
Commit 85f553d

authored
Merge pull request #132 from Dyanngg/named-port-conformance
Add conformance testcases for AdminNetworkPolicy named port feature
2 parents 5f634a1 + 936951c commit 85f553d

9 files changed

+380
-71
lines changed

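--- a/conformance/base/manifests.yaml
+++ b/conformance/base/manifests.yaml
@@ -52,6 +52,10 @@ spec:
 - name: harry-potter-80
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ports:
+- containerPort: 80
+protocol: TCP
+name: web
 - name: harry-potter-8080
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -61,6 +65,10 @@ spec:
 - name: harry-potter-53
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ports:
+- containerPort: 53
+protocol: UDP
+name: dns
 - name: harry-potter-9003
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -95,6 +103,10 @@ spec:
 - name: draco-malfoy-80
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ports:
+- containerPort: 80
+protocol: TCP
+name: web
 - name: draco-malfoy-8080
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -104,6 +116,10 @@ spec:
 - name: draco-malfoy-53
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ports:
+- containerPort: 53
+protocol: UDP
+name: dns
 - name: draco-malfoy-9003
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -138,6 +154,10 @@ spec:
 - name: cedric-diggory-80
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ports:
+- containerPort: 80
+protocol: TCP
+name: web
 - name: cedric-diggory-8080
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -147,6 +167,10 @@ spec:
 - name: cedric-diggory-53
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ports:
+- containerPort: 53
+protocol: UDP
+name: dns
 - name: cedric-diggory-9003
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost porter"]
@@ -181,6 +205,10 @@ spec:
 - name: luna-lovegood-80
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ports:
+- containerPort: 80
+protocol: TCP
+name: web
 - name: luna-lovegood-8080
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
@@ -190,6 +218,10 @@ spec:
 - name: luna-lovegood-53
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ports:
+- containerPort: 53
+protocol: UDP
+name: dns
 - name: luna-lovegood-9003
 image: registry.k8s.io/e2e-test-images/agnhost:2.43
 command: ["/bin/bash", "-c", "/agnhost porter"]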
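Review bot: Every workload maps the name `web` to containerPort 80 and `dns` to 53 (new lines 55-58 and 68-71, repeated in the draco-malfoy, cedric-diggory and luna-lovegood hunks), so a policy implementation that resolves a named port once to a single number rather than per pod would presumably still pass the new conformance test. Consider giving one workload a different number under the same name, for example putting `name: web` on its 8080 container instead of the 80 one, and asserting that a rule on `web` follows that pod's own mapping. The test that consumes these names is not visible on this page, so confirm whether it already covers that case.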

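--- a/conformance/tests/admin-network-policy-core-egress-tcp-rules.go
+++ b/conformance/tests/admin-network-policy-core-egress-tcp-rules.go
@@ -33,6 +33,7 @@ import (
 func init() {
 ConformanceTests = append(ConformanceTests,
 AdminNetworkPolicyEgressTCP,
+AdminNetworkPolicyEgressNamedPort,
 )
 }
 
@@ -61,10 +62,10 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -79,15 +80,15 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 }, serverPod)
 require.NoErrorf(t, err, "unable to fetch the server pod")
 // harry-potter-0 is our client pod in gryffindor namespace
-// ensure egress is ALLOWED to hufflepuff from gryffindor at port 80; egressRule at index5 should take effect
+// ensure egress is ALLOWED to hufflepuff from gryffindor at port 8080; egressRule at index5 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress is DENIED to hufflepuff from gryffindor for rest of the traffic; egressRule at index6 should take effect
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -117,11 +118,11 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // harry-potter-1 is our client pod in gryffindor namespace
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -139,12 +140,12 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 // ensure egress to slytherin is DENIED from gryffindor at port 80; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress to slytherin is ALLOWED from gryffindor for rest of the traffic; matches no rules hence allowed
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'pass-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -174,11 +175,11 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // harry-potter-1 is our server pod in gryffindor namespace
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support a 'pass-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
@@ -207,12 +208,12 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 // ensure egress from gryffindor is PASSED to slytherin at port 80; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp",
 serverPod.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // harry-potter-1 is our client pod in gryffindor namespace
 // ensure egress from gryffindor is ALLOWED to slytherin for rest of the traffic; matches no rules hence allowed
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp",
 serverPod.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 },
 }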
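Review bot: The deny-path assertions (new lines 91, 121, 125 and 143) still carry no failure message, so a run in which traffic that should have been blocked got through reports only a bare "Should be true". At those sites `success` is the result of `PokeServer` called with an expected outcome of `false`, which presumably means "observed matched expected" rather than "connection succeeded"; a message such as `assert.True(t, success, "egress to port 80 should be DENIED")` would make the failing rule identifiable from the log. The same applies to the deny cases in admin-network-policy-core-egress-udp-rules.go. Separately, the context comment at new line 179 calls harry-potter-1 "our server pod" although the call passes it as the client; `// harry-potter-1 is our client pod in gryffindor namespace` would match the code.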

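--- a/conformance/tests/admin-network-policy-core-egress-udp-rules.go
+++ b/conformance/tests/admin-network-policy-core-egress-udp-rules.go
@@ -61,11 +61,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1; thus ALLOW takes precedence over DENY since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -83,12 +83,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // ensure egress is ALLOWED to gryffindor from hufflepuff at port 53; egressRule at index5
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 // ensure egress is DENIED to gryffindor from hufflepuff for rest of the traffic; egressRule at index6
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -118,11 +118,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1; thus DENY takes precedence over ALLOW since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -140,12 +140,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // ensure egress to slytherin is DENIED from hufflepuff at port 80; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-0 is our client pod in hufflepuff namespace
 // ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support an 'pass-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
@@ -175,11 +175,11 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // egressRule at index0 will take precedence over egressRule at index1&index2; thus PASS takes precedence over ALLOW/DENY since rules are ordered
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 
 t.Run("Should support a 'pass-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
@@ -208,12 +208,12 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 // ensure egress to slytherin is PASSED from hufflepuff at port 5353; egressRule at index3 should take effect
 success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp",
 serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 // cedric-diggory-1 is our client pod in hufflepuff namespace
 // ensure egress to slytherin is ALLOWED from hufflepuff for rest of the traffic; matches no rules hence allowed
 success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp",
 serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
-assert.Equal(t, true, success)
+assert.True(t, success)
 })
 },
 }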
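Review bot: Two context comments in the hunk at new lines 140-148 contradict the calls beneath them, and they were left as-is while the TCP file had its port comment corrected in this same commit. Line 140 says DENIED "at port 80" but the call probes UDP 5353, and line 144 names cedric-diggory-0 while the next call uses cedric-diggory-1; suggest `// ensure egress to slytherin is DENIED from hufflepuff at port 5353; egressRule at index3 should take effect` and `// cedric-diggory-1 is our client pod in hufflepuff namespace`. In a policy conformance suite the comment is what a reader checks the expected verdict against, so it should name the port and pod actually used.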
