From f2d6941ee335fbc9cb1e6f481d965ad1ed6c187d Mon Sep 17 00:00:00 2001 From: Blaz Zupan Date: Wed, 17 Jun 2026 14:29:54 -0700 Subject: [PATCH] Add conformance tests for PortRange and NamespaceSelector omission --- ...standard-egress-sctp-port-range-rules.yaml | 30 +++++++++ .../standard-egress-tcp-port-range-rules.yaml | 30 +++++++++ .../standard-egress-udp-port-range-rules.yaml | 30 +++++++++ ...ndard-gress-omitted-namespaceselector.yaml | 20 ++++++ ...tandard-ingress-sctp-port-range-rules.yaml | 30 +++++++++ ...standard-ingress-tcp-port-range-rules.yaml | 30 +++++++++ ...standard-ingress-udp-port-range-rules.yaml | 30 +++++++++ conformance/base/manifests.yaml | 66 +++++++++++++++++++ ...twork-policy-standard-egress-sctp-rules.go | 22 ++++++- ...etwork-policy-standard-egress-tcp-rules.go | 22 ++++++- ...etwork-policy-standard-egress-udp-rules.go | 22 ++++++- ...min-network-policy-standard-gress-rules.go | 20 +++++- ...work-policy-standard-ingress-sctp-rules.go | 22 ++++++- ...twork-policy-standard-ingress-tcp-rules.go | 22 ++++++- ...twork-policy-standard-ingress-udp-rules.go | 22 ++++++- conformance/utils/suite/suite.go | 2 + 16 files changed, 413 insertions(+), 7 deletions(-) create mode 100644 conformance/base/admin_tier/standard-egress-sctp-port-range-rules.yaml create mode 100644 conformance/base/admin_tier/standard-egress-tcp-port-range-rules.yaml create mode 100644 conformance/base/admin_tier/standard-egress-udp-port-range-rules.yaml create mode 100644 conformance/base/admin_tier/standard-gress-omitted-namespaceselector.yaml create mode 100644 conformance/base/admin_tier/standard-ingress-sctp-port-range-rules.yaml create mode 100644 conformance/base/admin_tier/standard-ingress-tcp-port-range-rules.yaml create mode 100644 conformance/base/admin_tier/standard-ingress-udp-port-range-rules.yaml 
diff --git a/conformance/base/admin_tier/standard-egress-sctp-port-range-rules.yaml b/conformance/base/admin_tier/standard-egress-sctp-port-range-rules.yaml
new file mode 100644
index 00000000..7ce5be93
--- /dev/null
+++ b/conformance/base/admin_tier/standard-egress-sctp-port-range-rules.yaml
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: egress-sctp-port-range
+spec:
+ tier: Admin
+ priority: 8
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ egress:
+ - name: "allow-to-hufflepuff-at-port-range-9003-9005"
+ action: "Accept"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ protocols:
+ - sctp:
+ destinationPort:
+ range:
+ start: 9003
+ end: 9005
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/conformance/base/admin_tier/standard-egress-tcp-port-range-rules.yaml b/conformance/base/admin_tier/standard-egress-tcp-port-range-rules.yaml
new file mode 100644
index 00000000..efed4b61
--- /dev/null
+++ b/conformance/base/admin_tier/standard-egress-tcp-port-range-rules.yaml
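Review bot: The priority values of the new policies collide with each other: `priority: 3` is used by egress-tcp-port-range, ingress-tcp-port-range and gress-omitted-namespaceselector, `7` by both UDP policies and `8` by both SCTP policies, and ingress-tcp-port-range and gress-omitted-namespaceselector both select durmstrang as subject with opposite actions for hufflepuff traffic to port 80. Each new file is also applied together with a pre-existing standard-*-rules.yaml whose priority is not visible in this patch. The AdminNetworkPolicy API documents that ordering between equal-priority policies is implementation-chosen, and v1alpha2 appears to keep that contract, so a rule-ordering test can pass or fail by chance if two such policies are ever active at once (for example after a failed cleanup between tests). Please confirm the existing files use different values and consider giving each new policy a priority not used by any other file in admin_tier.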
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: egress-tcp-port-range
+spec:
+ tier: Admin
+ priority: 3
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ egress:
+ - name: "allow-to-hufflepuff-at-port-range-80-8080"
+ action: "Accept"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ protocols:
+ - tcp:
+ destinationPort:
+ range:
+ start: 80
+ end: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/conformance/base/admin_tier/standard-egress-udp-port-range-rules.yaml b/conformance/base/admin_tier/standard-egress-udp-port-range-rules.yaml
new file mode 100644
index 00000000..488e4a9c
--- /dev/null
+++ b/conformance/base/admin_tier/standard-egress-udp-port-range-rules.yaml
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: egress-udp-port-range
+spec:
+ tier: Admin
+ priority: 7
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ egress:
+ - name: "allow-to-gryffindor-at-port-range-53-5353"
+ action: "Accept"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ protocols:
+ - udp:
+ destinationPort:
+ range:
+ start: 53
+ end: 5353
+ - name: "deny-to-gryffindor-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
diff --git a/conformance/base/admin_tier/standard-gress-omitted-namespaceselector.yaml b/conformance/base/admin_tier/standard-gress-omitted-namespaceselector.yaml
new file mode 100644
index 00000000..28a862e9
--- /dev/null
+++ b/conformance/base/admin_tier/standard-gress-omitted-namespaceselector.yaml
@@ -0,0 +1,20 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: gress-omitted-namespaceselector
+spec:
+ tier: Admin
+ priority: 3
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ ingress:
+ - name: "deny-from-all-conformance-pods"
+ action: "Deny"
+ from:
+ - pods:
+ podSelector:
+ matchExpressions:
+ - key: conformance-house
+ operator: Exists
diff --git a/conformance/base/admin_tier/standard-ingress-sctp-port-range-rules.yaml b/conformance/base/admin_tier/standard-ingress-sctp-port-range-rules.yaml
new file mode 100644
index 00000000..431605e7
--- /dev/null
+++ b/conformance/base/admin_tier/standard-ingress-sctp-port-range-rules.yaml
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: ingress-sctp-port-range
+spec:
+ tier: Admin
+ priority: 8
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ ingress:
+ - name: "allow-from-hufflepuff-at-port-range-9003-9005"
+ action: "Accept"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ protocols:
+ - sctp:
+ destinationPort:
+ range:
+ start: 9003
+ end: 9005
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/conformance/base/admin_tier/standard-ingress-tcp-port-range-rules.yaml b/conformance/base/admin_tier/standard-ingress-tcp-port-range-rules.yaml
new file mode 100644
index 00000000..986b10eb
--- /dev/null
+++ b/conformance/base/admin_tier/standard-ingress-tcp-port-range-rules.yaml
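Review bot: The omitted-namespaceSelector test that consumes this policy (in admin-network-policy-standard-gress-rules.go) asserts only denials, so it cannot tell an implementation that treats the omitted selector as "all namespaces" apart from one that fails the pod selector closed and denies all ingress to durmstrang. Every pod the suite creates carries a `conformance-house` label (the durmstrang namespace and viktor-krum StatefulSet added in manifests.yaml follow the same pattern), so `operator: Exists` matches all of them and there is no positive control. Consider narrowing the rule to `operator: In` with `values: [ravenclaw, hufflepuff]` and adding a third probe from a gryffindor pod (e.g. harry-potter-0 to viktor-krum-0 on port 80) that is expected to succeed; that would need confirmation that standard-gress-rules-combined.yaml, applied in the same test, does not itself deny that path.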
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: ingress-tcp-port-range
+spec:
+ tier: Admin
+ priority: 3
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ ingress:
+ - name: "allow-from-hufflepuff-at-port-range-80-8080"
+ action: "Accept"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ protocols:
+ - tcp:
+ destinationPort:
+ range:
+ start: 80
+ end: 8080
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/conformance/base/admin_tier/standard-ingress-udp-port-range-rules.yaml b/conformance/base/admin_tier/standard-ingress-udp-port-range-rules.yaml
new file mode 100644
index 00000000..6303bd43
--- /dev/null
+++ b/conformance/base/admin_tier/standard-ingress-udp-port-range-rules.yaml
@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+ name: ingress-udp-port-range
+spec:
+ tier: Admin
+ priority: 7
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+ ingress:
+ - name: "allow-from-hufflepuff-at-port-range-53-5353"
+ action: "Accept"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ protocols:
+ - udp:
+ destinationPort:
+ range:
+ start: 53
+ end: 5353
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/conformance/base/manifests.yaml b/conformance/base/manifests.yaml
index 8bbe2ae2..b1afe531 100644
--- a/conformance/base/manifests.yaml
+++ b/conformance/base/manifests.yaml
@@ -36,6 +36,13 @@ metadata:
 name: network-policy-conformance-forbidden-forrest
 labels:
 conformance-house: forbidden-forrest
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-policy-conformance-durmstrang
+ labels:
+ conformance-house: durmstrang
 # Create 4 deployments; 2 pods each under these namespaces
 ---
 apiVersion: apps/v1
@@ -313,3 +320,62 @@ spec:
 env:
 - name: SERVE_SCTP_PORT_{{ index .HostNetworkPorts 7 }}
 value: "foo"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: viktor-krum
+ namespace: network-policy-conformance-durmstrang
+spec:
+ selector:
+ matchLabels:
+ conformance-house: durmstrang
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ conformance-house: durmstrang
+ spec:
+ containers:
+ - name: viktor-krum-client
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ - name: viktor-krum-80
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ name: web
+ - name: viktor-krum-8080
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: web-8080
+ - name: viktor-krum-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ ports:
+ - containerPort: 53
+ protocol: UDP
+ name: dns
+ - name: viktor-krum-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ ports:
+ - containerPort: 5353
+ protocol: UDP
+ name: dns-sd
+ - name: viktor-krum-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: viktor-krum-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.45
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
diff --git a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
index f8b40c2b..ab00bcd5 100644
--- a/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-sctp-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-egress-sctp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-egress-sctp-rules.yaml",
+ "base/admin_tier/standard-egress-sctp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -66,6 +69,23 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `egress-sctp-port-range` admin CNP
+ // cedric-diggory-1 is our server pod in hufflepuff namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+ // viktor-krum-0 is our client pod in durmstrang namespace
+ // ensure egress is ALLOWED to hufflepuff from durmstrang at port 9003 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ // ensure egress is ALLOWED to hufflepuff from durmstrang at port 9005 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
+ // viktor-krum-1 is our client pod in durmstrang namespace
+ // ensure egress is DENIED to hufflepuff from durmstrang for rest of the traffic (e.g. port 9006, outside range); egressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "sctp",
+ serverPod.Status.PodIP, int32(9006), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `egress-sctp` admin CNP
 // harry-potter-0 is our server pod in gryffindor namespace
diff --git a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
index a5d58e25..c4094c33 100644
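Review bot: The "outside range" probe to port 9006 on cedric-diggory-1 expects a failure, but nothing in this patch shows that pod listening on 9006, so a connection refused or timeout satisfies the assertion whether or not the Deny rule is enforced; the same holds for port 8081 in the TCP egress hunk and 5354 in the UDP egress hunk, and for the three ingress variants it is certain, because the viktor-krum StatefulSet added in manifests.yaml serves only 80, 8080, 53, 5353, 9003 and 9005. A negative test is only evidence of enforcement when the port is reachable without the policy. One way to keep the check meaningful is to leave a served port just outside the allowed range: `end: 9004` in the SCTP port-range policies with the denied probe on `int32(9005)`, `end: 8079` with the probe on `int32(8080)` for TCP, and `end: 5352` with the probe on `int32(5353)` for UDP. The enclosing Test func starts before this hunk.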
--- a/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-tcp-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-egress-tcp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-egress-tcp-rules.yaml",
+ "base/admin_tier/standard-egress-tcp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -65,6 +68,23 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `egress-tcp-port-range` admin CNP
+ // cedric-diggory-1 is our server pod in hufflepuff namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+ // viktor-krum-0 is our client pod in durmstrang namespace
+ // ensure egress is ALLOWED to hufflepuff from durmstrang at port 8080 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
+ // ensure egress is ALLOWED to hufflepuff from durmstrang at port 80 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ // viktor-krum-1 is our client pod in durmstrang namespace
+ // ensure egress is DENIED to hufflepuff from durmstrang for rest of the traffic (e.g. port 8081, outside range); egressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "tcp",
+ serverPod.Status.PodIP, int32(8081), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `egress-tcp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
diff --git a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
index 82a4502f..fe2af69b 100644
--- a/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-egress-udp-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-egress-udp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-egress-udp-rules.yaml",
+ "base/admin_tier/standard-egress-udp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -66,6 +69,23 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `egress-udp-port-range` admin CNP
+ // harry-potter-1 is our server pod in gryffindor namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+ // viktor-krum-0 is our client pod in durmstrang namespace
+ // ensure egress is ALLOWED to gryffindor from durmstrang at port 53 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ // ensure egress is ALLOWED to gryffindor from durmstrang at port 5353 (in range); egressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
+ // viktor-krum-1 is our client pod in durmstrang namespace
+ // ensure egress is DENIED to gryffindor from durmstrang for rest of the traffic (e.g. port 5354, outside range); egressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "udp",
+ serverPod.Status.PodIP, int32(5354), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `egress-udp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
diff --git a/conformance/tests/admin-network-policy-standard-gress-rules.go b/conformance/tests/admin-network-policy-standard-gress-rules.go
index b32fb97f..7873ff40 100644
--- a/conformance/tests/admin-network-policy-standard-gress-rules.go
+++ b/conformance/tests/admin-network-policy-standard-gress-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierGress = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-gress-rules-combined.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-gress-rules-combined.yaml",
+ "base/admin_tier/standard-gress-omitted-namespaceselector.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) {
@@ -345,5 +348,20 @@ var CNPAdminTierGress = suite.ConformanceTest{
 kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp",
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
 })
+
+ t.Run("Should support matching pods across namespaces when namespaceSelector is omitted", func(t *testing.T) {
+ // This test uses `gress-omitted-namespaceselector` admin CNP
+ // viktor-krum-0 is our server pod in durmstrang namespace (subject of CNP)
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-durmstrang", "viktor-krum-0", s.TimeoutConfig.GetTimeout)
+
+ // Verify connectivity:
+ // luna-lovegood-0 (in ravenclaw) -> viktor-krum-0 on port 80 should FAIL (blocked by deny rule)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+
+ // cedric-diggory-0 (in hufflepuff) -> viktor-krum-0 on port 80 should FAIL (blocked by deny rule)
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
+ })
 },
 }
diff --git a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
index b912e8fc..5b58605d 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-sctp-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-ingress-sctp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-ingress-sctp-rules.yaml",
+ "base/admin_tier/standard-ingress-sctp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -65,6 +68,23 @@ var CNPAdminTierIngressSCTP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `ingress-sctp-port-range` admin CNP
+ // viktor-krum-0 is our server pod in durmstrang namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-durmstrang", "viktor-krum-0", s.TimeoutConfig.GetTimeout)
+ // cedric-diggory-0 is our client pod in hufflepuff namespace
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 9003 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp",
+ serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 9005 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp",
+ serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
+ // cedric-diggory-1 is our client pod in hufflepuff namespace
+ // ensure ingress is DENIED from hufflepuff to durmstrang for rest of the traffic (e.g. port 9006, outside range); ingressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp",
+ serverPod.Status.PodIP, int32(9006), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `ingress-sctp` admin CNP
 // luna-lovegood-1 is our server pod in ravenclaw namespace
diff --git a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
index 2d34dcba..2cb7ed57 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-tcp-rules.go
@@ -35,7 +35,10 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-ingress-tcp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-ingress-tcp-rules.yaml",
+ "base/admin_tier/standard-ingress-tcp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -65,6 +68,23 @@ var CNPAdminTierIngressTCP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `ingress-tcp-port-range` admin CNP
+ // viktor-krum-0 is our server pod in durmstrang namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-durmstrang", "viktor-krum-0", s.TimeoutConfig.GetTimeout)
+ // cedric-diggory-0 is our client pod in hufflepuff namespace
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 80 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp",
+ serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 8080 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp",
+ serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
+ // cedric-diggory-1 is our client pod in hufflepuff namespace
+ // ensure ingress is DENIED from hufflepuff to durmstrang for rest of the traffic (e.g. port 8081, outside range); ingressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp",
+ serverPod.Status.PodIP, int32(8081), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `ingress-tcp` admin CNP
 // harry-potter-1 is our server pod in gryffindor namespace
diff --git a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
index e4bcbf66..62a6bbba 100644
--- a/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-standard-ingress-udp-rules.go
@@ -36,7 +36,10 @@ var CNPAdminTierIngressUDP = suite.ConformanceTest{
 Features: []suite.SupportedFeature{
 suite.SupportClusterNetworkPolicy,
 },
- Manifests: []string{"base/admin_tier/standard-ingress-udp-rules.yaml"},
+ Manifests: []string{
+ "base/admin_tier/standard-ingress-udp-rules.yaml",
+ "base/admin_tier/standard-ingress-udp-port-range-rules.yaml",
+ },
 Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -66,6 +69,23 @@ var CNPAdminTierIngressUDP = suite.ConformanceTest{
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
 })
+ t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port range", func(t *testing.T) {
+ // This test uses `ingress-udp-port-range` admin CNP
+ // viktor-krum-0 is our server pod in durmstrang namespace
+ serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-durmstrang", "viktor-krum-0", s.TimeoutConfig.GetTimeout)
+ // cedric-diggory-0 is our client pod in hufflepuff namespace
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 53 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
+ serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+ // ensure ingress is ALLOWED from hufflepuff to durmstrang at port 5353 (in range); ingressRule at index0 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
+ serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
+ // cedric-diggory-1 is our client pod in hufflepuff namespace
+ // ensure ingress is DENIED from hufflepuff to durmstrang for rest of the traffic (e.g. port 5354, outside range); ingressRule at index1 should take effect
+ kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
+ serverPod.Status.PodIP, int32(5354), s.TimeoutConfig, false)
+ })
+
 t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
 // This test uses `ingress-udp` admin CNP
 // cedric-diggory-1 is our server pod in hufflepuff namespace
diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go
index 08ffbf6c..d136271a 100644
--- a/conformance/utils/suite/suite.go
+++ b/conformance/utils/suite/suite.go
@@ -164,6 +164,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T) {
 "network-policy-conformance-hufflepuff",
 "network-policy-conformance-ravenclaw",
 "network-policy-conformance-forbidden-forrest",
+ "network-policy-conformance-durmstrang",
 }
 statefulSets := []string{
 "harry-potter",
@@ -171,6 +172,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T) {
 "cedric-diggory",
 "luna-lovegood",
 "centaur",
+ "viktor-krum",
 }
 kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, namespaces, statefulSets)
 }