Add same-labels e2e testcase

Signed-off-by: Dyanngg <dingyang@vmware.com>
antrea-io · Jan 10, 2023 · d9adf87 · d9adf87
1 parent cdf7892
commit d9adf87
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 3 deletions.
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -138,8 +138,8 @@ func initNamespaceMeta(formFactor string) map[string]TestNamespaceMeta {
 			}
 			allNamespaceMeta["dev"+strconv.Itoa(i)] = devNS
 		}
-		allNamespaceMeta["no-tier-label"] = TestNamespaceMeta{
-			Name: "no-tier-label-" + suffix,
+		allNamespaceMeta["no-tier"] = TestNamespaceMeta{
+			Name: "no-tier-" + suffix,
 			Labels: map[string]string{
 				"purpose": "test",
 			},
@@ -3185,7 +3185,50 @@ func testACNPStrictNamespacesIsolation(t *testing.T) {
 	}
 
 	testCase := []*TestCase{
-		{"ACNP strict Namespace isolation for all namespaces", []*TestStep{testStep1, testStep2}},
+		{"ACNP strict Namespace isolation for all Namespaces", []*TestStep{testStep1, testStep2}},
+	}
+	executeTests(t, testCase)
+}
+
+func testACNPStrictNamespacesIsolationByLabel(t *testing.T) {
+	samePurposeTierLabels := &crdv1alpha1.PeerNamespaces{
+		SameLabels: []string{"purpose", "tier"},
+	}
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("test-acnp-strict-ns-isolation-by-label").
+		SetTier("securityops").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}})
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil,
+		samePurposeTierLabels, nil, crdv1alpha1.RuleActionPass, "", "", nil)
+	builder.AddIngress(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, nil, nil,
+		nil, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+	// deny ingress traffic except from own namespace, which is delegated to Namespace owners (who can create K8s
+	// NetworkPolicies to regulate intra-Namespace traffic)
+	reachability := NewReachability(allPods, Dropped)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod1"), getNS("prod2"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod1"), getNS("prod2"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("prod2"), getNS("prod1"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("prod2"), getNS("prod1"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev1"), getNS("dev2"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev1"), getNS("dev2"), Connected)
+	reachability.ExpectNamespaceIngressFromNamespace(getNS("dev2"), getNS("dev1"), Connected)
+	reachability.ExpectNamespaceEgressToNamespace(getNS("dev2"), getNS("dev1"), Connected)
+	reachability.ExpectAllSelfNamespace(Connected)
+	reachability.ExpectSelfNamespace(getNS("no-tier"), Dropped)
+	reachability.ExpectSelf(allPods, Connected)
+
+	testStep1 := &TestStep{
+		"Namespace isolation by label, Port 80",
+		reachability,
+		[]metav1.Object{builder.Get()},
+		[]int32{80},
+		ProtocolTCP,
+		0,
+		nil,
+	}
+	testCase := []*TestCase{
+		{"ACNP strict Namespace isolation by Namespace purpose and tier labels", []*TestStep{testStep1}},
 	}
 	executeTests(t, testCase)
 }
@@ -4343,6 +4386,24 @@ func TestAntreaPolicy(t *testing.T) {
 	k8sUtils.Cleanup(namespaces)
 }
 
+func TestAntreaPolicyExtendedNamespaces(t *testing.T) {
+	skipIfHasWindowsNodes(t)
+	skipIfAntreaPolicyDisabled(t)
+
+	data, err := setupTest(t)
+	if err != nil {
+		t.Fatalf("Error when setting up test: %v", err)
+	}
+	defer teardownTest(t, data)
+
+	initialize(t, data, formFactorLarge)
+
+	t.Run("TestGroupACNPNamespaceLabelSelections", func(t *testing.T) {
+		t.Run("Case=ACNPStrictNamespacesIsolationByLabel", func(t *testing.T) { testACNPStrictNamespacesIsolationByLabel(t) })
+	})
+	k8sUtils.Cleanup(namespaces)
+}
+
 func TestAntreaPolicyStatus(t *testing.T) {
 	skipIfHasWindowsNodes(t)
 	skipIfAntreaPolicyDisabled(t)

diff --git a/test/e2e/reachability.go b/test/e2e/reachability.go
@@ -312,6 +312,26 @@ func (r *Reachability) ExpectEgressToNamespace(pod Pod, namespace string, connec
 	}
 }
 
+func (r *Reachability) ExpectNamespaceIngressFromNamespace(dstNamespace, srcNamespace string, connectivity PodConnectivityMark) {
+	dstPods, ok := r.PodsByNamespace[dstNamespace]
+	if !ok {
+		panic(fmt.Errorf("destination Namespace %s is not found", dstNamespace))
+	}
+	for _, p := range dstPods {
+		r.ExpectIngressFromNamespace(p, srcNamespace, connectivity)
+	}
+}
+
+func (r *Reachability) ExpectNamespaceEgressToNamespace(srcNamespace, dstNamespace string, connectivity PodConnectivityMark) {
+	srcPods, ok := r.PodsByNamespace[srcNamespace]
+	if !ok {
+		panic(fmt.Errorf("src Namespace %s is not found", srcNamespace))
+	}
+	for _, p := range srcPods {
+		r.ExpectEgressToNamespace(p, dstNamespace, connectivity)
+	}
+}
+
 func (r *Reachability) Observe(pod1 Pod, pod2 Pod, connectivity PodConnectivityMark) {
 	r.Observed.Set(string(pod1), string(pod2), connectivity)
 }