diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 2a993b12649..c417de247eb 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -700,6 +700,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: @@ -827,6 +832,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 4a0ec57539f..c8e7d205879 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -700,6 +700,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: @@ -827,6 +832,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 91b18d0e2c0..417534a8a89 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -700,6 +700,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: @@ -827,6 +832,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 1b487ca0e61..6c36af82e58 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -700,6 +700,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: @@ -827,6 +832,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 30cefeff29a..c9d2f5c5eb7 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -700,6 +700,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: @@ -827,6 +832,11 @@ spec: matchLabels: x-kubernetes-preserve-unknown-fields: true type: object + namespaces: + properties: + match: + type: string + type: object podSelector: properties: matchExpressions: diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index eb69823bc1f..fa9eca30fb3 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml @@ -656,6 +656,11 @@ spec: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string ipBlock: type: object properties: @@ -795,6 +800,11 @@ spec: type: string matchLabels: x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + type: string ipBlock: type: object properties: diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go index a33f98e63fa..5e5a89c3a5d 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go 
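Review bot: The new `namespaces.match` property in both hunks of build/yamls/base/crds.yml is an unconstrained string, so the API server admits any value and rejecting a typo is left to the controller or a webhook. The controller code on this page only refers to the constant `crdv1alpha1.NamespaceMatchSelf`, so the schema could pin the accepted values with an enum under the property, e.g. `match:` / `  type: string` / `  enum:` followed by the values the controller actually accepts, so that invalid specs are rejected at admission time rather than silently producing no peer. The generated antrea-*.yml manifests earlier in the diff would pick this up on regeneration.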
@@ -26,6 +26,7 @@ import ( crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" + utilsets "antrea.io/antrea/pkg/util/sets" ) // addCNP receives ClusterNetworkPolicy ADD events and creates resources @@ -135,9 +136,7 @@ func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels } for _, np := range nps { internalNP := np.(*antreatypes.NetworkPolicy) - //klog.Infof("NP %v has perNSSel", internalNP.SourceRef.Name) for _, sel := range internalNP.PerNamespaceSelectors { - //klog.Infof("Evaluating selector %v", sel) if sel.Matches(nsLabels) { affectedPolicies.Insert(internalNP.SourceRef.Name) break 
@@ -171,21 +170,10 @@ func (n *NetworkPolicyController) updateNamespace(oldObj, curObj interface{}) { oldNamespace, curNamespace := oldObj.(*v1.Namespace), curObj.(*v1.Namespace) klog.V(2).Infof("Processing Namespace %s UPDATE event, labels: %v", curNamespace.Name, curNamespace.Labels) oldLabelSet, curLabelSet := labels.Set(oldNamespace.Labels), labels.Set(curNamespace.Labels) - addedLabels, removedLabels := labels.Set{}, labels.Set{} - for k, v := range oldLabelSet { - if !curLabelSet.Has(k) || curLabelSet.Get(k) != v { - removedLabels[k] = v - } - } - for k, v := range curLabelSet { - if !oldLabelSet.Has(k) || oldLabelSet.Get(k) != v { - addedLabels[k] = v - } - } - affectedACNPsByLabelRemoval := n.filterPerNamespaceRuleACNPsByNSLabels(removedLabels) - affectedACNPsByLabelAdd := n.filterPerNamespaceRuleACNPsByNSLabels(addedLabels) - policiesToSync := affectedACNPsByLabelAdd.Union(affectedACNPsByLabelRemoval) - for _, cnpName := range policiesToSync.List() { + affectedACNPsByOldLabels := n.filterPerNamespaceRuleACNPsByNSLabels(oldLabelSet) + affectedACNPsByCurLabels := n.filterPerNamespaceRuleACNPsByNSLabels(curLabelSet) + affectedACNPs := utilsets.SymmetricDifference(affectedACNPsByOldLabels, affectedACNPsByCurLabels) + for _, cnpName := range affectedACNPs.List() { cnp, err := n.cnpLister.Get(cnpName) if err != nil { klog.Errorf("Error getting Antrea ClusterNetworkPolicy %s", cnpName) 
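Review bot: The symmetric difference at `affectedACNPs := utilsets.SymmetricDifference(affectedACNPsByOldLabels, affectedACNPsByCurLabels)` is computed per policy, but filterPerNamespaceRuleACNPsByNSLabels (earlier hunk) inserts a policy name as soon as any one of its PerNamespaceSelectors matches, so a policy with several selectors where the old labels match one selector and the current labels match a different one lands in both sets and is never resynced, even though the Namespace's appliedTo group for that policy changes. The removed added/removed-label comparison had its own problems with multi-requirement selectors, so the new shape is better; it just needs the comparison at selector granularity. One way is to let the filter take both label sets and insert the policy when `sel.Matches(oldLabelSet) != sel.Matches(curLabelSet)` for any selector, which also makes the symmetric difference unnecessary. updateNamespace continues past the end of the hunk.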
@@ -248,6 +236,22 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C // to re-calculate affected Namespaces. var affectedNamespaceSelectors []labels.Selector + // If appliedTo is set at spec level and the ACNP has per-namespace rules, then each appliedTo needs + // to be split into appliedToGroups for each of its affected Namespace. + var clusterAppliedToAffectedNS []string + var atgForNamespace []string + if hasPerNamespaceRule && len(cnp.Spec.AppliedTo) > 0 { + for _, at := range cnp.Spec.AppliedTo { + affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at) + affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...) + for _, ns := range affectedNS { + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atgNamesSet.Insert(atg) + clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, ns) + atgForNamespace = append(atgForNamespace, atg) + } + } + } var rules []controlplane.NetworkPolicyRule processRules := func(cnpRules []crdv1alpha1.Rule, direction controlplane.Direction) { for idx, cnpRule := range cnpRules { 
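Review bot: `clusterAppliedToAffectedNS` and `atgForNamespace` are parallel slices that are only meaningful when indexed together (see the `for i := range clusterAppliedToAffectedNS` loop in the next hunk), and nothing in the type prevents a later change from appending to one without the other. A single slice of a small pair type keeps the invariant in the type, e.g. `type nsAppliedTo struct{ namespace, atg string }` and `clusterAppliedTo = append(clusterAppliedTo, nsAppliedTo{namespace: ns, atg: atg})`. The comment above the block could also say why the groups are built up front: every rule with per-namespace peers reuses the same appliedTo groups instead of recreating them per rule, as the removed code did. processClusterNetworkPolicy starts before and ends after this hunk.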
@@ -282,18 +286,23 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C addRule(n.toAntreaPeerForCRD(clusterPeers, cnp, direction, namedPortExists), direction, ruleATGNames) } if len(perNSPeers) > 0 { - ruleAppliedTos := cnp.Spec.AppliedTo - if len(cnpRule.AppliedTo) > 0 { - ruleAppliedTos = cnpRule.AppliedTo - } - for _, at := range ruleAppliedTos { - affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at) - affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...) - for _, ns := range affectedNS { - atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) - atgNamesSet.Insert(atg) - klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for %s", atg, cnp.Name) - addRule(n.toNamespacedPeerForCRD(perNSPeers, ns), direction, []string{atg}) + if len(cnp.Spec.AppliedTo) > 0 { + // Create a rule for each affected Namespace of appliedTo at spec level + for i := range clusterAppliedToAffectedNS { + klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", clusterAppliedToAffectedNS[i], idx, cnp.Name) + addRule(n.toNamespacedPeerForCRD(perNSPeers, clusterAppliedToAffectedNS[i]), direction, []string{atgForNamespace[i]}) + } + } else { + // Create a rule for each affected Namespace of appliedTo at rule level + for _, at := range cnpRule.AppliedTo { + affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at) + affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...) + for _, ns := range affectedNS { + atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector) + atgNamesSet.Insert(atg) + klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name) + addRule(n.toNamespacedPeerForCRD(perNSPeers, ns), direction, []string{atg}) + } } } } 
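Review bot: The precedence between spec-level and rule-level appliedTo changes in this hunk: the removed code used `cnpRule.AppliedTo` whenever it was non-empty, while the new `if len(cnp.Spec.AppliedTo) > 0` branch always uses the spec-level groups and silently ignores `cnpRule.AppliedTo` when both are set. The e2e test testLegacyInvalidACNPSpecAppliedToRuleAppliedToSet further down suggests validation rejects that combination, so this is presumably unreachable, but since it decides which workloads a rule is enforced on the code should say so, e.g. `// Validation rejects specs that set both spec.appliedTo and rule.appliedTo, so spec-level appliedTo takes precedence here.` — or keep the old precedence so a validation gap cannot change the enforcement scope. processClusterNetworkPolicy continues outside the hunk.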
@@ -308,7 +317,6 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C n.processClusterAppliedTo(cnp.Spec.AppliedTo, atgNamesSet) } tierPriority := n.getTierPriority(cnp.Spec.Tier) - klog.Infof("Before uniqueness compute, selectors are %v", affectedNamespaceSelectors) internalNetworkPolicy := &antreatypes.NetworkPolicy{ Name: internalNetworkPolicyKeyFunc(cnp), Generation: cnp.Generation, diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index c12e7dce143..9647f40a0ed 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -52,10 +52,13 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } allowAction := crdv1alpha1.RuleActionAllow + dropAction := crdv1alpha1.RuleActionDrop protocolTCP := controlplane.ProtocolTCP selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} + labelSelectorA, _ := metav1.LabelSelectorAsSelector(&selectorA) + labelSelectorB, _ := metav1.LabelSelectorAsSelector(&selectorB) cgA := crdv1alpha3.ClusterGroup{ ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"}, Spec: crdv1alpha3.GroupSpec{ 
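Review bot: `labelSelectorA, _ := metav1.LabelSelectorAsSelector(&selectorA)` and the matching B line discard the conversion error, so a malformed selector would leave a nil selector in the expected PerNamespaceSelectors and the new cnpJ case would fail with a confusing diff instead of at the point of the mistake. Check the error in the setup, e.g. `labelSelectorA, err := metav1.LabelSelectorAsSelector(&selectorA)` followed by `assert.NoError(t, err)` (the assert package is already used further down in this test). TestProcessClusterNetworkPolicy starts before this hunk and continues past it.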
@@ -669,38 +672,38 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, { name: "with-per-namespace-rule", - inputPolicy: &secv1alpha1.ClusterNetworkPolicy{ + inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Name: "cnpI", UID: "uidI"}, - Spec: secv1alpha1.ClusterNetworkPolicySpec{ - AppliedTo: []secv1alpha1.NetworkPolicyPeer{ + Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1alpha1.NetworkPolicyPeer{ { NamespaceSelector: &metav1.LabelSelector{}, }, }, Priority: p10, - Ingress: []secv1alpha1.Rule{ + Ingress: []crdv1alpha1.Rule{ { - Ports: []secv1alpha1.NetworkPolicyPort{ + Ports: []crdv1alpha1.NetworkPolicyPort{ { Port: &int80, }, }, - From: []secv1alpha1.NetworkPolicyPeer{ + From: []crdv1alpha1.NetworkPolicyPeer{ { - Namespaces: &secv1alpha1.PeerNamespaces{ - Self: true, + Namespaces: &crdv1alpha1.PeerNamespaces{ + Match: crdv1alpha1.NamespaceMatchSelf, }, }, }, Action: &allowAction, }, { - Ports: []secv1alpha1.NetworkPolicyPort{ + Ports: []crdv1alpha1.NetworkPolicyPort{ { Port: &int81, }, }, - From: []secv1alpha1.NetworkPolicyPeer{ + From: []crdv1alpha1.NetworkPolicyPeer{ { NamespaceSelector: &selectorA, }, @@ -769,8 +772,8 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, AppliedToGroups: []string{ getNormalizedUID(toGroupSelector("nsA", nil, nil, nil).NormalizedName), - getNormalizedUID(toGroupSelector("", nil, &metav1.LabelSelector{}, nil).NormalizedName), getNormalizedUID(toGroupSelector("nsB", nil, nil, nil).NormalizedName), + getNormalizedUID(toGroupSelector("", nil, &metav1.LabelSelector{}, nil).NormalizedName), }, AppliedToPerRule: true, PerNamespaceSelectors: []labels.Selector{labels.Everything()}, 
@@ -778,6 +781,110 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { expectedAppliedToGroups: 3, expectedAddressGroups: 3, }, + { + name: "with-per-namespace-rule-applied-to-per-rule", + inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Name: "cnpJ", UID: "uidJ"}, + Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + Priority: p10, + Ingress: []crdv1alpha1.Rule{ + { + AppliedTo: []crdv1alpha1.NetworkPolicyPeer{ + { + NamespaceSelector: &selectorA, + PodSelector: &selectorA, + }, + }, + Ports: []crdv1alpha1.NetworkPolicyPort{ + { + Port: &int80, + }, + }, + From: []crdv1alpha1.NetworkPolicyPeer{ + { + Namespaces: &crdv1alpha1.PeerNamespaces{ + Match: crdv1alpha1.NamespaceMatchSelf, + }, + PodSelector: &selectorA, + }, + }, + Action: &dropAction, + }, + { + AppliedTo: []crdv1alpha1.NetworkPolicyPeer{ + { + NamespaceSelector: &selectorB, + }, + }, + Ports: []crdv1alpha1.NetworkPolicyPort{ + { + Port: &int81, + }, + }, + From: []crdv1alpha1.NetworkPolicyPeer{ + { + Namespaces: &crdv1alpha1.PeerNamespaces{ + Match: crdv1alpha1.NamespaceMatchSelf, + }, + }, + }, + Action: &dropAction, + }, + }, + }, + }, + expectedPolicy: &antreatypes.NetworkPolicy{ + UID: "uidJ", + Name: "uidJ", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpJ", + UID: "uidJ", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &selectorA, nil, nil).NormalizedName)}, + 
From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("nsA", &selectorA, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: &protocolTCP, + Port: &int80, + }, + }, + Priority: 0, + Action: &dropAction, + }, + { + Direction: controlplane.DirectionIn, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsB", nil, nil, nil).NormalizedName)}, + From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("nsB", nil, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: &protocolTCP, + Port: &int81, + }, + }, + Priority: 1, + Action: &dropAction, + }, + }, + AppliedToGroups: []string{ + getNormalizedUID(toGroupSelector("nsA", &selectorA, nil, nil).NormalizedName), + getNormalizedUID(toGroupSelector("nsB", nil, nil, nil).NormalizedName), + }, + AppliedToPerRule: true, + PerNamespaceSelectors: []labels.Selector{labelSelectorA, labelSelectorB}, + }, + expectedAppliedToGroups: 2, + expectedAddressGroups: 2, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
@@ -794,10 +901,10 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name) assert.Equal(t, tt.expectedPolicy.SourceRef, actualPolicy.SourceRef) assert.Equal(t, tt.expectedPolicy.Priority, actualPolicy.Priority) - assert.Equal(t, tt.expectedPolicy.Rules, actualPolicy.Rules) assert.Equal(t, tt.expectedPolicy.TierPriority, actualPolicy.TierPriority) assert.Equal(t, tt.expectedPolicy.AppliedToPerRule, actualPolicy.AppliedToPerRule) - assert.Equal(t, tt.expectedPolicy.PerNamespaceSelectors, actualPolicy.PerNamespaceSelectors) + assert.ElementsMatch(t, tt.expectedPolicy.Rules, actualPolicy.Rules) + assert.ElementsMatch(t, tt.expectedPolicy.PerNamespaceSelectors, actualPolicy.PerNamespaceSelectors) assert.ElementsMatch(t, tt.expectedPolicy.AppliedToGroups, actualPolicy.AppliedToGroups) assert.Equal(t, tt.expectedAppliedToGroups, len(c.appliedToGroupStore.List())) }) diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 23088ecffe6..6c4496fe5ae 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go 
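Review bot: Changing the Rules comparison from `assert.Equal` to `assert.ElementsMatch` drops the ordering check without saying why that is acceptable; the per-namespace rules appear to be emitted in the iteration order of the affected Namespaces, which is presumably not stable, and each expected rule carries its own Priority so relative order is still pinned. A one-line comment would save the next reader from wondering whether rule order stopped mattering, e.g. `// Per-namespace rules are emitted in Namespace iteration order, which is not deterministic; Priority pins the relative order.`. TestProcessClusterNetworkPolicy starts before this hunk.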
@@ -119,9 +119,9 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol return &controlplane.NetworkPolicyPeer{AddressGroups: addressGroups, IPBlocks: ipBlocks} } -// toAntreaPeerForCRD creates a Antrea controlplane NetworkPolicyPeer for crdv1alpha1 NetworkPolicyPeer +// toAntreaPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1alpha1 NetworkPolicyPeer // for a particular Namespace. It is used when a single crdv1alpha1 NetworkPolicyPeer maps to multiple -// controlplane NetworkPolicyPeers because the appliedTo workloads resides in different Namespaces. +// controlplane NetworkPolicyPeers because the appliedTo workloads reside in different Namespaces. func (n *NetworkPolicyController) toNamespacedPeerForCRD(peers []v1alpha1.NetworkPolicyPeer, namespace string) *controlplane.NetworkPolicyPeer { var addressGroups []string for _, peer := range peers { diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go index c86efe7724a..f468e87aa02 100644 --- a/pkg/controller/types/networkpolicy.go +++ b/pkg/controller/types/networkpolicy.go @@ -99,8 +99,8 @@ type NetworkPolicy struct { AppliedToPerRule bool // PerNamespaceSelectors maintains a list of unique Namespace selectors of appliedTo groups // of the NetworkPolicy, for which a per-namespace rule is created. - // It is used as an index so that namespace updates can trigger corresponding rules - // to re-calculate affected namespaces. - // This can be non-empty only for NetworkPolicy created for Antrea ClusterNetworkPolicy. + // It is used as an index so that Namespace updates can trigger corresponding rules + // to re-calculate affected Namespaces. + // It is set only for AntreaClusterNetworkPolicies with per-namespace rules. PerNamespaceSelectors []labels.Selector } diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go index 70026effe5b..ce56eed2cde 100644 --- a/test/e2e/antreapolicy_test.go 
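Review bot: The doc comment edited here still names the wrong function: it reads `// toAntreaPeerForCRD creates an Antrea controlplane NetworkPolicyPeer ...` but sits above `toNamespacedPeerForCRD`, and Go doc comments start with the name of the declaration they describe. Since the commit already touches the sentence, change the first line to `// toNamespacedPeerForCRD creates an Antrea controlplane NetworkPolicyPeer for crdv1alpha1 NetworkPolicyPeer`. The body of toNamespacedPeerForCRD continues past the end of the hunk.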
+++ b/test/e2e/antreapolicy_test.go @@ -44,13 +44,13 @@ import ( // common for all tests. var ( - allPods []Pod - podsByNamespace map[string][]Pod - k8sUtils *KubernetesUtils - allTestList []*TestCase - pods, namespaces []string - podIPs map[string][]string - p80, p81, p5000, p8080, p8081, p8082, p8085 int32 + allPods []Pod + podsByNamespace map[string][]Pod + k8sUtils *KubernetesUtils + allTestList []*TestCase + pods, namespaces []string + podIPs map[string][]string + p80, p81, p8080, p8081, p8082, p8085 int32 ) const ( @@ -493,21 +493,19 @@ func testInvalidACNPIngressPeerCGSetWithIPBlock(t *testing.T) { } func testInvalidACNPIngressPeerNamespacesSetWithNSSelector(t *testing.T) { - nsSelector := metav1.LabelSelector{MatchLabels: map[string]string{"ns": "x"}} invalidNpErr := fmt.Errorf("invalid Antrea ClusterNetworkPolicy with namespaces and namespaceSelector in NetworkPolicyPeer set") builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("acnp-ingress-namespaces-nsselector-set"). SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "x"}, - nil, nil, true, secv1alpha1.RuleActionAllow, "", "", nil) + nil, nil, true, nil, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { // Above creation of ACNP must fail as it is an invalid spec. failOnError(invalidNpErr, t) } - failOnError(k8sUtils.CleanCGs(), t) } func testInvalidANPNoPriority(t *testing.T) { 
@@ -916,7 +914,7 @@ func testACNPNoEffectOnOtherProtocols(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "") reachability1 := NewReachability(allPods, Connected) reachability1.Expect(Pod("z/a"), Pod("x/a"), Dropped) @@ -1344,9 +1342,9 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) { }, }) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, - nil, nil, nil, crdv1alpha1.RuleActionDrop, cgv1a3Name, "") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgv1a3Name, "") builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, - nil, nil, nil, crdv1alpha1.RuleActionDrop, cgv1a2Name, "") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgv1a2Name, "") reachability := NewReachability(allPods, Connected) reachability.Expect(Pod("x/a"), Pod("y/a"), Dropped) @@ -1385,7 +1383,7 @@ func testBaselineNamespaceIsolation(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, - nil, &[]metav1.LabelSelectorRequirement{nsExpOtherThanX}, false, + nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX}, false, nil, crdv1alpha1.RuleActionDrop, "", "") // create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace, 
@@ -1446,7 +1444,7 @@ func testACNPPriorityOverride(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}}) // Medium priority. Allows traffic from z to x/a. builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, nil, false, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") builder3 := &ClusterNetworkPolicySpecBuilder{} builder3 = builder3.SetName("acnp-priority3"). @@ -2105,7 +2103,7 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData) builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("cnp-cg-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cg1Name}}) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, - nil, false, crdv1alpha1.RuleActionDrop, cg2Name, "") + false, nil, crdv1alpha1.RuleActionDrop, cg2Name, "") // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace y. reachability := NewReachability(allPods, Connected) @@ -2196,7 +2194,7 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) { builder = builder.SetName("cnp-nested-cg").SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "z"}}}). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, - nil, crdv1alpha1.RuleActionDrop, cgNestedName, "") + false, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "") // Pods in Namespace z should not allow ingress from Pods backing svc1 (label pod=a) in Namespace x. reachability := NewReachability(allPods, Connected) 
@@ -2266,9 +2264,9 @@ func testACNPNamespaceIsolation(t *testing.T, data *TestData) { SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{}}}) // deny ingress traffic except from own namespace builder.AddIngress(v1.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, - true, nil, secv1alpha1.RuleActionAllow, "", "") + true, nil, crdv1alpha1.RuleActionAllow, "", "") builder.AddIngress(v1.ProtocolTCP, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, nil, secv1alpha1.RuleActionDrop, "", "") + false, nil, crdv1alpha1.RuleActionDrop, "", "") reachability := NewReachability(allPods, Dropped) reachability.ExpectAllSelfNamespace(Connected) @@ -2289,9 +2287,9 @@ func testACNPNamespaceIsolation(t *testing.T, data *TestData) { SetPriority(1.0) //SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}) builder2.AddEgress(v1.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, - true, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}, secv1alpha1.RuleActionAllow, "", "") + true, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}, crdv1alpha1.RuleActionAllow, "", "") builder2.AddEgress(v1.ProtocolTCP, nil, nil, nil, nil, nil, map[string]string{}, nil, nil, - false, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}, secv1alpha1.RuleActionDrop, "", "") + false, []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}, crdv1alpha1.RuleActionDrop, "", "") reachability2 := NewReachability(allPods, Connected) reachability2.ExpectEgressToNamespace(Pod("x/a"), "y", Dropped) diff --git a/test/e2e/legacyantreapolicy_test.go b/test/e2e/legacyantreapolicy_test.go index b8607c13546..b107a089528 100644 --- a/test/e2e/legacyantreapolicy_test.go +++ b/test/e2e/legacyantreapolicy_test.go 
@@ -85,7 +85,7 @@ func testLegacyMutateACNPNoRuleName(t *testing.T) { SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}). SetPriority(10.0). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) acnp, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp) @@ -147,9 +147,9 @@ func testLegacyInvalidACNPRuleNameNotUnique(t *testing.T) { builder = builder.SetName("acnp-rule-name-not-unique"). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique"). + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "not-unique"). AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "not-unique") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -179,7 +179,7 @@ func testLegacyInvalidACNPPortRangePortUnset(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder.AddEgress(v1.ProtocolTCP, nil, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) 
@@ -196,7 +196,7 @@ func testLegacyInvalidACNPPortRangeEndPortSmall(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder.AddEgress(v1.ProtocolTCP, &p8082, nil, &p8081, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) @@ -216,7 +216,7 @@ func testLegacyInvalidACNPSpecAppliedToRuleAppliedToSet(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -234,9 +234,9 @@ func testLegacyInvalidACNPAppliedToNotSetInAllRules(t *testing.T) { builder = builder.SetName("acnp-appto-not-set-in-all-rules"). SetPriority(1.0) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "", ""). + nil, nil, false, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "", ""). AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { 
@@ -252,7 +252,7 @@ func testLegacyInvalidACNPAppliedToCGDoesNotExist(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{Group: "cgA"}}). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, nil, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -268,7 +268,7 @@ func testLegacyInvalidACNPCGDoesNotExist(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}). AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, nil, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "cgA", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "cgA", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -289,7 +289,7 @@ func testLegacyInvalidACNPIngressPeerCGSetWithPodSelector(t *testing.T) { builder = builder.SetName("acnp-ingress-group-podselector-set"). SetPriority(1.0) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, nil, - nil, nil, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "cgA", "") + nil, nil, false, []ACNPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, "cgA", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { 
@@ -309,7 +309,7 @@ func testLegacyInvalidACNPIngressPeerCGSetWithNSSelector(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}}) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "cgA", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "cgA", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -330,7 +330,7 @@ func testLegacyInvalidACNPIngressPeerCGSetWithIPBlock(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{Group: "cgA"}}) builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, &cidr, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, []ACNPAppliedToSpec{{Group: "cgB"}}, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, []ACNPAppliedToSpec{{Group: "cgB"}}, crdv1alpha1.RuleActionAllow, "", "") acnp := builder.GetLegacy() log.Debugf("creating ACNP %v", acnp.Name) if _, err := k8sUtils.CreateOrUpdateLegacyACNP(acnp); err == nil { @@ -524,7 +524,7 @@ func testLegacyACNPAllowXBtoA(t *testing.T) { SetPriority(1.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}) builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") reachability := NewReachability(allPods, Dropped) reachability.Expect(Pod("x/b"), Pod("x/a"), Connected) 
@@ -559,7 +559,7 @@ func testLegacyACNPAllowXBtoYA(t *testing.T) { SetPriority(2.0). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "y"}}}) builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") reachability := NewReachability(allPods, Dropped) reachability.Expect(Pod("x/b"), Pod("y/a"), Connected) @@ -592,14 +592,14 @@ func testLegacyACNPPriorityOverrideDefaultDeny(t *testing.T) { SetPriority(2). SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}}) builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "") builder2 := &ClusterNetworkPolicySpecBuilder{} builder2 = builder2.SetName("acnp-priority1"). SetPriority(1). SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}}) builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, - nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "") + nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "") // Ingress from ns:z to x/a will be dropped since acnp-priority1 has higher precedence. reachabilityBothACNP := NewReachability(allPods, Dropped) 
@@ -645,9 +645,9 @@ func testLegacyACNPAllowNoDefaultIsolation(t *testing.T, protocol v1.Protocol) {
 SetPriority(1.1).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 builder.AddIngress(protocol, &p81, nil, nil, nil, nil, map[string]string{"ns": "y"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 builder.AddEgress(protocol, &p81, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 reachability := NewReachability(allPods, Connected)
 testStep := []*TestStep{
@@ -684,7 +684,7 @@ func testLegacyACNPDropEgress(t *testing.T, protocol v1.Protocol) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(protocol, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -721,7 +721,7 @@ func testLegacyACNPNoEffectOnOtherProtocols(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability1 := NewReachability(allPods, Connected)
 reachability1.Expect(Pod("z/a"), Pod("x/a"), Dropped)
@@ -776,7 +776,7 @@ func testLegacyACNPAppliedToDenyXBtoCGWithYA(t *testing.T) {
 SetPriority(2.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
 builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -813,7 +813,7 @@ func testLegacyACNPIngressRuleDenyCGWithXBtoYA(t *testing.T) {
 SetPriority(2.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "y"}}})
 builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, nil, nil, nil,
- nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -847,7 +847,7 @@ func testLegacyACNPAppliedToRuleCGWithPodsAToNsZ(t *testing.T) {
 builder = builder.SetName("acnp-deny-cg-with-a-to-z").
 SetPriority(1.0)
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, []ACNPAppliedToSpec{{Group: cgName}}, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, []ACNPAppliedToSpec{{Group: cgName}}, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -888,7 +888,7 @@ func testLegacyACNPEgressRulePodsAToCGWithNsZ(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
- nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -932,7 +932,7 @@ func testLegacyACNPClusterGroupUpdateAppliedTo(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -995,7 +995,7 @@ func testLegacyACNPClusterGroupUpdate(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
- nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -1055,7 +1055,7 @@ func testLegacyACNPClusterGroupAppliedToPodAdd(t *testing.T, data *TestData) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cgName}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "j"}, map[string]string{"ns": "x"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
@@ -1100,7 +1100,7 @@ func testLegacyACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "k"}, NSSelector: map[string]string{"ns": "x"}}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
- nil, nil, nil, crdv1alpha1.RuleActionDrop, cgName, "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, cgName, "")
 cp := []*CustomProbe{
 {
 SourcePod: CustomPod{
@@ -1147,8 +1147,8 @@ func testLegacyBaselineNamespaceIsolation(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil,
- nil, &[]metav1.LabelSelectorRequirement{nsExpOtherThanX},
- nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, []metav1.LabelSelectorRequirement{nsExpOtherThanX},
+ false, nil, crdv1alpha1.RuleActionDrop, "", "")
 // create a K8s NetworkPolicy for Pods in namespace x to allow ingress traffic from Pods in the same namespace,
 // as well as from the y/a Pod. It should open up ingress from y/a since it's evaluated before the baseline tier.
@@ -1207,7 +1207,7 @@ func testLegacyACNPPriorityOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 // Highest priority. Drops traffic from z/b to x/a.
 builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 builder2 := &ClusterNetworkPolicySpecBuilder{}
 builder2 = builder2.SetName("acnp-priority2").
@@ -1215,7 +1215,7 @@ func testLegacyACNPPriorityOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 // Medium priority. Allows traffic from z to x/a.
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 builder3 := &ClusterNetworkPolicySpecBuilder{}
 builder3 = builder3.SetName("acnp-priority3").
@@ -1223,7 +1223,7 @@ func testLegacyACNPPriorityOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 // Lowest priority. Drops traffic from z to x.
 builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachabilityTwoACNPs := NewReachability(allPods, Connected)
 reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), Dropped)
@@ -1284,7 +1284,7 @@ func testLegacyACNPTierOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 // Highest priority. Drops traffic from z/b to x/a.
 builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 builder2 := &ClusterNetworkPolicySpecBuilder{}
 builder2 = builder2.SetName("acnp-tier-securityops").
@@ -1293,7 +1293,7 @@ func testLegacyACNPTierOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 // Medium priority tier. Allows traffic from z to x/a.
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 builder3 := &ClusterNetworkPolicySpecBuilder{}
 builder3 = builder3.SetName("acnp-tier-application").
@@ -1302,7 +1302,7 @@ func testLegacyACNPTierOverride(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 // Lowest priority tier. Drops traffic from z to x.
 builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachabilityTwoACNPs := NewReachability(allPods, Connected)
 reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), Dropped)
@@ -1370,7 +1370,7 @@ func testLegacyACNPCustomTiers(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 // Medium priority tier. Allows traffic from z to x/a.
 builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 time.Sleep(mockWait)
 builder2 := &ClusterNetworkPolicySpecBuilder{}
@@ -1380,7 +1380,7 @@ func testLegacyACNPCustomTiers(t *testing.T) {
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 // Lowest priority tier. Drops traffic from z to x.
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 reachabilityTwoACNPs := NewReachability(allPods, Connected)
 reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), Dropped)
@@ -1419,7 +1419,7 @@ func testLegacyACNPPriorityConflictingRule(t *testing.T) {
 SetPriority(1).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 builder2 := &ClusterNetworkPolicySpecBuilder{}
 builder2 = builder2.SetName("acnp-allow").
@@ -1428,7 +1428,7 @@ func testLegacyACNPPriorityConflictingRule(t *testing.T) {
 // The following ingress rule will take no effect as it is exactly the same as ingress rule of cnp-drop,
 // but cnp-allow has lower priority.
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 reachabilityBothACNP := NewReachability(allPods, Connected)
 reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/a"), Dropped)
@@ -1468,10 +1468,10 @@ func testLegacyACNPRulePrioirty(t *testing.T) {
 SetPriority(5).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "y"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 // This rule should take no effect as it will be overridden by the first rule of cnp-allow
 builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 builder2 := &ClusterNetworkPolicySpecBuilder{}
 // acnp-allow will also apply to all pods in namespace x
@@ -1479,10 +1479,10 @@ func testLegacyACNPRulePrioirty(t *testing.T) {
 SetPriority(5).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}}})
 builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 // This rule should take no effect as it will be overridden by the first rule of cnp-drop
 builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "y"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 // Only egress from pods in namespace x to namespace y should be denied
 reachabilityBothACNP := NewReachability(allPods, Connected)
@@ -1521,7 +1521,7 @@ func testLegacyACNPPortRange(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "acnp-port-range")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
@@ -1558,7 +1558,7 @@ func testLegacyACNPRejectEgress(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionReject, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("x/a"), Pod("z/a"), Rejected)
@@ -1595,7 +1595,7 @@ func testLegacyACNPRejectIngress(t *testing.T, protocol v1.Protocol) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 builder.AddIngress(protocol, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionReject, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionReject, "", "")
 reachability := NewReachability(allPods, Connected)
 reachability.Expect(Pod("z/a"), Pod("x/a"), Rejected)
@@ -1711,7 +1711,7 @@ func testLegacyAuditLoggingBasic(t *testing.T, data *TestData) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 builder.AddEgressLogging()
 _, err := k8sUtils.CreateOrUpdateLegacyACNP(builder.GetLegacy())
@@ -1789,9 +1789,9 @@ func testLegacyAppliedToPerRule(t *testing.T) {
 PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": "y"}, PodSelectorMatchExp: nil, NSSelectorMatchExp: nil}
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
- nil, nil, []ACNPAppliedToSpec{cnpATGrp1}, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, []ACNPAppliedToSpec{cnpATGrp1}, crdv1alpha1.RuleActionDrop, "", "")
 builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
- nil, nil, []ACNPAppliedToSpec{cnpATGrp2}, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, []ACNPAppliedToSpec{cnpATGrp2}, crdv1alpha1.RuleActionDrop, "", "")
 reachability2 := NewReachability(allPods, Connected)
 reachability2.Expect(Pod("x/b"), Pod("x/a"), Dropped)
@@ -1831,7 +1831,7 @@ func testLegacyACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *Tes
 builder := &ClusterNetworkPolicySpecBuilder{}
 builder = builder.SetName("cnp-cg-svc-ref").SetPriority(1.0).SetAppliedToGroup([]ACNPAppliedToSpec{{Group: cg1Name}})
 builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil,
- nil, crdv1alpha1.RuleActionDrop, cg2Name, "")
+ false, nil, crdv1alpha1.RuleActionDrop, cg2Name, "")
 // Pods backing svc1 (label pod=a) in Namespace x should not allow ingress from Pods backing svc2 (label pod=b) in Namespace y.
 reachability := NewReachability(allPods, Connected)
@@ -1884,7 +1884,7 @@ func testLegacyACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *Tes
 builderUpdated = builderUpdated.SetName("cnp-cg-svc-ref").SetPriority(1.0)
 builderUpdated.SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": "x"}}})
 builderUpdated.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "y"},
- nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "")
 // Pod x/a should not allow ingress from y/b per the updated ACNP spec.
 testStep3 := &TestStep{
@@ -1922,7 +1922,7 @@ func testLegacyACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestDat
 builder = builder.SetName("cnp-nested-cg").SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "z"}}}).
 AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil,
- nil, crdv1alpha1.RuleActionDrop, cgNestedName, "")
+ false, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "")
 // Pods in Namespace z should not allow ingress from Pods backing svc1 (label pod=a) in Namespace x.
 reachability := NewReachability(allPods, Connected)
@@ -2265,7 +2265,7 @@ func TestLegacyAntreaPolicyStatus(t *testing.T) {
 SetPriority(1.0).
 SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}})
 acnpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
- nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
+ nil, nil, false, nil, crdv1alpha1.RuleActionAllow, "", "")
 acnp := acnpBuilder.GetLegacy()
 log.Debugf("creating ACNP %v", acnp.Name)
 _, err = data.legacyCrdClient.SecurityV1alpha1().ClusterNetworkPolicies().Create(context.TODO(), acnp, metav1.CreateOptions{})
diff --git a/test/e2e/utils/cnpspecbuilder.go b/test/e2e/utils/cnpspecbuilder.go
index 063d4aa4470..4718d52dda7 100644
--- a/test/e2e/utils/cnpspecbuilder.go
+++ b/test/e2e/utils/cnpspecbuilder.go
@@ -123,7 +123,7 @@ func (b *ClusterNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[strin
 func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 port *int32, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string,
- podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, selfNS bool,
+ podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool,
 ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string) *ClusterNetworkPolicySpecBuilder {
 var pSel *metav1.LabelSelector
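Review bot: The new AddIngress signature has no doc comment, and after this change `podSelectorMatchExp` and `nsSelectorMatchExp` are the same plain slice type sitting next to the `selfNS` flag, so a call that swaps the two selectors or misplaces the new `false` still compiles and silently builds a peer for a different set of namespaces; the `nil, nil, false, nil` runs in the legacy test call sites above (the hunks from `@@ -309` through `@@ -2265`) show how little a reviewer can check by eye. A doc comment on AddIngress that lists the parameter order and states that nil means "no selector" while an empty non-nil map or slice yields an empty selector would make those call sites auditable; longer term an options struct for the peer selectors would make the intent explicit at each call. The body of AddIngress continues outside the hunk, and the same signature change is applied to AddEgress in the later `@@ -216` hunk.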
@@ -142,13 +142,10 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 MatchExpressions: podSelectorMatchExp,
 }
 }
- if nsSelector != nil || nsSelectorMatchExp != nil || selfNS == true {
- nSel = &secv1alpha1.PeerNamespaces{
- Self: selfNS,
- Selector: &metav1.LabelSelector{
- MatchLabels: nsSelector,
- MatchExpressions: nsSelectorMatchExp,
- },
+ if nsSelector != nil || nsSelectorMatchExp != nil {
+ nSel = &metav1.LabelSelector{
+ MatchLabels: nsSelector,
+ MatchExpressions: nsSelectorMatchExp,
 }
 }
 if selfNS == true {
@@ -166,7 +163,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group))
 }
 var policyPeer []crdv1alpha1.NetworkPolicyPeer
- if pSel != nil || nSel != nil || ipBlock != nil || ruleClusterGroup != "" {
+ if pSel != nil || nSel != nil || ns != nil || ipBlock != nil || ruleClusterGroup != "" {
 policyPeer = []crdv1alpha1.NetworkPolicyPeer{{
 PodSelector: pSel,
 NamespaceSelector: nSel,
@@ -201,7 +198,6 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 },
 }
 }
-
 newRule := crdv1alpha1.Rule{
 From: policyPeer,
 Ports: ports,
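Review bot: The guard `if nsSelector != nil || nsSelectorMatchExp != nil {` now distinguishes a nil slice from an empty non-nil one: with `nsSelectorMatchExp` changed from a pointer to a plain slice, an empty `[]metav1.LabelSelectorRequirement{}` (like an empty map) passes the guard and produces a `metav1.LabelSelector` with no terms, which selects every namespace, whereas nil leaves `NamespaceSelector` unset. If that is the intended way for a caller to say "all namespaces", a comment on the guard would stop the next maintainer from rewriting it as a `len(...) > 0` check and silently changing which peers the test policies select: `// nil means no namespace selector; an empty non-nil map/slice builds an empty selector, which matches all namespaces.` The retained `if selfNS == true {` also reads better as `if selfNS {`. AddIngress starts and ends outside this hunk.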
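Review bot: Adding `ns != nil` to the peer condition means a single peer can now carry both `NamespaceSelector: nSel` and the `ns` value when a caller passes a namespace selector together with `selfNS` set, and nothing in this hunk rejects the combination; where `ns` is assigned is outside the hunk, presumably in the `if selfNS == true {` block shown at the end of the previous one. If the API treats the two as mutually exclusive, a builder that silently emits both turns an admission or validation failure into what looks like a reachability failure in the e2e run. A short comment stating that the builder does not enforce exclusivity between the label selector and the self-namespace peer (or an explicit check for the combination) would make that behaviour deliberate rather than accidental.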
@@ -216,7 +212,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, port *int32, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string,
- podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, selfNS bool,
+ podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool,
 ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string) *ClusterNetworkPolicySpecBuilder {
 // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical