Fix bad CIDRs in a NetworkPolicy test

It was writing out IPBlock CIDRs like "192.168.0.5/4" rather than "192.0.0.0/4". Also, simplify a bit by basing the `cidr` and the `except` both on podB, rather than one on podA and one on podB. (This is even theoretically a bugfix, since it's not _required_ that podA and podB be in the same /4.) Also reorganize the code to make the two test cases more consistent with each other.
2025-07-29 22:46:12 +00:00 · 2025-02-24 17:53:41 -05:00 · 2025-02-24 17:53:41 -05:00 · f2e8fe93fb
commit f2e8fe93fb
parent ffad281e3e
1 changed files with 23 additions and 14 deletions
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@ -19,6 +19,7 @@ package netpol
 import (
 	"context"
 	"fmt"
+	"net"
 	"time"

 	"k8s.io/apimachinery/pkg/util/intstr"
@ -1022,16 +1023,15 @@ var _ = common.SIGDescribe("Netpol", func() {
 			ports := []int32{80}
 			k8s = initializeResources(ctx, f, protocols, ports)
 			nsX, _, _ := getK8sNamespaces(k8s)
-			podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=a"})
-			framework.ExpectNoError(err, "Failing to find pod x/a")
-			podA := podList.Items[0]

-			podServerAllowCIDR := fmt.Sprintf("%s/4", podA.Status.PodIP)
-
-			podList, err = f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
+			podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
 			framework.ExpectNoError(err, "Failing to find pod x/b")
 			podB := podList.Items[0]

+			// Create a rule that allows egress to a large set of IPs around
+			// podB, but not podB itself.
+
+			podServerAllowCIDR := makeLargeCIDRForIP(podB.Status.PodIP)
 			hostMask := 32
 			if utilnet.IsIPv6String(podB.Status.PodIP) {
 				hostMask = 128
@ -1056,21 +1056,19 @@ var _ = common.SIGDescribe("Netpol", func() {
 			ports := []int32{80}
 			k8s = initializeResources(ctx, f, protocols, ports)
 			nsX, _, _ := getK8sNamespaces(k8s)
-			podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=a"})
-			framework.ExpectNoError(err, "Failing to find pod x/a")
-			podA := podList.Items[0]

-			podList, err = f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
+			podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
 			framework.ExpectNoError(err, "Failing to find pod x/b")
 			podB := podList.Items[0]

-			// Exclude podServer's IP with an Except clause
+			// Create a rule that allows egress to a large set of IPs around
+			// podB, but not podB itself.
+
+			podServerAllowCIDR := makeLargeCIDRForIP(podB.Status.PodIP)
 			hostMask := 32
 			if utilnet.IsIPv6String(podB.Status.PodIP) {
 				hostMask = 128
 			}
-
-			podServerAllowCIDR := fmt.Sprintf("%s/4", podA.Status.PodIP)
 			podServerExceptList := []string{fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)}
 			egressRule1 := networkingv1.NetworkPolicyEgressRule{}
 			egressRule1.To = append(egressRule1.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podServerAllowCIDR, Except: podServerExceptList}})
@ -1083,8 +1081,8 @@ var _ = common.SIGDescribe("Netpol", func() {

 			ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})

+			// Create a second NetworkPolicy which allows access to podB
 			podBIP := fmt.Sprintf("%s/%d", podB.Status.PodIP, hostMask)
-			//// Create NetworkPolicy which allows access to the podServer using podServer's IP in allow CIDR.
 			egressRule3 := networkingv1.NetworkPolicyEgressRule{}
 			egressRule3.To = append(egressRule3.To, networkingv1.NetworkPolicyPeer{IPBlock: &networkingv1.IPBlock{CIDR: podBIP}})
 			allowPolicy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-cidr-egress-rule",
@ -1465,3 +1463,14 @@ func initializeResources(ctx context.Context, f *framework.Framework, protocols
 	framework.ExpectNoError(err, "unable to initialize resources")
 	return k8s
 }
+
+// makeLargeCIDRForIP returns a CIDR that matches the given IP and many many many other
+// IPs. (Specifically, it returns the /4 that contains the IP.)
+func makeLargeCIDRForIP(ip string) string {
+	podIP := utilnet.ParseIPSloppy(ip)
+	if ip4 := podIP.To4(); ip4 != nil {
+		podIP = ip4
+	}
+	cidrBase := podIP.Mask(net.CIDRMask(4, 8*len(podIP)))
+	return fmt.Sprintf("%s/4", cidrBase.String())
+}