Add conformance tests for PortRange and NamespaceSelector omission

conformance/base/admin_tier/standard-egress-sctp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: egress-sctp-port-range
+spec:
+  tier: Admin
+  priority: 8
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  egress:
+  - name: "allow-to-hufflepuff-at-port-range-9003-9005"
+    action: "Accept"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    protocols:
+      - sctp:
+          destinationPort:
+            range:
+              start: 9003
+              end: 9005
+  - name: "deny-to-hufflepuff-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/admin_tier/standard-egress-tcp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: egress-tcp-port-range
+spec:
+  tier: Admin
+  priority: 3
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  egress:
+  - name: "allow-to-hufflepuff-at-port-range-80-8080"
+    action: "Accept"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    protocols:
+      - tcp:
+          destinationPort:
+            range:
+              start: 80
+              end: 8080
+  - name: "deny-to-hufflepuff-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/admin_tier/standard-egress-udp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: egress-udp-port-range
+spec:
+  tier: Admin
+  priority: 7
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  egress:
+  - name: "allow-to-gryffindor-at-port-range-53-5353"
+    action: "Accept"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    protocols:
+      - udp:
+          destinationPort:
+            range:
+              start: 53
+              end: 5353
+  - name: "deny-to-gryffindor-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-gryffindor

conformance/base/admin_tier/standard-gress-omitted-namespaceselector.yaml

@@ -0,0 +1,20 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: gress-omitted-namespaceselector
+spec:
+  tier: Admin
+  priority: 3
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  ingress:
+  - name: "deny-from-all-conformance-pods"
+    action: "Deny"
+    from:
+    - pods:
+        podSelector:
+          matchExpressions:
+          - key: conformance-house
+            operator: Exists

conformance/base/admin_tier/standard-ingress-sctp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: ingress-sctp-port-range
+spec:
+  tier: Admin
+  priority: 8
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  ingress:
+  - name: "allow-from-hufflepuff-at-port-range-9003-9005"
+    action: "Accept"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    protocols:
+      - sctp:
+          destinationPort:
+            range:
+              start: 9003
+              end: 9005
+  - name: "deny-from-hufflepuff-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/admin_tier/standard-ingress-tcp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: ingress-tcp-port-range
+spec:
+  tier: Admin
+  priority: 3
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  ingress:
+  - name: "allow-from-hufflepuff-at-port-range-80-8080"
+    action: "Accept"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    protocols:
+      - tcp:
+          destinationPort:
+            range:
+              start: 80
+              end: 8080
+  - name: "deny-from-hufflepuff-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/admin_tier/standard-ingress-udp-port-range-rules.yaml

@@ -0,0 +1,30 @@
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
+metadata:
+  name: ingress-udp-port-range
+spec:
+  tier: Admin
+  priority: 7
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-durmstrang
+  ingress:
+  - name: "allow-from-hufflepuff-at-port-range-53-5353"
+    action: "Accept"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    protocols:
+      - udp:
+          destinationPort:
+            range:
+              start: 53
+              end: 5353
+  - name: "deny-from-hufflepuff-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/manifests.yaml

@@ -36,6 +36,13 @@ metadata:
   name: network-policy-conformance-forbidden-forrest
   labels:
     conformance-house: forbidden-forrest
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: network-policy-conformance-durmstrang
+  labels:
+    conformance-house: durmstrang
 # Create 4 deployments; 2 pods each under these namespaces
 ---
 apiVersion: apps/v1
@@ -313,3 +320,62 @@ spec:
           env:
           - name: SERVE_SCTP_PORT_{{ index .HostNetworkPorts 7 }}
             value: "foo"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: viktor-krum
+  namespace: network-policy-conformance-durmstrang
+spec:
+  selector:
+    matchLabels:
+      conformance-house: durmstrang
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        conformance-house: durmstrang
+    spec:
+      containers:
+        - name: viktor-krum-client
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+        - name: viktor-krum-80
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+          ports:
+            - containerPort: 80
+              protocol: TCP
+              name: web
+        - name: viktor-krum-8080
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: web-8080
+        - name: viktor-krum-53
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+          ports:
+            - containerPort: 53
+              protocol: UDP
+              name: dns
+        - name: viktor-krum-5353
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+          ports:
+            - containerPort: 5353
+              protocol: UDP
+              name: dns-sd
+        - name: viktor-krum-9003
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost porter"]
+          env:
+          - name: SERVE_SCTP_PORT_9003
+            value: "foo"
+        - name: viktor-krum-9005
+          image: registry.k8s.io/e2e-test-images/agnhost:2.45
+          command: ["/bin/bash", "-c", "/agnhost porter"]
+          env:
+          - name: SERVE_SCTP_PORT_9005
+            value: "foo"

conformance/tests/admin-network-policy-standard-egress-sctp-rules.go

@@ -35,7 +35,10 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportClusterNetworkPolicy,
 	},
-	Manifests: []string{"base/admin_tier/standard-egress-sctp-rules.yaml"},
+	Manifests: []string{
+		"base/admin_tier/standard-egress-sctp-rules.yaml",
+		"base/admin_tier/standard-egress-sctp-port-range-rules.yaml",
+	},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -66,6 +69,23 @@ var CNPAdminTierEgressSCTP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, false)
 		})
 
+		t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port range", func(t *testing.T) {
+			// This test uses `egress-sctp-port-range` admin CNP
+			// cedric-diggory-1 is our server pod in hufflepuff namespace
+			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+			// viktor-krum-0 is our client pod in durmstrang namespace
+			// ensure egress is ALLOWED to hufflepuff from durmstrang at port 9003 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "sctp",
+				serverPod.Status.PodIP, int32(9003), s.TimeoutConfig, true)
+			// ensure egress is ALLOWED to hufflepuff from durmstrang at port 9005 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "sctp",
+				serverPod.Status.PodIP, int32(9005), s.TimeoutConfig, true)
+			// viktor-krum-1 is our client pod in durmstrang namespace
+			// ensure egress is DENIED to hufflepuff from durmstrang for rest of the traffic (e.g. port 9006, outside range); egressRule at index1 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "sctp",
+				serverPod.Status.PodIP, int32(9006), s.TimeoutConfig, false)
+		})
+
 		t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
 			// This test uses `egress-sctp` admin CNP
 			// harry-potter-0 is our server pod in gryffindor namespace

conformance/tests/admin-network-policy-standard-egress-tcp-rules.go

@@ -35,7 +35,10 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportClusterNetworkPolicy,
 	},
-	Manifests: []string{"base/admin_tier/standard-egress-tcp-rules.yaml"},
+	Manifests: []string{
+		"base/admin_tier/standard-egress-tcp-rules.yaml",
+		"base/admin_tier/standard-egress-tcp-port-range-rules.yaml",
+	},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -65,6 +68,23 @@ var CNPAdminTierEgressTCP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, false)
 		})
 
+		t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port range", func(t *testing.T) {
+			// This test uses `egress-tcp-port-range` admin CNP
+			// cedric-diggory-1 is our server pod in hufflepuff namespace
+			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-hufflepuff", "cedric-diggory-1", s.TimeoutConfig.GetTimeout)
+			// viktor-krum-0 is our client pod in durmstrang namespace
+			// ensure egress is ALLOWED to hufflepuff from durmstrang at port 8080 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "tcp",
+				serverPod.Status.PodIP, int32(8080), s.TimeoutConfig, true)
+			// ensure egress is ALLOWED to hufflepuff from durmstrang at port 80 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "tcp",
+				serverPod.Status.PodIP, int32(80), s.TimeoutConfig, true)
+			// viktor-krum-1 is our client pod in durmstrang namespace
+			// ensure egress is DENIED to hufflepuff from durmstrang for rest of the traffic (e.g. port 8081, outside range); egressRule at index1 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "tcp",
+				serverPod.Status.PodIP, int32(8081), s.TimeoutConfig, false)
+		})
+
 		t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
 			// This test uses `egress-tcp` admin CNP
 			// luna-lovegood-1 is our server pod in ravenclaw namespace

conformance/tests/admin-network-policy-standard-egress-udp-rules.go

@@ -35,7 +35,10 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportClusterNetworkPolicy,
 	},
-	Manifests: []string{"base/admin_tier/standard-egress-udp-rules.yaml"},
+	Manifests: []string{
+		"base/admin_tier/standard-egress-udp-rules.yaml",
+		"base/admin_tier/standard-egress-udp-port-range-rules.yaml",
+	},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -66,6 +69,23 @@ var CNPAdminTierEgressUDP = suite.ConformanceTest{
 				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, false)
 		})
 
+		t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port range", func(t *testing.T) {
+			// This test uses `egress-udp-port-range` admin CNP
+			// harry-potter-1 is our server pod in gryffindor namespace
+			serverPod := kubernetes.GetPod(t, s.Client, "network-policy-conformance-gryffindor", "harry-potter-1", s.TimeoutConfig.GetTimeout)
+			// viktor-krum-0 is our client pod in durmstrang namespace
+			// ensure egress is ALLOWED to gryffindor from durmstrang at port 53 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "udp",
+				serverPod.Status.PodIP, int32(53), s.TimeoutConfig, true)
+			// ensure egress is ALLOWED to gryffindor from durmstrang at port 5353 (in range); egressRule at index0 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-0", "udp",
+				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig, true)
+			// viktor-krum-1 is our client pod in durmstrang namespace
+			// ensure egress is DENIED to gryffindor from durmstrang for rest of the traffic (e.g. port 5354, outside range); egressRule at index1 should take effect
+			kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-durmstrang", "viktor-krum-1", "udp",
+				serverPod.Status.PodIP, int32(5354), s.TimeoutConfig, false)
+		})
+
 		t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
 			// This test uses `egress-udp` admin CNP
 			// luna-lovegood-1 is our server pod in ravenclaw namespace