diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index b5965f3804d..c86e8662de0 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -59,9 +59,6 @@ var ( protocolTCP = v1.ProtocolTCP protocolUDP = v1.ProtocolUDP protocolSCTP = v1.ProtocolSCTP - - // addSCTPContainers is a flag to enable SCTP containers on bootstrap. - addSCTPContainers = false ) /* @@ -122,9 +119,6 @@ var _ = common.SIGDescribe("Netpol", func() { var model *Model ginkgo.Context("NetworkPolicy between server and client", func() { - ginkgo.BeforeEach(func() { - model = initializeResourcesByFixedNS(f) - }) ginkgo.AfterEach(func() { if !useFixedNamespaces { @@ -135,6 +129,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) @@ -148,6 +144,8 @@ var _ = common.SIGDescribe("Netpol", func() { policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules()) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -168,6 +166,8 @@ var _ = common.SIGDescribe("Netpol", func() { policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) 
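Review bot: With the `ginkgo.BeforeEach` that assigned `model` removed, `model` is now a Describe-scoped variable that each `ginkgo.It` must set itself, so any spec that omits the new two-line preamble silently reuses the model left behind by the previous spec (possibly built for a different protocol set) rather than failing loudly. The identical pair `protocols := []v1.Protocol{protocolTCP}` / `model = initializeResourcesByFixedNS(f, protocols)` is repeated in every spec across this and the following hunks, and the same BeforeEach removal recurs in the UDP and SCTP contexts later in the diff. A small closure at Context scope, e.g. `initModel := func(protocols ...v1.Protocol) { model = initializeResourcesByFixedNS(f, protocols) }` called as `initModel(protocolTCP)`, would cut the duplication, and resetting `model = nil` in the `ginkgo.AfterEach` (whose body continues outside the hunk) would turn a forgotten call into an immediate nil-pointer failure instead of a stale-state pass.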
@@ -179,6 +179,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy to allow ingress traffic for a target [Feature:NetworkPolicy] ", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) ginkgo.By("having a deny all ingress policy", func() { // Deny all Ingress traffic policy to pods on namespace nsX policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) @@ -201,6 +203,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy to allow ingress traffic from pods in all namespaces [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-another-ns", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) @@ -212,6 +216,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"ns": nsY}}}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) 
@@ -238,6 +244,8 @@ var _ = common.SIGDescribe("Netpol", func() { policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -249,6 +257,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions[Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{{ Key: "ns", @@ -271,6 +281,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{{ Key: "ns", @@ -297,6 +309,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{{ Key: "ns", 
@@ -324,6 +338,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on Multiple PodSelectors and NamespaceSelectors [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{{ Key: "ns", @@ -354,6 +370,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on any PodSelectors [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) ingressRule := networkingv1.NetworkPolicyIngressRule{} for _, label := range []map[string]string{{"pod": "b"}, {"pod": "c"}} { ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: label}}) @@ -373,6 +391,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, @@ -398,6 +418,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce policy based on Ports [Feature:NetworkPolicy]", func() { ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)") nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, 
@@ -420,6 +442,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce multiple, stacked policies with overlapping podSelectors [Feature:NetworkPolicy]", func() { ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)") nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, @@ -460,6 +484,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.By("Creating a network policy which allows all traffic.") policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{})) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) ginkgo.By("Testing pods can connect to both ports when an 'allow-all' policy is present.") @@ -473,6 +499,8 @@ var _ = common.SIGDescribe("Netpol", func() { IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-81-tcp"}}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) ginkgo.By("Blocking all ports other then 81 in the entire namespace") 
@@ -488,6 +516,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should allow ingress access from namespace on one named port [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, @@ -520,6 +550,8 @@ var _ = common.SIGDescribe("Netpol", func() { policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress", map[string]string{}, SetSpecEgressRules(egressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachabilityPort80 := NewReachability(model.AllPods(), true) @@ -536,6 +568,8 @@ var _ = common.SIGDescribe("Netpol", func() { // part 1) allow all policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{})) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -552,6 +586,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should allow ingress access from updated namespace [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) defer ResetNamespaceLabels(k8s, nsY) allowedLabels := &metav1.LabelSelector{ 
@@ -584,6 +620,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should allow ingress access from updated pod [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) podXB, err := model.FindPod(nsX, "b") framework.ExpectNoError(err, "find pod x/b") defer ResetPodLabels(k8s, podXB) @@ -613,6 +651,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) IngressRules := networkingv1.NetworkPolicyIngressRule{} IngressRules.From = append(IngressRules.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}}) @@ -628,6 +668,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) podXA, err := model.FindPod(nsX, "a") framework.ExpectNoError(err, "find pod x/a") defer ResetPodLabels(k8s, podXA) @@ -649,6 +691,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should deny egress from pods based on PodSelector [Feature:NetworkPolicy] ", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}, SetSpecEgressRules()) CreatePolicy(k8s, policy, nsX) 
@@ -660,6 +704,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-ns-x", metav1.LabelSelector{}, SetSpecEgressRules()) CreatePolicy(k8s, policy, nsX) @@ -688,6 +734,8 @@ var _ = common.SIGDescribe("Netpol", func() { } policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress} nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachabilityPort80 := NewReachability(model.AllPods(), true) @@ -711,6 +759,8 @@ var _ = common.SIGDescribe("Netpol", func() { // Expectation: traffic from x/a to y/a allowed only, traffic from x/a to y/b denied by egress policy nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) // Building egress policy for x/a to y/a only allowedEgressNamespaces := &metav1.LabelSelector{ @@ -799,6 +849,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, 
@@ -822,6 +874,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce ingress policy allowing any port traffic to a server on a specific protocol [Feature:NetworkPolicy] [Feature:UDP]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP, protocolUDP} + model = initializeResourcesByFixedNS(f, protocols) ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolTCP}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-by-proto", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) @@ -837,6 +891,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce multiple ingress policies with ingress allow-all policy taking precedence [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) IngressRules := networkingv1.NetworkPolicyIngressRule{} IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}) policyAllowOnlyPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-port-80", map[string]string{}, SetSpecIngressRules(IngressRules)) @@ -862,6 +918,8 @@ var _ = common.SIGDescribe("Netpol", func() { egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}}) policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policyAllowPort80, nsX) ginkgo.By("Making sure ingress doesn't work other than port 80") 
@@ -885,6 +943,8 @@ var _ = common.SIGDescribe("Netpol", func() { // Deny all traffic into and out of "x". policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules()) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) reachability := NewReachability(model.AllPods(), true) @@ -907,6 +967,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should allow egress access to server in CIDR block [Feature:NetworkPolicy]", func() { // Getting podServer's status to get podServer's IP, to create the CIDR nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) podList, err := f.ClientSet.CoreV1().Pods(nsY).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=b"}) framework.ExpectNoError(err, "Failing to list pods in namespace y") pod := podList.Items[0] @@ -931,6 +993,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should enforce except clause while egress access to server in CIDR block [Feature:NetworkPolicy]", func() { // Getting podServer's status to get podServer's IP, to create the CIDR with except clause nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"}) framework.ExpectNoError(err, "Failing to find pod x/a") podA := podList.Items[0] 
@@ -962,6 +1026,8 @@ var _ = common.SIGDescribe("Netpol", func() { ginkgo.It("should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed [Feature:NetworkPolicy]", func() { // Getting podServer's status to get podServer's IP, to create the CIDR with except clause nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"}) framework.ExpectNoError(err, "Failing to find pod x/a") podA := podList.Items[0] @@ -1021,6 +1087,8 @@ var _ = common.SIGDescribe("Netpol", func() { allowEgressPolicy := GenNetworkPolicyWithNameAndPodSelector("allow-egress-for-target", metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{})) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, allowEgressPolicy, nsX) allowEgressReachability := NewReachability(model.AllPods(), true) @@ -1041,6 +1109,8 @@ var _ = common.SIGDescribe("Netpol", func() { // traffic that is supposed to be blocked. ginkgo.It("should not mistakenly treat 'protocol: SCTP' as 'protocol: TCP', even if the plugin doesn't support SCTP [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) ginkgo.By("Creating a default-deny ingress policy.") // Empty podSelector blocks the entire namespace 
@@ -1068,6 +1138,8 @@ var _ = common.SIGDescribe("Netpol", func() { ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolSCTP}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) ginkgo.By("Trying to connect to TCP port 81, which should be blocked by implicit isolation.") @@ -1081,6 +1153,8 @@ var _ = common.SIGDescribe("Netpol", func() { ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) CreatePolicy(k8s, policy, nsX) ginkgo.By("Creating a network policy for the server which allows traffic only via UDP on port 81.") @@ -1094,6 +1168,8 @@ var _ = common.SIGDescribe("Netpol", func() { // Note that this default ns functionality is maintained by the APIMachinery group, but we test it here anyways because its an important feature. ginkgo.It("should enforce policy to allow traffic based on NamespaceSelector with MatchLabels using default ns label [Feature:NetworkPolicy]", func() { nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ v1.LabelMetadataName: nsY, 
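Review bot: The spec that creates the `allow-only-udp-ingress-on-port-81` policy now builds its model with `[]v1.Protocol{protocolTCP}` only, whereas the removed `defaultModel` always provisioned TCP and UDP containers; if the assertions that follow (outside this hunk) probe UDP reachability on port 81, the UDP server container no longer exists and the probe cannot distinguish "policy denies" from "nothing is listening". The `[Feature:UDP]` spec earlier in the diff passes `{protocolTCP, protocolUDP}`, so this looks like it may be an oversight rather than a deliberate narrowing; if the spec only exercises the TCP side, a one-line comment such as `// model is TCP-only on purpose: this spec only checks that TCP traffic is not matched by the UDP rule` would make that explicit.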
@@ -1114,6 +1190,8 @@ var _ = common.SIGDescribe("Netpol", func() { // Note that this default ns functionality is maintained by the APIMachinery group, but we test it here anyways because its an important feature. ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions using default ns label [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolTCP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{{ Key: v1.LabelMetadataName, @@ -1142,9 +1220,6 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { }) ginkgo.Context("NetworkPolicy between server and client using UDP", func() { - ginkgo.BeforeEach(func() { - model = initializeResourcesByFixedNS(f) - }) ginkgo.AfterEach(func() { if !useFixedNamespaces { @@ -1155,6 +1230,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolUDP} + model = initializeResourcesByFixedNS(f, protocols) policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) @@ -1167,6 +1244,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce policy based on Ports [Feature:NetworkPolicy]", func() { ginkgo.By("Creating a network policy allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)") nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolUDP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, 
@@ -1188,6 +1267,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolUDP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, @@ -1221,10 +1302,6 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt }) ginkgo.Context("NetworkPolicy between server and client using SCTP", func() { - ginkgo.BeforeEach(func() { - addSCTPContainers = true - model = initializeResourcesByFixedNS(f) - }) ginkgo.AfterEach(func() { if !useFixedNamespaces { @@ -1235,6 +1312,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { nsX, _, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolSCTP} + model = initializeResourcesByFixedNS(f, protocols) policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) @@ -1247,6 +1326,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt ginkgo.It("should enforce policy based on Ports [Feature:NetworkPolicy]", func() { ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)") nsX, nsY, nsZ, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolSCTP} + model = initializeResourcesByFixedNS(f, protocols) allowedLabels := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, 
@@ -1267,6 +1348,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { nsX, nsY, _, k8s := getK8sNamespaces(f) + protocols := []v1.Protocol{protocolSCTP} + model = initializeResourcesByFixedNS(f, protocols) allowedNamespaces := &metav1.LabelSelector{ MatchLabels: map[string]string{ "ns": nsY, @@ -1306,12 +1389,7 @@ func getNamespaces(rootNs string) (string, string, string, []string) { // defaultModel creates a new "model" pod system under namespaces (x,y,z) which has pods a, b, and c. Thus resulting in the // truth table matrix that is identical for all tests, comprising 81 total connections between 9 pods (x/a, x/b, x/c, ..., z/c). -func defaultModel(namespaces []string, dnsDomain string) *Model { - protocols := []v1.Protocol{v1.ProtocolTCP, v1.ProtocolUDP} - if addSCTPContainers { - protocols = append(protocols, v1.ProtocolSCTP) - } - +func defaultModel(namespaces []string, dnsDomain string, protocols []v1.Protocol) *Model { if framework.NodeOSDistroIs("windows") { return NewWindowsModel(namespaces, []string{"a", "b", "c"}, []int32{80, 81}, dnsDomain) } 
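Review bot: In `defaultModel` the new `protocols` parameter is not forwarded on the Windows path, which still calls `NewWindowsModel(namespaces, []string{"a", "b", "c"}, []int32{80, 81}, dnsDomain)`, so on Windows the per-spec protocol selection is silently ignored and the SCTP/UDP contexts would run against whatever `NewWindowsModel` builds; `NewWindowsModel`'s signature is outside this hunk, so whether it can accept the slice cannot be confirmed here. The doc comment above the signature also still describes the old behaviour and should mention the parameter, e.g. `// protocols selects which server containers (TCP/UDP/SCTP) each pod runs; the model previously always included TCP and UDP.` The remainder of the function, where `protocols` is presumably consumed, lies outside the hunk.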
@@ -1326,9 +1404,9 @@ func getK8sNamespaces(f *framework.Framework) (string, string, string, *kubeMana // initializeResourcesByFixedNS uses the e2e framework to create all necessary namespace resources, cleaning up // network policies from the namespace if useFixedNamespace is set true, avoiding policies overlap of new tests. -func initializeResourcesByFixedNS(f *framework.Framework) *Model { +func initializeResourcesByFixedNS(f *framework.Framework, protocols []v1.Protocol) *Model { if useFixedNamespaces { - model, _ := initializeResources(f) + model, _ := initializeResources(f, protocols) k8s := newKubeManager(f) framework.ExpectNoError(k8s.cleanNetworkPolicies(model.NamespaceNames), "unable to clean network policies") err := wait.Poll(waitInterval, waitTimeout, func() (done bool, err error) { @@ -1345,7 +1423,7 @@ func initializeResourcesByFixedNS(f *framework.Framework) *Model { return model } else { framework.Logf("Using %v as the default dns domain for this cluster... ", framework.TestContext.ClusterDNSDomain) - model, err := initializeResources(f) + model, err := initializeResources(f, protocols) framework.ExpectNoError(err, "unable to initialize resources") return model } 
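Review bot: In the `useFixedNamespaces` branch the rewritten line `model, _ := initializeResources(f, protocols)` discards the error, and the next line dereferences `model.NamespaceNames`; since `initializeResources` returns `(*Model, error)`, a failed initialization can surface as a nil-pointer panic rather than a clear test failure. The `else` branch in the same function already does it right, so the two lines should match it: `model, err := initializeResources(f, protocols)` followed by `framework.ExpectNoError(err, "unable to initialize resources")`. The doc comment on `initializeResourcesByFixedNS` should also gain a sentence describing `protocols`, e.g. `// protocols selects the server containers created for every pod in the model.`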
@@ -1354,12 +1432,12 @@ func initializeResourcesByFixedNS(f *framework.Framework) *Model { // initializeResources uses the e2e framework to create all necessary namespace resources, based on the network policy // model derived from the framework. It then waits for the resources described by the model to be up and running // (i.e. all pods are ready and running in their namespaces). -func initializeResources(f *framework.Framework) (*Model, error) { +func initializeResources(f *framework.Framework, protocols []v1.Protocol) (*Model, error) { k8s := newKubeManager(f) rootNs := f.Namespace.GetName() _, _, _, namespaces := getNamespaces(rootNs) - model := defaultModel(namespaces, framework.TestContext.ClusterDNSDomain) + model := defaultModel(namespaces, framework.TestContext.ClusterDNSDomain, protocols) framework.Logf("initializing cluster: ensuring namespaces, deployments, and pods exist and are ready") diff --git a/test/e2e/network/netpol/test_helper.go b/test/e2e/network/netpol/test_helper.go index 5e7825a1b28..9f9eefaf948 100644 --- a/test/e2e/network/netpol/test_helper.go +++ b/test/e2e/network/netpol/test_helper.go @@ -19,6 +19,8 @@ package netpol import ( "context" "fmt" + "time" + "github.com/onsi/ginkgo" "github.com/pkg/errors" networkingv1 "k8s.io/api/networking/v1" @@ -26,7 +28,6 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" "sigs.k8s.io/yaml" - "time" ) const (
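Review bot: The doc comment on `initializeResources` still reads as though the model is fixed, but the signature now takes `protocols []v1.Protocol` that is passed straight through to `defaultModel`; a caller reading only the comment has no way to know that an empty or nil slice is accepted by the signature, and what it produces is not established in this hunk. Adding `// protocols is forwarded to defaultModel and decides which server containers each pod runs.` keeps the three-layer plumbing (`initializeResourcesByFixedNS` → `initializeResources` → `defaultModel`) self-describing. The import reshuffle in test_helper.go only moves `"time"` into the standard-library group and needs no change.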