diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go
index 256f88f2c11..0059c5fc7eb 100644
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@@ -1088,6 +1088,44 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() {
 			reachability.ExpectAllIngress(NewPodString(nsX, "a"), false)
 			ValidateOrFail(k8s, model, &TestCase{ToPort: 81, Protocol: v1.ProtocolTCP, Reachability: reachability})
 		})
+
+		ginkgo.It("should enforce policy to allow traffic based on NamespaceSelector with MatchLabels using default ns label [Feature:NetworkPolicy]", func() {
+			nsX, nsY, nsZ, model, k8s := getK8SModel(f)
+			allowedLabels := &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					v1.LabelMetadataName: nsY,
+				},
+			}
+			ingressRule := networkingv1.NetworkPolicyIngressRule{}
+			ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels})
+			policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector-for-immutable-ns-label", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
+			CreatePolicy(k8s, policy, nsX)
+
+			reachability := NewReachability(model.AllPods(), true)
+			reachability.ExpectPeer(&Peer{Namespace: nsX}, &Peer{Namespace: nsX, Pod: "a"}, false)
+			reachability.ExpectPeer(&Peer{Namespace: nsZ}, &Peer{Namespace: nsX, Pod: "a"}, false)
+
+			ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
+		})
+
+		ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions using default ns label [Feature:NetworkPolicy]", func() {
+			nsX, nsY, _, model, k8s := getK8SModel(f)
+			allowedNamespaces := &metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{{
+					Key:      v1.LabelMetadataName,
+					Operator: metav1.LabelSelectorOpNotIn,
+					Values:   []string{nsY},
+				}},
+			}
+			egressRule := networkingv1.NetworkPolicyEgressRule{}
+			egressRule.To = append(egressRule.To, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces})
+			policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-match-selector-for-immutable-ns-label", map[string]string{"pod": "a"}, SetSpecEgressRules(egressRule))
+			CreatePolicy(k8s, policy, nsX)
+
+			reachability := NewReachability(model.AllPods(), true)
+			reachability.ExpectPeer(&Peer{Namespace: nsX, Pod: "a"}, &Peer{Namespace: nsY}, false)
+			ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
+		})
 	})
 })
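Review bot: Neither new `ginkgo.It` block says why a second MatchLabels/MatchExpressions pair keyed on `v1.LabelMetadataName` is needed next to the existing NamespaceSelector tests, and the It titles say "default ns label" while the policy names say "immutable-ns-label", so a reader cannot tell whether one or two properties are under test. A comment above the first block such as `// Selects peers by the API-server-managed kubernetes.io/metadata.name label instead of a label applied by the test, so enforcement presumably cannot be undone by relabeling the namespace.` would tie the titles and policy names together. Both tests also only hold if every namespace in the model carries that label; if the suite can run against a cluster where it is not populated (not visible in the hunk), a missing label would surface as a false policy-enforcement failure rather than a skip. The enclosing Context/SIGDescribe closures start before and end after the hunk.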