Went through the review notes

- Adapt the tweaks to be clearer
- Use intstr.FromInt and intstr.FromString
- Add more tests for invalid ports

Signed-off-by: Daniela Lins <danielamlins@gmail.com>
This commit is contained in:
Daniela Lins 2021-02-21 12:22:17 +01:00
parent c9a5bf14d8
commit f7482a6766


@ -59,29 +59,40 @@ func TestValidateNetworkPolicy(t *testing.T) {
protocolSCTP := api.ProtocolSCTP protocolSCTP := api.ProtocolSCTP
endPort := int32(32768) endPort := int32(32768)
// Ports
port80 := intstr.FromInt(80)
port443 := intstr.FromInt(443)
portDns := intstr.FromString("dns")
port7777 := intstr.FromInt(7777)
port32768 := intstr.FromInt(32768)
port30000 := intstr.FromInt(30000)
port32000 := intstr.FromInt(32000)
port35000 := intstr.FromInt(35000)
portInvalidInt := intstr.FromInt(123456789)
portInvalidStr := intstr.FromString("!@#$")
portHttps := intstr.FromString("https")
// Tweaks used below. // Tweaks used below.
setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { setIngressEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}} networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{{}}
} }
setIngressEmptyFrom := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{}
}
setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) { setIngressFromEmptyFirstElement := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}} networkPolicy.Spec.Ingress[0].From = []networking.NetworkPolicyPeer{{}}
} }
setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) { setIngressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{} networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{
{
Ports: []networking.NetworkPolicyPort{{}},
},
}
} }
setIngressPorts := func(networkPolicy *networking.NetworkPolicy) { setIngressPorts := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
{ {
Protocol: nil, Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, Port: &port80,
}, },
{ {
Protocol: &protocolTCP, Protocol: &protocolTCP,
@ -89,15 +100,15 @@ func TestValidateNetworkPolicy(t *testing.T) {
}, },
{ {
Protocol: &protocolTCP, Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, Port: &port443,
}, },
{ {
Protocol: &protocolUDP, Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, Port: &portDns,
}, },
{ {
Protocol: &protocolSCTP, Protocol: &protocolSCTP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, Port: &port7777,
}, },
} }
} }
@ -106,24 +117,19 @@ func TestValidateNetworkPolicy(t *testing.T) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{ networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
{ {
Protocol: &protocolTCP, Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32768}, Port: &port32768,
EndPort: &endPort, EndPort: &endPort,
}, },
} }
} }
setIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) { setIngressFromPodSelector := func(k, v string) func(*networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{ return func(networkPolicy *networking.NetworkPolicy) {
MatchLabels: map[string]string{"c": "d"}, networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{k: v},
}
} }
} }
setAlternativeIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{"e": "f"},
}
}
setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) { setIngressFromNamespaceSelector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{ networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{"c": "d"}, MatchLabels: map[string]string{"c": "d"},
@ -178,11 +184,19 @@ func TestValidateNetworkPolicy(t *testing.T) {
} }
} }
setEgressEmptyPorts := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{
{
Ports: []networking.NetworkPolicyPort{{}},
},
}
}
setEgressPorts := func(networkPolicy *networking.NetworkPolicy) { setEgressPorts := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{ {
Protocol: nil, Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, Port: &port80,
}, },
{ {
Protocol: &protocolTCP, Protocol: &protocolTCP,
@ -190,15 +204,15 @@ func TestValidateNetworkPolicy(t *testing.T) {
}, },
{ {
Protocol: &protocolTCP, Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443}, Port: &port443,
}, },
{ {
Protocol: &protocolUDP, Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, Port: &portDns,
}, },
{ {
Protocol: &protocolSCTP, Protocol: &protocolSCTP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 7777}, Port: &port7777,
}, },
} }
} }
@ -207,12 +221,12 @@ func TestValidateNetworkPolicy(t *testing.T) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{ {
Protocol: nil, Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, Port: &port32000,
EndPort: &endPort, EndPort: &endPort,
}, },
{ {
Protocol: &protocolUDP, Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"}, Port: &portDns,
}, },
} }
} }
@ -221,12 +235,12 @@ func TestValidateNetworkPolicy(t *testing.T) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{ networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{ {
Protocol: nil, Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000}, Port: &port30000,
EndPort: &endPort, EndPort: &endPort,
}, },
{ {
Protocol: nil, Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000}, Port: &port32000,
EndPort: &endPort, EndPort: &endPort,
}, },
} }
@ -242,11 +256,11 @@ func TestValidateNetworkPolicy(t *testing.T) {
successCases := []*networking.NetworkPolicy{ successCases := []*networking.NetworkPolicy{
makeNetworkPolicyCustom(setIngressEmptyFirstElement), makeNetworkPolicyCustom(setIngressEmptyFirstElement),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressEmptyFrom, setIngressEmptyPorts), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressEmptyPorts),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressPorts),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("c", "d")),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setAlternativeIngressFromPodSelector), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromPodSelector("e", "f")),
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock),
makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock), makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock),
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setPolicyTypesEgress),
@ -257,7 +271,7 @@ func TestValidateNetworkPolicy(t *testing.T) {
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesEgress),
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlockIPV6, setPolicyTypesIngressEgress),
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressPortsUDPandHigh),
makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setAlternativeIngressFromPodSelector, setIngressPortsHigher), makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressPortsBothHigh, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromPodSelector("e", "f"), setIngressPortsHigher),
} }
// Success cases are expected to pass validation. // Success cases are expected to pass validation.
@ -270,251 +284,166 @@ func TestValidateNetworkPolicy(t *testing.T) {
invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"} invalidSelector := map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "b"}
// Error specific tweaks
setMissingFromToType := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress = []networking.NetworkPolicyIngressRule{
{
From: []networking.NetworkPolicyPeer{{}},
},
}
networkPolicy.Spec.Egress = []networking.NetworkPolicyEgressRule{
{
To: []networking.NetworkPolicyPeer{{}},
},
}
}
setInvalidSpecPodselector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec = networking.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: invalidSelector,
},
}
}
setInvalidIngressPortProtocol := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolICMP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
},
}
}
setInvalidIngressPortsPort := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789},
},
}
}
setInvalidIngressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"},
},
}
}
setInvalidIngressFromPodSelector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
MatchLabels: invalidSelector,
}
}
setInvalidEgressToPodSelector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{
MatchLabels: invalidSelector,
}
}
setInvalidEgressPortProtocol := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolICMP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
},
}
}
setInvalidEgressPortsPort := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789},
},
}
}
setInvalidEgressPortsPortStr := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"},
},
}
}
setInvalidIngressFromNameSpaceSelector := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
MatchLabels: invalidSelector,
}
}
unsetCIDR := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = ""
}
setInvalidCIDRFormat := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6"
}
setInvalidIPV6Format := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::"
}
setEmptyExcept := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"", " "}
}
setExceptOutRange := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "192.168.8.0/24",
Except: []string{"192.168.9.1/24"},
}
}
setExceptNotStrictlyRange := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "192.168.0.0/24",
Except: []string{"192.168.0.0/24"},
}
}
setExceptIPV6OutRange := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "fd00:192:168:1::/64",
Except: []string{"fd00:192:168:2::/64"},
}
}
setInvalidPolicyTypes := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"}
}
setTooManyPolicyTypes := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"}
}
setEgressMultiplePortsOneInvalid := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000},
EndPort: &endPort,
},
{
Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000},
EndPort: &endPort,
},
}
}
setEndPortNamed := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
EndPort: &endPort,
},
{
Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 32000},
EndPort: &endPort,
},
}
}
setEndPortWithoutPort := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
EndPort: &endPort,
},
}
}
setPortGreaterEndPort := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolSCTP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 33000},
EndPort: &endPort,
},
}
}
setMultipleInvalidPortRanges := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 35000},
EndPort: &endPort,
},
{
Protocol: &protocolTCP,
EndPort: &endPort,
},
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "https"},
EndPort: &endPort,
},
}
}
setInvalidEndPortRanges := func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000},
EndPort: utilpointer.Int32Ptr(65537),
},
}
}
errorCases := map[string]*networking.NetworkPolicy{ errorCases := map[string]*networking.NetworkPolicy{
"namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock), "namespaceSelector and ipBlock": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, setIngressFromIPBlock),
"podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock), "podSelector and ipBlock": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToPodSelector, setEgressToIPBlock),
"missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setEgressEmptyFirstElement, setMissingFromToType), "missing from and to type": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setEgressEmptyFirstElement, setEgressToEmptyFirstElement),
"invalid spec.podSelector": makeNetworkPolicyCustom(setInvalidSpecPodselector, setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector), "invalid spec.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
"invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortProtocol), networkPolicy.Spec = networking.NetworkPolicySpec{
"invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPort), PodSelector: metav1.LabelSelector{
"invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setInvalidIngressPortsPortStr), MatchLabels: invalidSelector,
"invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setInvalidIngressFromPodSelector), },
"invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setInvalidEgressToPodSelector), }
"invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortProtocol), }),
"invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPort), "invalid ingress.ports.protocol": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
"invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setInvalidEgressPortsPortStr), networkPolicy.Spec.Ingress[0].Ports[0].Protocol = &protocolICMP
"invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setInvalidIngressFromNameSpaceSelector), }),
"missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, unsetCIDR), "invalid ingress.ports.port (int)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
"invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setInvalidCIDRFormat), networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidInt
"invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setInvalidIPV6Format), }),
"except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setEmptyExcept), "invalid ingress.ports.port (str)": makeNetworkPolicyCustom(setIngressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
"except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptOutRange), networkPolicy.Spec.Ingress[0].Ports[0].Port = &portInvalidStr
"except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, setExceptNotStrictlyRange), }),
"except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, setExceptIPV6OutRange), "invalid ingress.from.podSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
"invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setInvalidPolicyTypes), networkPolicy.Spec.Ingress[0].From[0].PodSelector = &metav1.LabelSelector{
"too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, setTooManyPolicyTypes), MatchLabels: invalidSelector,
"multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEgressMultiplePortsOneInvalid), }
"endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortNamed), }),
"endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setEndPortWithoutPort), "invalid egress.to.podSelector": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
"port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setPortGreaterEndPort), networkPolicy.Spec.Egress[0].To[0].PodSelector = &metav1.LabelSelector{
"multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setMultipleInvalidPortRanges), MatchLabels: invalidSelector,
"invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, setInvalidEndPortRanges), }
}),
"invalid egress.ports.protocol": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports[0].Protocol = &protocolICMP
}),
"invalid egress.ports.port (int)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidInt
}),
"invalid egress.ports.port (str)": makeNetworkPolicyCustom(setEgressEmptyPorts, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports[0].Port = &portInvalidStr
}),
"invalid ingress.from.namespaceSelector": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].NamespaceSelector = &metav1.LabelSelector{
MatchLabels: invalidSelector,
}
}),
"missing cidr field": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = ""
}),
"invalid cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "192.168.5.6"
}),
"invalid ipv6 cidr format": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlockIPV6, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.CIDR = "fd00:192:168::"
}),
"except field is an empty string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{""}
}),
"except field is an space string": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{" "}
}),
"except field is an invalid ip": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, setIngressFromIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock.Except = []string{"300.300.300.300"}
}),
"except IP is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "192.168.8.0/24",
Except: []string{"192.168.9.1/24"},
}
}),
"except IP is not strictly within CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "192.168.0.0/24",
Except: []string{"192.168.0.0/24"},
}
}),
"except IPv6 is outside of CIDR range": makeNetworkPolicyCustom(setIngressEmptyFirstElement, setIngressFromEmptyFirstElement, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Ingress[0].From[0].IPBlock = &networking.IPBlock{
CIDR: "fd00:192:168:1::/64",
Except: []string{"fd00:192:168:2::/64"},
}
}),
"invalid policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar"}
}),
"too many policyTypes": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToIPBlock, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.PolicyTypes = []networking.PolicyType{"foo", "bar", "baz"}
}),
"multiple ports defined, one port range is invalid": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &port35000,
EndPort: &endPort,
},
{
Protocol: nil,
Port: &port32000,
EndPort: &endPort,
},
}
}),
"endPort defined with named/string port": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &portDns,
EndPort: &endPort,
},
{
Protocol: nil,
Port: &port32000,
EndPort: &endPort,
},
}
}),
"endPort defined without port defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolTCP,
EndPort: &endPort,
},
}
}),
"port is greater than endPort": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolSCTP,
Port: &port35000,
EndPort: &endPort,
},
}
}),
"multiple invalid port ranges defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &port35000,
EndPort: &endPort,
},
{
Protocol: &protocolTCP,
EndPort: &endPort,
},
{
Protocol: &protocolTCP,
Port: &portHttps,
EndPort: &endPort,
},
}
}),
"invalid endport range defined": makeNetworkPolicyCustom(setEgressEmptyFirstElement, setEgressToEmptyFirstElement, setEgressToNamespaceSelector, func(networkPolicy *networking.NetworkPolicy) {
networkPolicy.Spec.Egress[0].Ports = []networking.NetworkPolicyPort{
{
Protocol: nil,
Port: &port30000,
EndPort: utilpointer.Int32Ptr(65537),
},
}
}),
} }
// Error cases are not expected to pass validation. // Error cases are not expected to pass validation.