt(32000), 32768))),
|
||||
"endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromString("dns"), 32768), makePort(nil, intstr.FromInt(32000), 32768))),
|
||||
"endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(0), 32768))),
|
||||
"port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolSCTP, intstr.FromInt(35000), 32768))),
|
||||
"multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolUDP, intstr.FromInt(35000), 32768), makePort(&protocolTCP, intstr.FromInt(0), 32768), makePort(&protocolTCP, intstr.FromString("https"), 32768))),
|
||||
|
||||
"multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: &protocolUDP,
|
||||
Port: &port35000,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
{
|
||||
Protocol: &protocolTCP,
|
||||
Port: &portHttps,
|
||||
EndPort: &endPort,
|
||||
},
|
||||
}
|
||||
}),
|
||||
|
||||
"invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
|
||||
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
|
||||
{
|
||||
Protocol: nil,
|
||||
Port: &port30000,
|
||||
EndPort: utilpointer.Int32Ptr(65537),
|
||||
},
|
||||
}
|
||||
}),
|
||||
"invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPorts(makePort(&protocolTCP, intstr.FromInt(30000), 65537))),
|
||||
}
|
||||
|
||||
// Error cases are not expected to pass validation.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user