Improve Antrea-native Policy CRD schema verification (#2125)

* Add namespaceSelector/podSelector validations in all CRD schema Improve Antrea-native Policy CRD schema verification * update the generate manifest YAMLs * add e2e test cases in antrea policy verify invalid labelSelector; * formalize e2e test case path of testInvalidACNPPodSelector; * verify e2e test;
antrea-io · May 6, 2021 · 64e017b · 64e017b
1 parent dbd2c1a
commit 64e017b
Show file tree

Hide file tree

Showing 8 changed files with 6,068 additions and 276 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,4 @@ bin
 
 .idea/
 .vscode/
+vendor
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -664,6 +664,36 @@ func testInvalidTierANPRefDelete(t *testing.T) {
 	failOnError(k8sUtils.DeleteTier(tr.Name), t)
 }
 
+// testInvalidACNPPodSelectorNsSelectorMatchExpressions testes creating a ClusterNetworkPolicy with invalid LabelSelector(MatchExpressions)
+func testInvalidACNPPodSelectorNsSelectorMatchExpressions(t *testing.T) {
+	invalidLSErr := fmt.Errorf("create Antrea NetworkPolicy with namespaceSelector but matchExpressions invalid")
+
+	allowAction := crdv1alpha1.RuleActionAllow
+	selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"env": "dummy"}}
+	nsSelectA := metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "env", Operator: "xxx", Values: []string{"xxxx"}}}}
+
+	var acnp = &crdv1alpha1.ClusterNetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: testNamespace, Name: "cnptest", Labels: map[string]string{"antrea-e2e": "cnp1"}},
+		Spec: crdv1alpha1.ClusterNetworkPolicySpec{
+			AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+				{PodSelector: &selectorA},
+				{NamespaceSelector: &nsSelectA},
+			},
+			Priority: 10,
+			Ingress: []crdv1alpha1.Rule{
+				{
+					Action: &allowAction,
+				},
+			},
+		},
+	}
+
+	if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil {
+		failOnError(invalidLSErr, t)
+	}
+}
+
 // testACNPAllowXBtoA tests traffic from X/B to pods with label A, after applying the default deny
 // k8s NetworkPolicies in all namespaces and ACNP to allow X/B to A.
 func testACNPAllowXBtoA(t *testing.T) {
@@ -2560,6 +2590,7 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ANPTierDoesNotExistDenied", func(t *testing.T) { testInvalidANPTierDoesNotExist(t) })
 		t.Run("Case=ANPPortRangePortUnsetDenied", func(t *testing.T) { testInvalidANPPortRangePortUnset(t) })
 		t.Run("Case=ANPPortRangePortEndPortSmallDenied", func(t *testing.T) { testInvalidANPPortRangeEndPortSmall(t) })
+		t.Run("Case=ACNPInvalidPodSelectorNsSelectorMatchExpressions", func(t *testing.T) { testInvalidACNPPodSelectorNsSelectorMatchExpressions(t) })
 	})
 
 	t.Run("TestGroupValidateTiers", func(t *testing.T) {