diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
index bc3ee856148..dba39773cbc 100644
--- a/docs/antrea-network-policy.md
+++ b/docs/antrea-network-policy.md
@@ -1115,9 +1115,11 @@ when used in the `from` field of an ingress rule, it adds the Node IPs to the ru
 Notice that when a rule with a nodeSelector applies to a Node, it only restricts the traffic to/from certain IPs of the Node. The IPs include:
-1.The Node IP(the IP addresses of nodeInterface);
-2.The Antrea gateway IP(the IP addresses of Antrea gatewayInterface);
-3.The transport IP(the IP addresses of transportInterface);
+
+1. The Node IP (the IP address in the Node API object)
+2. The Antrea gateway IP (the IP address of the interface antrea-agent will create and use for Node-to-Pod communication)
+3. The transport IP (the IP address of the interface used for tunneling or routing the traffic across Nodes) if it's different from Node IP
+
 Traffic to/from other interfaces of the Node will be ignored. For example, the following rule applies to Pods with label `app=antrea-test-app` and will `Drop` egress traffic to
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index fb4f6b3214a..5fb593d32c3 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1187,7 +1187,7 @@ func nodeToGroupMember(node *v1.Node) (member *controlplane.GroupMember) {
 member = &controlplane.GroupMember{Node: &controlplane.NodeReference{Name: node.Name}}
 ips, err := k8s.GetNodeAllAddrs(node)
 if err != nil {
- klog.ErrorS(err, "get Node IP addresses error", "Name", node.Name)
+ klog.ErrorS(err, "Error getting Node IP addresses", "Node", node.Name)
 }
 for ip := range ips {
 member.IPs = append(member.IPs, ipStrToIPAddress(ip))
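Review bot: The error from k8s.GetNodeAllAddrs in nodeToGroupMember is only logged and the function falls through to the `for ip := range ips` loop, so a Node whose addresses cannot be resolved is still returned as a group member with an empty IPs list — and a nodeSelector rule built from that member silently stops covering the Node, which for a Drop rule means the traffic it was meant to block is not restricted at all. The commit only rewords the log message. Consider signalling the failure to the caller instead of continuing, e.g. `klog.ErrorS(err, "Error getting Node IP addresses", "Node", node.Name); return nil` if callers already tolerate a nil member, or a comment stating that an IP-less member is intentional; which is right depends on code outside the hunk. nodeToGroupMember's body continues past the hunk.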
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
index a65746b3b81..2e088721f5e 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -3274,7 +3274,7 @@ func TestGetAddressGroupMemberSet(t *testing.T) {
 }
 }
-func TestAddNodeSelector(t *testing.T) {
+func TestAddressGroupWithNodeSelector(t *testing.T) {
 stopCh := make(chan struct{})
 defer close(stopCh)
 _, c := newController()
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index afba7013f46..3a2047a8bf1 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -2703,19 +2703,41 @@ func testACNPNodeSelectorEgress(t *testing.T) {
 []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "x"}, PodSelector: map[string]string{"pod": "a"}}},
 crdv1alpha1.RuleActionDrop, true)
- testcases := []podToAddrTestStep{
- {
- "x/a",
- controlPlaneNodeIPv4(),
- 6443,
- Dropped,
- },
- {
- "x/b",
- controlPlaneNodeIPv4(),
- 6443,
- Connected,
- },
+ var testcases []podToAddrTestStep
+ if clusterInfo.podV4NetworkCIDR != "" {
+ ipv4Testcases := []podToAddrTestStep{
+ {
+ "x/a",
+ controlPlaneNodeIPv4(),
+ 6443,
+ Dropped,
+ },
+ {
+ "x/b",
+ controlPlaneNodeIPv4(),
+ 6443,
+ Connected,
+ },
+ }
+ testcases = append(testcases, ipv4Testcases...)
+ }
+
+ if clusterInfo.podV6NetworkCIDR != "" {
+ ipv6Testcases := []podToAddrTestStep{
+ {
+ "x/a",
+ controlPlaneNodeIPv6(),
+ 6443,
+ Dropped,
+ },
+ {
+ "x/b",
+ controlPlaneNodeIPv6(),
+ 6443,
+ Connected,
+ },
+ }
+ testcases = append(testcases, ipv6Testcases...)
 }
 _, err := k8sUtils.CreateOrUpdateACNP(builder.Get())
 failOnError(err, t)
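Review bot: When neither clusterInfo.podV4NetworkCIDR nor clusterInfo.podV6NetworkCIDR is set, testcases stays empty after the two new conditionals, and the rest of the test (outside the hunk) presumably iterates over it, so the test would pass without ever verifying that the Drop rule blocks egress to the control-plane Node on 6443 — a vacuous pass that hides a regression in exactly the restriction this test exists for. Add a guard after the second block, e.g. `if len(testcases) == 0 { t.Fatal("no Pod network CIDR configured, cannot build nodeSelector egress test cases") }` (or t.Skip if an IP-family-less cluster is a legitimate configuration). Note also that the Pod network CIDR is being used as the signal for whether the control-plane Node has an address of that family; if a cluster can have a v6 Pod CIDR without a v6 Node address, controlPlaneNodeIPv6() would need its own guard, which cannot be confirmed from the hunk. testACNPNodeSelectorEgress starts before and ends after the hunk.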