cnf-tests: MultiNetworkPolicy e2etests
Add e2esuite/multinetworkpolicy suite with basic test cases. Inspiration
has been taken from the official tests on NetworkPolicy
(see github.com/kubernetes/kubernetes package
test/e2e/network/netpol)

Add suite to unnamed import in test_suite_test.go to add to the
main suite.

Add the new scheme to test client.

Update k8sreporter to dump information about multinetworkpolicy
namespaces, pods and CRs.

Add validation suite to check if the feature has been deployed.

Signed-off-by: Andrea Panattoni <[email protected]>
zeeke committed May 18, 2022
1 parent 73c8559 commit 1996714
Showing 12 changed files with 1,236 additions and 7 deletions.
4 changes: 4 additions & 0 deletions cnf-tests/README.md
Expand Up @@ -545,6 +545,10 @@ DPDK relies on both `performance` and `SR-IOV` features, so the test suite both

The validation test for container-mount-namespace mode only checks that the appropriate MachineConfig objects are present and active, and has no additional impact on the node.

### Multi Networkpolicy

Multi Networkpolicy tests rely on `SR-IOV` feature and test if the policies can be applied to SR-IOV function interfaces.

### Cleaning Up

After running the test suite, all the dangling resources are cleaned up.
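Review bot: the new heading `### Multi Networkpolicy` spells the feature differently from the CRD and from every test name in this commit (`MultiNetworkPolicy`); use the CRD spelling so readers can grep for it. In the sentence under it, "SR-IOV function interfaces" is ambiguous; say "SR-IOV virtual function (VF) interfaces", and state that a policy applies to the secondary network named in its `k8s.v1.cni.cncf.io/policy-for` annotation (the helper added in this commit sets that annotation), since that is what distinguishes these policies from a plain NetworkPolicy.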
15 changes: 15 additions & 0 deletions cnf-tests/TESTLIST.md
Expand Up @@ -29,6 +29,7 @@ The validation tests are preliminary tests intended to verify that the instrumen
| validation general should have all the nodes in ready | Checks that all the nodes are in ready state |
| validation general should have one machine config pool with the requested label | Checks the existance of a machine config pool with the value passed in the ROLE_WORKER_CNF env variable (or the default worker-cnf). |
| validation general should report all machine config pools are in ready status | Checks that all the machine config pools are ready so the tests can be run. |
| validation multineworkpolicy should have MultiNetworkPolicy CRD available in the cluster | Check the existence of MultiNetworkPolicy Custome Resource Definition in the cluster. |
| validation n3000 should have a ready deployment for the OpenNESS Operator for Intel FPGA PAC N3000 (Programming) operator | Checks Intel FPGA PAC N3000 (Programming) deployment ready - n3000-controller-manager |
| validation n3000 should have all the required OpenNESS Operator for Intel FPGA PAC N3000 (Programming) operands | Checks the existence and quantity of each Intel FPGA PAC N3000 (Programming) daemonset |
| validation n3000 should have the n3000 CRDs available in the cluster | Checks the existence of the Intel FPGA PAC N3000 (Programming) CRDs used by the Intel FPGA PAC N3000 (Programming) operator. |
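Review bot: the new row's test name reads `validation multineworkpolicy ...` (missing the `t` in `multinetworkpolicy`) and the description says `Custome Resource Definition`. TESTLIST.md and `docgen/validation.json` are generated from the Ginkgo `Describe`/`It` strings, so fix the strings in the validation suite and regenerate rather than editing the table by hand; otherwise the misspelling becomes the stable identifier people pass to `-ginkgo.focus`.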
Expand Down Expand Up @@ -80,6 +81,20 @@ The cnf tests instrument each different feature required by CNF. Following, a de

| Test Name | Description |
| -- | ----------- |
| [sriov] MultiNetworkPolicy integration Egress ALLOW traffic to nsX_podA only from nsX_podB | Checks Egress rule to allow traffic between two pods. |
| [sriov] MultiNetworkPolicy integration Egress DENY all traffic from a pod | Checks Egress rule to deny all traffic from a pod. |
| [sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (namespace == nsY) | Checks Ingress rule for namespaces. |
| [sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (namespace IN {nsY, nsZ} AND pod IN {podB, podC}) | Check egress rule with complex matchExpression field. |
| [sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (nsY/* OR */podB) | Check Ingress rule with combined namespace and pod selectors. |
| [sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from nsX_podB | Checks Ingress rule to allow traffic between two pods. |
| [sriov] MultiNetworkPolicy integration Ingress DENY all traffic to a pod | DENY all traffic to a pod with an Ingress rule. |
| [sriov] MultiNetworkPolicy integration Ingress DENY all traffic to/from/in a namespace | DENY all traffic in a namespace with an Ingress rule. |
| [sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific UDP port from any pod | Verifies if a rule can allow traffic only to a specific UDP port from any pod. |
| [sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol TCP | Verifies if a rule can allow traffic only to a specific TCP port from a pod selection. |
| [sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol TCP+UDP | Verifies if a rule can allow traffic only to a specific TCP or UDP port from a pod selection. |
| [sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol UDP | Verifies if a rule can allow traffic only to a specific UDP port from a pod selection. |
| [sriov] MultiNetworkPolicy integration Stacked policies enforce multiple stacked policies with overlapping selector [nsX_podA <=> (nsY/* OR */podB)] | Verifies if multiple rules can be stacked to create complex conditions. |
| [sriov] MultiNetworkPolicy integration Stacked policies enforce multiple stacked policies with overlapping selector and different ports (*/podB ==> nsX/podA:5555 , */podC ==> nsX/podA:6666) | Verifies if multiple rules can be stacked to create complex conditions with protocol and ports. |
| [sriov] SCTP integration Test Connectivity Connectivity between client and server Should work over a SR-IOV device | SCTP connectivity test over SR-IOV vfs. |
| [sriov] VRF integration Integration: SRIOV, IPAM: static, Interfaces: 1, Scheme: 2 Pods 2 VRFs OCP Primary network overlap {"IPStack":"ipv4"} | Verifies that it's possible to configure within the same node 1 VRF that overlaps pod's network + 2 non overlapping VRF on top of SriovNetwork. Connectivity ICMP test. |
| [sriov] operator Custom SriovNetworkNodePolicy Configuration Create vfio-pci node policy Should be possible to create a vfio-pci resource | Verifies creating of vfio-pci resources |
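Review bot: the description for `Ingress ALLOW traffic to nsX_podA only from (namespace IN {nsY, nsZ} AND pod IN {podB, podC})` says "Check egress rule with complex matchExpression field", but the test name is an Ingress case; it should read "Checks Ingress rule with a matchExpressions selector". This row is generated into `docgen/e2e.json` as well, so correct the `It` string in the test code. The `DENY` rows also only restate the title ("DENY all traffic to a pod with an Ingress rule") without saying which peer or direction is probed and expected to fail; naming the probe makes the table usable for triage when a deny test regresses.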
16 changes: 15 additions & 1 deletion cnf-tests/docgen/e2e.json
@@ -1,4 +1,18 @@
{
"[sriov] MultiNetworkPolicy integration Egress ALLOW traffic to nsX_podA only from nsX_podB": "Checks Egress rule to allow traffic between two pods.",
"[sriov] MultiNetworkPolicy integration Egress DENY all traffic from a pod": "Checks Egress rule to deny all traffic from a pod.",
"[sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (namespace == nsY)": "Checks Ingress rule for namespaces.",
"[sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (namespace IN {nsY, nsZ} AND pod IN {podB, podC})": "Check egress rule with complex matchExpression field.",
"[sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from (nsY/* OR */podB)": "Check Ingress rule with combined namespace and pod selectors.",
"[sriov] MultiNetworkPolicy integration Ingress ALLOW traffic to nsX_podA only from nsX_podB": "Checks Ingress rule to allow traffic between two pods.",
"[sriov] MultiNetworkPolicy integration Ingress DENY all traffic to a pod": "DENY all traffic to a pod with an Ingress rule.",
"[sriov] MultiNetworkPolicy integration Ingress DENY all traffic to/from/in a namespace": "DENY all traffic in a namespace with an Ingress rule.",
"[sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific UDP port from any pod": "Verifies if a rule can allow traffic only to a specific UDP port from any pod.",
"[sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol TCP": "Verifies if a rule can allow traffic only to a specific TCP port from a pod selection.",
"[sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol TCP+UDP": "Verifies if a rule can allow traffic only to a specific TCP or UDP port from a pod selection.",
"[sriov] MultiNetworkPolicy integration Ports/Protocol Allow access only to a specific port/protocol UDP": "Verifies if a rule can allow traffic only to a specific UDP port from a pod selection.",
"[sriov] MultiNetworkPolicy integration Stacked policies enforce multiple stacked policies with overlapping selector [nsX_podA \u003c=\u003e (nsY/* OR */podB)]": "Verifies if multiple rules can be stacked to create complex conditions.",
"[sriov] MultiNetworkPolicy integration Stacked policies enforce multiple stacked policies with overlapping selector and different ports (*/podB ==\u003e nsX/podA:5555 , */podC ==\u003e nsX/podA:6666)": "Verifies if multiple rules can be stacked to create complex conditions with protocol and ports.",
"[performance] Latency Test with the cyclictest image should succeed": "Run the cyclictest with parameters specified via environment variables and validated that the maximum latency between a thread's intended wake-up time and the time at which it actually wakes up is below the value specified under the CYCLICTEST_MAXIMUM_LATENCY environment variable",
"[performance] Latency Test with the hwlatdetect image should succeed": "Run the hwlatdetect with parameters specified via environment variables and validated that the maximum latency for the hardware-firmware is below the value specified under the HWLATDETECT_MAXIMUM_LATENCY environment variable",
"[performance] Latency Test with the oslat image should succeed": "Run the oslat with parameters specified via environment variables and validated that the maximum latency for isolated CPUs below the value specified under the OSLAT_MAXIMUM_LATENCY environment variable",
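Review bot: `"Check egress rule with complex matchExpression field."` is attached to an Ingress test key here too; since this JSON is the generated source for TESTLIST.md, fix the description in the test code and regenerate. The new descriptions also mix `Checks ...`, `Check ...`, `Verifies if ...` and bare `DENY ...`; the surrounding entries use third-person `Checks`/`Verifies`, so align the new ones with that form.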
Expand Down Expand Up @@ -183,4 +197,4 @@
"sro Build source out of tree driver for SRO using Should have the source driver image as imageStream": "Test a Source Container build as input for the SRO build recipe",
"xt_u32 Negative - xt_u32 disabled Should NOT create an iptable rule": "Negative test: when the xt_u32 module is not enabled, appling an iptables rule that utilize the module should fail.",
"xt_u32 Validate the module is enabled and works Should create an iptables rule inside a pod that has the module enabled": "Verifies that an iptables rule that utilize xt_u32 module can be applied successfully in a pod that has the module enabled."
}
}
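Review bot: the final hunk touches only the closing `}` of the file, with identical content on both sides, so this is a trailing-newline change; confirm docgen emits the final newline consistently so the file does not flip back on the next regeneration.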
1 change: 1 addition & 0 deletions cnf-tests/docgen/validation.json
Expand Up @@ -19,6 +19,7 @@
"validation general should have all the nodes in ready": "Checks that all the nodes are in ready state",
"validation general should have one machine config pool with the requested label": "Checks the existance of a machine config pool with the value passed in the ROLE_WORKER_CNF env variable (or the default worker-cnf).",
"validation general should report all machine config pools are in ready status": "Checks that all the machine config pools are ready so the tests can be run.",
"validation multineworkpolicy should have MultiNetworkPolicy CRD available in the cluster": "Check the existence of MultiNetworkPolicy Custome Resource Definition in the cluster.",
"validation n3000 should have a ready deployment for the OpenNESS Operator for Intel FPGA PAC N3000 (Programming) operator": "Checks Intel FPGA PAC N3000 (Programming) deployment ready - n3000-controller-manager",
"validation n3000 should have all the required OpenNESS Operator for Intel FPGA PAC N3000 (Programming) operands": "Checks the existence and quantity of each Intel FPGA PAC N3000 (Programming) daemonset",
"validation n3000 should have the n3000 CRDs available in the cluster": "Checks the existence of the Intel FPGA PAC N3000 (Programming) CRDs used by the Intel FPGA PAC N3000 (Programming) operator.",
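Review bot: the same `multineworkpolicy` and `Custome` typos as in TESTLIST.md appear in the generated key and value here; both come from the validation suite's `Describe`/`It` strings, so one fix there plus a regeneration covers both files.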
@@ -0,0 +1,85 @@
package multinetworkpolicy

import (
"context"

"github.com/onsi/gomega"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

multinetpolicyv1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
client "github.com/openshift-kni/cnf-features-deploy/cnf-tests/testsuites/pkg/client"
)

type MultiNetworkPolicyOpt func(*multinetpolicyv1.MultiNetworkPolicy)

func MakeMultiNetworkPolicy(targetNetwork string, opts ...MultiNetworkPolicyOpt) *multinetpolicyv1.MultiNetworkPolicy {
ret := multinetpolicyv1.MultiNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-multinetwork-policy-",
Annotations: map[string]string{
"k8s.v1.cni.cncf.io/policy-for": targetNetwork,
},
},
}

for _, opt := range opts {
opt(&ret)
}

return &ret
}

func WithPodSelector(podSelector metav1.LabelSelector) MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
pol.Spec.PodSelector = podSelector
}
}

func WithEmptyIngressRules() MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
pol.Spec.PolicyTypes = appendIfNotPresent(pol.Spec.PolicyTypes, multinetpolicyv1.PolicyTypeIngress)
pol.Spec.Ingress = []multinetpolicyv1.MultiNetworkPolicyIngressRule{}
}
}

func WithIngressRule(rule multinetpolicyv1.MultiNetworkPolicyIngressRule) MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
pol.Spec.PolicyTypes = appendIfNotPresent(pol.Spec.PolicyTypes, multinetpolicyv1.PolicyTypeIngress)
pol.Spec.Ingress = append(pol.Spec.Ingress, rule)
}
}

func WithEmptyEgressRules() MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
pol.Spec.PolicyTypes = appendIfNotPresent(pol.Spec.PolicyTypes, multinetpolicyv1.PolicyTypeEgress)
pol.Spec.Egress = []multinetpolicyv1.MultiNetworkPolicyEgressRule{}
}
}

func WithEgressRule(rule multinetpolicyv1.MultiNetworkPolicyEgressRule) MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
pol.Spec.PolicyTypes = appendIfNotPresent(pol.Spec.PolicyTypes, multinetpolicyv1.PolicyTypeEgress)
pol.Spec.Egress = append(pol.Spec.Egress, rule)
}
}

func CreateInNamespace(ns string) MultiNetworkPolicyOpt {
return func(pol *multinetpolicyv1.MultiNetworkPolicy) {
ret, err := client.Client.MultiNetworkPolicies(ns).
Create(context.Background(), pol, metav1.CreateOptions{})

gomega.Expect(err).ToNot(gomega.HaveOccurred())

ret.DeepCopyInto(pol)
}
}

func appendIfNotPresent(input []multinetpolicyv1.MultiPolicyType, newElement multinetpolicyv1.MultiPolicyType) []multinetpolicyv1.MultiPolicyType {
for _, e := range input {
if e == newElement {
return input
}
}

return append(input, newElement)
}
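Review bot: `CreateInNamespace` performs the API call inside the functional-option chain, so the result depends on option order: any `With...` option passed after it mutates only the local object and is never persisted, and `WithEmptyIngressRules`/`WithEmptyEgressRules` silently discard rules added by an earlier `WithIngressRule`/`WithEgressRule`. Either split creation out of the options (`pol := MakeMultiNetworkPolicy(...)` followed by a separate create helper) or document in a comment that `CreateInNamespace` must be the last option. None of the exported functions carry doc comments; in particular it is worth stating that an empty `Ingress`/`Egress` slice combined with the matching `PolicyTypes` entry is the deny-all form, which is the behaviour the DENY tests rely on, and that `appendIfNotPresent` exists so stacking several `With...Rule` options does not duplicate the policy type. Lastly, `gomega.Expect(err).ToNot(gomega.HaveOccurred())` inside a helper reports the failure at this file; `gomega.ExpectWithOffset(1, err)` keeps it attributed to the calling test.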
