Merge pull request #97616 from knabben/netpol-2a-allow

Netpol E2E test should allow traffic to an application
2025-07-22 19:31:44 +00:00 · 2021-02-10 16:56:16 -08:00 · 2021-02-10 16:56:16 -08:00 · 8a8caf317b
commit 8a8caf317b
parent 838bb6a567 c8031e5b13
2 changed files with 46 additions and 0 deletions
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@ -176,6 +176,27 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
 			ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
 		})

+		ginkgo.It("should enforce policy to allow ingress traffic for a target [Feature:NetworkPolicy] ", func() {
+			nsX, _, _, model, k8s := getK8SModel(f)
+
+			ginkgo.By("having a deny all ingress policy", func() {
+				// Deny all Ingress traffic policy to pods on namespace nsX
+				policy := GetDenyIngress("deny-all")
+				CreatePolicy(k8s, policy, nsX)
+			})
+
+			// Allow Ingress traffic only to pod x/a from any pod
+			allowPolicy := GetAllowIngressForTarget("allow-all-to-a", map[string]string{"pod": "a"})
+			CreatePolicy(k8s, allowPolicy, nsX)
+
+			reachability := NewReachability(model.AllPods(), true)
+			reachability.ExpectAllIngress(NewPodString(nsX, "a"), true)
+			reachability.ExpectAllIngress(NewPodString(nsX, "b"), false)
+			reachability.ExpectAllIngress(NewPodString(nsX, "c"), false)
+
+			ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
+		})
+
 		ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() {
 			nsX, nsY, nsZ, model, k8s := getK8SModel(f)
 			allowedLabels := &metav1.LabelSelector{
--- a/test/e2e/network/netpol/policies.go
+++ b/test/e2e/network/netpol/policies.go
@ -237,6 +237,31 @@ func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSe
 	return policy
 }

+// GetAllowIngressForTarget allows ingress for target
+func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy {
+	return &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: networkingv1.NetworkPolicySpec{
+			PodSelector: metav1.LabelSelector{
+				MatchLabels: targetLabels,
+			},
+			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+			Ingress: []networkingv1.NetworkPolicyIngressRule{
+				{
+					From: []networkingv1.NetworkPolicyPeer{
+						{
+							PodSelector:       &metav1.LabelSelector{},
+							NamespaceSelector: &metav1.LabelSelector{},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 // GetDenyIngressForTarget denies all ingress for target
 func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy {
 	return &networkingv1.NetworkPolicy{