From b0ebcaf8f0e1ada6f812887a385d3153e2a5c666 Mon Sep 17 00:00:00 2001
From: xiangpengzhao
Date: Wed, 1 Nov 2017 15:32:35 +0800
Subject: [PATCH] Add unit test coverage for network policy validation.
---
 .../networking/validation/validation_test.go | 110 ++++++++++++++++++
 1 file changed, 110 insertions(+)
diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index 401eb43b6c7..66d1088378a 100644
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
@@ -215,6 +215,36 @@ func TestValidateNetworkPolicy(t *testing.T) {
 PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress},
 },
 },
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"a": "b"},
+ },
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ Ports: []networking.NetworkPolicyPort{
+ {
+ Protocol: nil,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: nil,
+ },
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443},
+ },
+ {
+ Protocol: &protocolUDP,
+ Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
+ },
+ },
+ },
+ },
+ },
+ },
 }
 
 // Success cases are expected to pass validation.
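Review bot: The added success entry carries no label, unlike the error cases, which are keyed by a descriptive string. If a failure is reported only by index (the reporting loop is outside the hunk), it will not say which port combination was rejected. A one-line comment above the entry, such as `// egress ports: nil protocol, nil port, numeric port, named port`, would record what the entry is meant to cover. TestValidateNetworkPolicy starts and ends outside the hunk.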
@@ -246,6 +276,38 @@ func TestValidateNetworkPolicy(t *testing.T) {
 },
 },
 },
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ To: []networking.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ },
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"c": "d"},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ "missing from and to type": {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"a": "b"},
+ },
+ Ingress: []networking.NetworkPolicyIngressRule{
+ {
+ From: []networking.NetworkPolicyPeer{{}},
+ },
+ },
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ To: []networking.NetworkPolicyPeer{{}},
+ },
+ },
 },
 },
 "invalid spec.podSelector": {
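Review bot: The `missing from and to type` case sets both an empty ingress `From` peer and an empty egress `To` peer, so it would still pass if only one direction were rejected, assuming the error cases only require a non-empty error list (the checking loop is outside the hunk). The `Egress` block added at the top of the hunk appears to have the same problem, since it is appended to a case that seems to already carry an ingress rule; that case starts outside the hunk. A regression in egress peer validation would then go unnoticed and a malformed policy could be admitted. Splitting into one case per direction would isolate each check, for example a `"missing to type"` case containing only `Egress: []networking.NetworkPolicyEgressRule{{To: []networking.NetworkPolicyPeer{{}}}}`.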
@@ -349,6 +411,54 @@ func TestValidateNetworkPolicy(t *testing.T) {
 },
 },
 },
+ "invalid egress.ports.protocol": {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{},
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ Ports: []networking.NetworkPolicyPort{
+ {
+ Protocol: &protocolICMP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
+ },
+ },
+ },
+ },
+ },
+ },
+ "invalid egress.ports.port (int)": {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{},
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ Ports: []networking.NetworkPolicyPort{
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789},
+ },
+ },
+ },
+ },
+ },
+ },
+ "invalid egress.ports.port (str)": {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{},
+ Egress: []networking.NetworkPolicyEgressRule{
+ {
+ Ports: []networking.NetworkPolicyPort{
+ {
+ Protocol: &protocolTCP,
+ Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"},
+ },
+ },
+ },
+ },
+ },
+ },
 "invalid ingress.from.namespaceSelector": {
 ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
 Spec: networking.NetworkPolicySpec{
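Review bot: The `invalid egress.ports.port (int)` case uses `IntVal: 123456789`, which is so far out of range that it would not catch an off-by-one in the port bound check. Cases at the edges, `IntVal: 0` and `IntVal: 65536`, would pin the boundary, assuming the validator accepts 1–65535 (the validation code is not on this page). If the enclosing loop only checks that some error is returned (it lies outside the hunk), asserting the reported field as well would confirm the rejection comes from the egress port and not from another part of the spec.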