Add e2e test

Signed-off-by: Dyanngg <dingyang@vmware.com>
antrea-io · Mar 21, 2023 · 30205eb · 30205eb
1 parent d3eb0da
commit 30205eb
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 18 deletions.
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -574,6 +574,37 @@ func testACNPAllowXBtoA(t *testing.T) {
 	executeTests(t, testCase)
 }
 
+func testACNPSourcePort(t *testing.T) {
+	portStart, portEnd, err := k8sUtils.getTCPv4SourcePortRangeFromPod(namespaces["x"], "a")
+	failOnError(err, t)
+	builder := &ClusterNetworkPolicySpecBuilder{}
+	builder = builder.SetName("acnp-source-port").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngressForSrcPort(ProtocolTCP, &portStart, &portEnd, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]},
+		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", "", nil)
+
+	reachability := NewReachability(allPods, Connected)
+	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["x"]+"/a"), Dropped)
+	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
+	reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["z"]+"/a"), Dropped)
+	testStep := []*TestStep{
+		{
+			"Port 80",
+			reachability,
+			[]metav1.Object{builder.Get()},
+			[]int32{80},
+			ProtocolTCP,
+			0,
+			nil,
+		},
+	}
+	testCase := []*TestCase{
+		{"ACNP Drop X/B to A based on source port", testStep},
+	}
+	executeTests(t, testCase)
+}
+
 // testACNPAllowXBtoYA tests traffic from X/B to Y/A on named port 81, after applying the default deny
 // k8s NetworkPolicies in all namespaces and ACNP to allow X/B to Y/A.
 func testACNPAllowXBtoYA(t *testing.T) {
@@ -4306,6 +4337,7 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ACNPPriorityConflictingRule", func(t *testing.T) { testACNPPriorityConflictingRule(t) })
 		t.Run("Case=ACNPRulePriority", func(t *testing.T) { testACNPRulePriority(t) })
 		t.Run("Case=ANPPortRange", func(t *testing.T) { testANPPortRange(t) })
+		t.Run("Case=ACNPSourcePort", func(t *testing.T) { testACNPSourcePort(t) })
 		t.Run("Case=ANPBasic", func(t *testing.T) { testANPBasic(t) })
 		t.Run("Case=testANPMultipleAppliedToSingleRule", func(t *testing.T) { testANPMultipleAppliedTo(t, data, true) })
 		t.Run("Case=testANPMultipleAppliedToMultipleRules", func(t *testing.T) { testANPMultipleAppliedTo(t, data, false) })

diff --git a/test/e2e/k8s_util.go b/test/e2e/k8s_util.go
@@ -133,7 +133,7 @@ func (k *KubernetesUtils) LabelPod(ns, name, key, value string) (*v1.Pod, error)
 	return k.clientset.CoreV1().Pods(ns).Update(context.TODO(), pod, metav1.UpdateOptions{})
 }
 
-func (k *KubernetesUtils) getTCPv4SourcePortRangeFromPod(podNamespace, podNameLabel string) (int, int, error) {
+func (k *KubernetesUtils) getTCPv4SourcePortRangeFromPod(podNamespace, podNameLabel string) (int32, int32, error) {
 	pod, err := k.GetPodByLabel(podNamespace, podNameLabel)
 	if err != nil {
 		return 0, 0, err
@@ -153,14 +153,9 @@ func (k *KubernetesUtils) getTCPv4SourcePortRangeFromPod(podNamespace, podNameLa
 		log.Errorf("Failed to retrieve TCP source port range for Pod %s/%s", podNamespace, podNameLabel)
 		return 0, 0, err
 	}
-	log.Infof("The first splitted port is %s", ports[0])
-	log.Infof("The second splitted port is %s", ports[1])
-	startPort, _ := strconv.Atoi(ports[0])
-	endPort, err := strconv.Atoi(ports[1])
-	if err != nil {
-		log.Errorf("Err in converting endPort: %v", err)
-	}
-	return startPort, endPort, err
+	startPort, _ := strconv.ParseInt(ports[0], 0, 32)
+	endPort, _ := strconv.ParseInt(strings.TrimSuffix(ports[1], "\n"), 0, 32)
+	return int32(startPort), int32(endPort), nil
 }
 
 func (k *KubernetesUtils) probe(

diff --git a/test/e2e/utils/anp_spec_builder.go b/test/e2e/utils/anp_spec_builder.go
@@ -151,7 +151,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol,
 			Group:                  ruleGroup,
 		}}
 	}
-	ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress)
+	ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, icmpType, icmpCode, igmpType, groupAddress)
 	newRule := crdv1alpha1.Rule{
 		From:        policyPeer,
 		Ports:       ports,

diff --git a/test/e2e/utils/cnp_spec_builder.go b/test/e2e/utils/cnp_spec_builder.go
@@ -162,7 +162,77 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol
 			ServiceAccount:    serviceAccount,
 		}}
 	}
-	ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress)
+	ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, icmpType, icmpCode, igmpType, groupAddress)
+	newRule := crdv1alpha1.Rule{
+		From:      policyPeer,
+		Ports:     ports,
+		Protocols: protocols,
+		Action:    &action,
+		Name:      name,
+		AppliedTo: appliedTos,
+	}
+	b.Spec.Ingress = append(b.Spec.Ingress, newRule)
+	return b
+}
+
+// TODO: added new function to avoid merge conflicts. Unify this function with AddIngress when
+//
+//	all conflicting PRs are merged.
+func (b *ClusterNetworkPolicySpecBuilder) AddIngressForSrcPort(protoc AntreaPolicyProtocol,
+	srcPort *int32, endPort, icmpType, icmpCode, igmpType *int32,
+	groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string,
+	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, selfNS bool,
+	ruleAppliedToSpecs []ACNPAppliedToSpec, action crdv1alpha1.RuleAction, ruleClusterGroup, name string, serviceAccount *crdv1alpha1.NamespacedName) *ClusterNetworkPolicySpecBuilder {
+
+	var pSel *metav1.LabelSelector
+	var nSel *metav1.LabelSelector
+	var ns *crdv1alpha1.PeerNamespaces
+	var appliedTos []crdv1alpha1.AppliedTo
+	matchSelf := crdv1alpha1.NamespaceMatchSelf
+
+	if b.Spec.Ingress == nil {
+		b.Spec.Ingress = []crdv1alpha1.Rule{}
+	}
+
+	if podSelector != nil || podSelectorMatchExp != nil {
+		pSel = &metav1.LabelSelector{
+			MatchLabels:      podSelector,
+			MatchExpressions: podSelectorMatchExp,
+		}
+	}
+	if nsSelector != nil || nsSelectorMatchExp != nil {
+		nSel = &metav1.LabelSelector{
+			MatchLabels:      nsSelector,
+			MatchExpressions: nsSelectorMatchExp,
+		}
+	}
+	if selfNS == true {
+		ns = &crdv1alpha1.PeerNamespaces{
+			Match: matchSelf,
+		}
+	}
+	var ipBlock *crdv1alpha1.IPBlock
+	if cidr != nil {
+		ipBlock = &crdv1alpha1.IPBlock{
+			CIDR: *cidr,
+		}
+	}
+	for _, at := range ruleAppliedToSpecs {
+		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
+	}
+	// An empty From/To in ACNP rules evaluates to match all addresses.
+	policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0)
+	if pSel != nil || nSel != nil || ns != nil || ipBlock != nil || ruleClusterGroup != "" || serviceAccount != nil {
+		policyPeer = []crdv1alpha1.NetworkPolicyPeer{{
+			PodSelector:       pSel,
+			NamespaceSelector: nSel,
+			Namespaces:        ns,
+			IPBlock:           ipBlock,
+			Group:             ruleClusterGroup,
+			ServiceAccount:    serviceAccount,
+		}}
+	}
+	ports, protocols := GenPortsOrProtocols(protoc, nil, nil, nil, srcPort, endPort, icmpType, icmpCode, igmpType, groupAddress)
 	newRule := crdv1alpha1.Rule{
 		From:      policyPeer,
 		Ports:     ports,
@@ -232,7 +302,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddFQDNRule(fqdn string,
 		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.NSSelector, at.PodSelectorMatchExp, at.NSSelectorMatchExp, at.Group, at.Service))
 	}
 	policyPeer := []crdv1alpha1.NetworkPolicyPeer{{FQDN: fqdn}}
-	ports, _ := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, nil, nil)
+	ports, _ := GenPortsOrProtocols(protoc, port, portName, endPort, nil, nil, nil, nil, nil, nil)
 	newRule := crdv1alpha1.Rule{
 		To:        policyPeer,
 		Ports:     ports,

diff --git a/test/e2e/utils/helper.go b/test/e2e/utils/helper.go
@@ -46,7 +46,7 @@ func AntreaPolicyProtocolToK8sProtocol(antreaProtocol AntreaPolicyProtocol) (v1.
 	}
 }
 
-func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32, groupAddress *string) ([]crdv1alpha1.NetworkPolicyPort, []crdv1alpha1.NetworkPolicyProtocol) {
+func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *string, endPort, srcPort, srcEndPort, icmpType, icmpCode, igmpType *int32, groupAddress *string) ([]crdv1alpha1.NetworkPolicyPort, []crdv1alpha1.NetworkPolicyProtocol) {
 	if protoc == ProtocolICMP {
 		return nil, []crdv1alpha1.NetworkPolicyProtocol{
 			{
@@ -80,16 +80,18 @@ func GenPortsOrProtocols(protoc AntreaPolicyProtocol, port *int32, portName *str
 			},
 		}
 	}
-	if port != nil || endPort != nil {
+	if port != nil || endPort != nil || srcPort != nil || srcEndPort != nil {
 		var pVal *intstr.IntOrString
 		if port != nil {
 			pVal = &intstr.IntOrString{IntVal: *port}
 		}
 		ports = []crdv1alpha1.NetworkPolicyPort{
 			{
-				Port:     pVal,
-				EndPort:  endPort,
-				Protocol: &k8sProtocol,
+				Port:          pVal,
+				EndPort:       endPort,
+				SourcePort:    srcPort,
+				SourceEndPort: srcEndPort,
+				Protocol:      &k8sProtocol,
 			},
 		}
 	}

diff --git a/test/e2e/vmagent_test.go b/test/e2e/vmagent_test.go
@@ -487,7 +487,7 @@ func createANPWithFQDN(t *testing.T, data *TestData, name string, namespace stri
 	for fqdn, action := range fqdnSettings {
 		ruleName := fmt.Sprintf("name-%d", i)
 		policyPeer := []crdv1alpha1.NetworkPolicyPeer{{FQDN: fqdn}}
-		ports, _ := GenPortsOrProtocols(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil)
+		ports, _ := GenPortsOrProtocols(ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, nil)
 		newRule := crdv1alpha1.Rule{
 			To:     policyPeer,
 			Ports:  ports,