diff --git a/ci/kind/test-netpol-v2-conformance-kind.sh b/ci/kind/test-netpol-v2-conformance-kind.sh
index 29bca5257ce..4af153a633a 100755
--- a/ci/kind/test-netpol-v2-conformance-kind.sh
+++ b/ci/kind/test-netpol-v2-conformance-kind.sh
@@ -48,7 +48,7 @@ function quit {
 $TESTBED_CMD destroy kind
 }
-api_version="v0.1.0"
+api_version="v0.1.5"
 ipfamily="v4"
 feature_gates="AdminNetworkPolicy=true"
 setup_only=false
@@ -127,7 +127,9 @@ function setup_cluster {
 function run_test {
 # Install the network-policy-api CRDs in the kind cluster
- kubectl apply -f https://github.com/kubernetes-sigs/network-policy-api/releases/download/"$api_version"/install.yaml
+ # TODO: Change the following yamls to the released install.yaml as soon as a release is cut for the latest API changes
+ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
 echo "Generating Antrea manifest with args $manifest_args"
 $YML_CMD $manifest_args | kubectl apply -f -
@@ -141,8 +143,7 @@ function run_test {
 export KUBE_CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock
 export KUBE_CONTAINER_RUNTIME_NAME=containerd
- # TODO: use https://github.com/kubernetes-sigs/network-policy-api when conformance test config timeout and go dependency is fixed
- git clone https://github.com/Dyanngg/network-policy-api.git
+ git clone https://github.com/kubernetes-sigs/network-policy-api
 pushd network-policy-api/conformance
 go mod download
 go test -v --debug=true -timeout=15m
diff --git a/go.mod b/go.mod
index 573c1fd6407..079a87222c0 100644
--- a/go.mod
+++ b/go.mod
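Review bot: Both the CRD fetch in this hunk and the `git clone https://github.com/kubernetes-sigs/network-policy-api` in the next hunk now follow the upstream `main` branch with no ref pinned, so the run is not reproducible and any upstream change silently alters what is applied to the kind cluster and which conformance tests execute. Pin a commit instead: introduce `api_ref="<upstream-commit-sha>"` (placeholder), substitute it for `main` in the two `raw.githubusercontent.com` URLs, and follow the clone with `git -C network-policy-api checkout "$api_ref"`. Once the `install.yaml` line is gone, `api_version` (bumped to v0.1.5 in the first hunk) has no remaining use visible on the new side of this file; if nothing else reads it, drop it or fold it into the pinned ref so the two do not drift. `run_test` continues past the end of the hunk.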
@@ -78,10 +78,10 @@ require (
 k8s.io/kubectl v0.29.2
 k8s.io/kubelet v0.29.2
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b
- sigs.k8s.io/controller-runtime v0.16.3
+ sigs.k8s.io/controller-runtime v0.17.0
 sigs.k8s.io/mcs-api v0.1.0
- sigs.k8s.io/network-policy-api v0.1.1
- sigs.k8s.io/yaml v1.3.0
+ sigs.k8s.io/network-policy-api v0.1.5
+ sigs.k8s.io/yaml v1.4.0
 )
 require (
@@ -124,7 +124,7 @@ require (
 github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/evanphx/json-patch v5.6.0+incompatible // indirect
- github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+ github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fvbommel/sortorder v1.1.0 // indirect
@@ -215,7 +215,7 @@ require (
 go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 go.uber.org/multierr v1.11.0 // indirect
- go.uber.org/zap v1.25.0 // indirect
+ go.uber.org/zap v1.26.0 // indirect
 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 golang.org/x/oauth2 v0.18.0 // indirect
 golang.org/x/term v0.20.0 // indirect
diff --git a/go.sum b/go.sum
index 756af0974bf..abb0c4f45bc 100644
--- a/go.sum
+++ b/go.sum
@@ -104,8 +104,6 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.12 h1:YU9UHPukkCCnETHEExOptF/BxPv
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.12/go.mod h1:b53qpmhHk7mTL2J/tfG6f38neZiyBQSiNXGCuNKq4+4=
 github.com/aws/smithy-go v1.12.1 h1:yQRC55aXN/y1W10HgwHle01DRuV9Dpf31iGkotjt3Ag=
 github.com/aws/smithy-go v1.12.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
-github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -204,8 +202,8 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
+github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -242,8 +240,8 @@ github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ4
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
-github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
-github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
 github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
 github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
@@ -795,8 +793,8 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
-go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1129,8 +1127,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
 sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A=
-sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
-sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
+sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
 sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
@@ -1141,13 +1139,13 @@ sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
 sigs.k8s.io/mcs-api v0.1.0 h1:edDbg0oRGfXw8TmZjKYep06LcJLv/qcYLidejnUp0PM=
 sigs.k8s.io/mcs-api v0.1.0/go.mod h1:gGiAryeFNB4GBsq2LBmVqSgKoobLxt+p7ii/WG5QYYw=
-sigs.k8s.io/network-policy-api v0.1.1 h1:KDW+AkvCCQI3h8yH8j0hurhvPLNtLeVvmZoqtMaG9ew=
-sigs.k8s.io/network-policy-api v0.1.1/go.mod h1:F7S5fsb7QEzlLjuMgTGfUT4LRHylRbx2xDDpHfJKKEs=
+sigs.k8s.io/network-policy-api v0.1.5 h1:xyS7VAaM9EfyB428oFk7WjWaCK6B129i+ILUF4C8l6E=
+sigs.k8s.io/network-policy-api v0.1.5/go.mod h1:D7Nkr43VLNd7iYryemnj8qf0N/WjBzTZDxYA+g4u1/Y=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy.go b/pkg/controller/networkpolicy/adminnetworkpolicy.go
index 3ef269022dc..22577b25bd6 100644
--- a/pkg/controller/networkpolicy/adminnetworkpolicy.go
+++ b/pkg/controller/networkpolicy/adminnetworkpolicy.go
@@ -137,59 +137,19 @@ func (n *NetworkPolicyController) deleteBANP(old interface{}) {
 n.enqueueInternalNetworkPolicy(getBANPReference(banp))
 }
-// anpHasNamespaceLabelRule returns whether an AdminNetworkPolicy has rules defined by
-// advanced Namespace selection (sameLabels and notSameLabels)
-func anpHasNamespaceLabelRule(anp *v1alpha1.AdminNetworkPolicy) bool {
- for _, ingress := range anp.Spec.Ingress {
- for _, peer := range ingress.From {
- if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
- return true
- }
- }
- }
- for _, egress := range anp.Spec.Egress {
- for _, peer := range egress.To {
- if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
- return true
- }
- }
- }
- return false
-}
-
-// banpHasNamespaceLabelRule returns whether a BaselineAdminNetworkPolicy has rules defined by
-// advanced Namespace selection (sameLabels and notSameLabels)
-func banpHasNamespaceLabelRule(banp *v1alpha1.BaselineAdminNetworkPolicy) bool {
- for _, ingress := range banp.Spec.Ingress {
- for _, peer := range ingress.From {
- if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
- return true
- }
- }
- }
- for _, egress := range banp.Spec.Egress {
- for _, peer := range egress.To {
- if peer.Namespaces != nil && (len(peer.Namespaces.SameLabels) > 0 || len(peer.Namespaces.NotSameLabels) > 0) {
- return true
- }
- }
- }
- return false
-}
-
 // toAntreaServicesForPolicyCRD processes ports field for ANPs/BANPs and returns the translated
 // Antrea Services.
 func toAntreaServicesForPolicyCRD(npPorts []v1alpha1.AdminNetworkPolicyPort) []controlplane.Service {
 var antreaServices []controlplane.Service
 for _, npPort := range npPorts {
 if npPort.PortNumber != nil {
- port := intstr.FromInt(int(npPort.PortNumber.Port))
+ port := intstr.FromInt32(npPort.PortNumber.Port)
 antreaServices = append(antreaServices, controlplane.Service{
 Protocol: toAntreaProtocol(&npPort.PortNumber.Protocol),
 Port: &port,
 })
 } else if npPort.PortRange != nil {
- portStart := intstr.FromInt(int(npPort.PortRange.Start))
+ portStart := intstr.FromInt32(npPort.PortRange.Start)
 antreaServices = append(antreaServices, controlplane.Service{
 Protocol: toAntreaProtocol(&npPort.PortRange.Protocol),
 Port: &portStart,
@@ -205,32 +165,32 @@ func toAntreaServicesForPolicyCRD(npPorts []v1alpha1.AdminNetworkPolicyPort) []c
 return antreaServices
 }
-// splitPolicyPeersByScope splits the ANP/BANP peers in the rule by whether the peer is cluster scoped
-// or per-namespace scoped. Per-namespace peers are those whose defined by sameLabels and
-// notSameLabels.
-func splitPolicyPeerByScope(peers []v1alpha1.AdminNetworkPolicyPeer) ([]v1alpha1.AdminNetworkPolicyPeer, []v1alpha1.AdminNetworkPolicyPeer) {
- var clusterPeers, perNSLabelPeers []v1alpha1.AdminNetworkPolicyPeer
+// toAntreaIngressPeerForPolicyCRD processes AdminNetworkPolicyIngressPeers and yield Antrea NetworkPolicyPeers.
+func (n *NetworkPolicyController) toAntreaIngressPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyIngressPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
+ var addressGroups []*antreatypes.AddressGroup
 for _, peer := range peers {
- if peer.Pods != nil && peer.Pods.Namespaces.NamespaceSelector != nil {
- clusterPeers = append(clusterPeers, peer)
- } else if peer.Namespaces != nil && peer.Namespaces.NamespaceSelector != nil {
- clusterPeers = append(clusterPeers, peer)
- } else {
- perNSLabelPeers = append(perNSLabelPeers, peer)
+ if peer.Pods != nil {
+ addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, &peer.Pods.NamespaceSelector, nil, nil)
+ addressGroups = append(addressGroups, addressGroup)
+ } else if peer.Namespaces != nil {
+ addressGroup := n.createAddressGroup("", nil, peer.Namespaces, nil, nil)
+ addressGroups = append(addressGroups, addressGroup)
 }
 }
- return clusterPeers, perNSLabelPeers
+ return &controlplane.NetworkPolicyPeer{
+ AddressGroups: getAddressGroupNames(addressGroups),
+ }, addressGroups
 }
-// toAntreaPeerForPolicyCRD processes AdminNetworkPolicyPeers and yield Antrea NetworkPolicyPeers.
-func (n *NetworkPolicyController) toAntreaPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
+// toAntreaEgressPeerForPolicyCRD processes AdminNetworkPolicyEgressPeers and yield Antrea NetworkPolicyPeers.
+func (n *NetworkPolicyController) toAntreaEgressPeerForPolicyCRD(peers []v1alpha1.AdminNetworkPolicyEgressPeer) (*controlplane.NetworkPolicyPeer, []*antreatypes.AddressGroup) {
 var addressGroups []*antreatypes.AddressGroup
 for _, peer := range peers {
 if peer.Pods != nil {
- addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, peer.Pods.Namespaces.NamespaceSelector, nil, nil)
+ addressGroup := n.createAddressGroup("", &peer.Pods.PodSelector, &peer.Pods.NamespaceSelector, nil, nil)
 addressGroups = append(addressGroups, addressGroup)
 } else if peer.Namespaces != nil {
- addressGroup := n.createAddressGroup("", nil, peer.Namespaces.NamespaceSelector, nil, nil)
+ addressGroup := n.createAddressGroup("", nil, peer.Namespaces, nil, nil)
 addressGroups = append(addressGroups, addressGroup)
 }
 }
@@ -265,7 +225,8 @@ func banpActionToCRDAction(action v1alpha1.BaselineAdminNetworkPolicyRuleAction)
 }
 func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) {
- appliedToPerRule := anpHasNamespaceLabelRule(anp)
+ // AdminNetworkPolicy tenant rules are not yet available in the API
+ appliedToPerRule := false
 appliedToGroups := map[string]*antreatypes.AppliedToGroup{}
 addressGroups := map[string]*antreatypes.AddressGroup{}
 var rules []controlplane.NetworkPolicyRule
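Review bot: `toAntreaEgressPeerForPolicyCRD` translates only `peer.Pods` and `peer.Namespaces`; any other peer kind falls out of the `if`/`else if` chain without an address group, and the callers in the later hunks (`if len(anpEgressRule.To) > 0` and the BANP equivalents) still emit the rule, so a rule whose peers are all of an unhandled kind is produced with an empty `AddressGroups` list. If the v0.1.5 `AdminNetworkPolicyEgressPeer` type carries peer kinds beyond these two (it appears to add node and CIDR peers) and the controlplane treats an empty peer as matching everything, a narrowly scoped Allow or Deny silently becomes cluster-wide, which is the class of input the admission validator deleted elsewhere in this commit used to reject. Either restore an admission check for unsupported peer kinds or make the omission explicit: `if len(addressGroups) == 0 { return nil, nil }` at the end of this helper and `if peer, ags := n.toAntreaEgressPeerForPolicyCRD(anpEgressRule.To); peer != nil {` in the callers, with a warning log so the dropped rule is visible. A test case with an unsupported peer kind would pin whichever behaviour is chosen; none was added to adminnetworkpolicy_test.go here. The helper's `return` lies past the end of the hunk.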
@@ -275,9 +236,8 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 if anpIngressRule.Ports != nil {
 services = toAntreaServicesForPolicyCRD(*anpIngressRule.Ports)
 }
- clusterPeers, _ := splitPolicyPeerByScope(anpIngressRule.From)
- if len(clusterPeers) > 0 {
- peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+ if len(anpIngressRule.From) > 0 {
+ peer, ags := n.toAntreaIngressPeerForPolicyCRD(anpIngressRule.From)
 rule := controlplane.NetworkPolicyRule{
 Direction: controlplane.DirectionIn,
 From: *peer,
@@ -289,16 +249,14 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 rules = append(rules, rule)
 addressGroups = mergeAddressGroups(addressGroups, ags...)
 }
- //TODO: implement SameLabels and NotSameLabels for per NS label ingress peers
 }
 for idx, anpEgressRule := range anp.Spec.Egress {
 var services []controlplane.Service
 if anpEgressRule.Ports != nil {
 services = toAntreaServicesForPolicyCRD(*anpEgressRule.Ports)
 }
- clusterPeers, _ := splitPolicyPeerByScope(anpEgressRule.To)
- if len(clusterPeers) > 0 {
- peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+ if len(anpEgressRule.To) > 0 {
+ peer, ags := n.toAntreaEgressPeerForPolicyCRD(anpEgressRule.To)
 rule := controlplane.NetworkPolicyRule{
 Direction: controlplane.DirectionOut,
 To: *peer,
@@ -310,12 +268,9 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 rules = append(rules, rule)
 addressGroups = mergeAddressGroups(addressGroups, ags...)
 }
- //TODO: implement SameLabels and NotSameLabels for per NS label egress peers
 }
 priority := float64(anp.Spec.Priority)
- if !appliedToPerRule {
- appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(anp.Spec.Subject)...)
- }
+ appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(anp.Spec.Subject)...)
 internalNetworkPolicy := &antreatypes.NetworkPolicy{
 Name: internalNetworkPolicyKeyFunc(anp),
 Generation: anp.Generation,
@@ -335,7 +290,8 @@ func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminN
 }
 func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alpha1.BaselineAdminNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) {
- appliedToPerRule := banpHasNamespaceLabelRule(banp)
+ // BaselineAdminNetworkPolicy tenant rules are not yet available in the API
+ appliedToPerRule := false
 appliedToGroups := map[string]*antreatypes.AppliedToGroup{}
 addressGroups := map[string]*antreatypes.AddressGroup{}
 var rules []controlplane.NetworkPolicyRule
@@ -345,9 +301,8 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 if banpIngressRule.Ports != nil {
 services = toAntreaServicesForPolicyCRD(*banpIngressRule.Ports)
 }
- clusterPeers, _ := splitPolicyPeerByScope(banpIngressRule.From)
- if len(clusterPeers) > 0 {
- peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+ if len(banpIngressRule.From) > 0 {
+ peer, ags := n.toAntreaIngressPeerForPolicyCRD(banpIngressRule.From)
 rule := controlplane.NetworkPolicyRule{
 Direction: controlplane.DirectionIn,
 From: *peer,
@@ -359,16 +314,14 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 rules = append(rules, rule)
 addressGroups = mergeAddressGroups(addressGroups, ags...)
 }
- //TODO: implement SameLabels and NotSameLabels for per NS label ingress peers
 }
 for idx, banpEgressRule := range banp.Spec.Egress {
 var services []controlplane.Service
 if banpEgressRule.Ports != nil {
 services = toAntreaServicesForPolicyCRD(*banpEgressRule.Ports)
 }
- clusterPeers, _ := splitPolicyPeerByScope(banpEgressRule.To)
- if len(clusterPeers) > 0 {
- peer, ags := n.toAntreaPeerForPolicyCRD(clusterPeers)
+ if len(banpEgressRule.To) > 0 {
+ peer, ags := n.toAntreaEgressPeerForPolicyCRD(banpEgressRule.To)
 rule := controlplane.NetworkPolicyRule{
 Direction: controlplane.DirectionOut,
 To: *peer,
@@ -380,11 +333,8 @@ func (n *NetworkPolicyController) processBaselineAdminNetworkPolicy(banp *v1alph
 rules = append(rules, rule)
 addressGroups = mergeAddressGroups(addressGroups, ags...)
 }
- //TODO: implement SameLabels and NotSameLabels for per NS label egress peers
- }
- if !appliedToPerRule {
- appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(banp.Spec.Subject)...)
 }
+ appliedToGroups = mergeAppliedToGroups(appliedToGroups, n.processClusterSubject(banp.Spec.Subject)...)
 internalNetworkPolicy := &antreatypes.NetworkPolicy{
 Name: internalNetworkPolicyKeyFunc(banp),
 Generation: banp.Generation,
diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go
index c7dea83f135..e83ecb0c33b 100644
--- a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go
+++ b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go
@@ -51,13 +51,11 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -74,13 +72,11 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Egress: []v1alpha1.AdminNetworkPolicyEgressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- To: []v1alpha1.AdminNetworkPolicyPeer{
+ To: []v1alpha1.AdminNetworkPolicyEgressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -153,13 +149,11 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionDeny,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -176,13 +170,11 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Egress: []v1alpha1.AdminNetworkPolicyEgressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionDeny,
- To: []v1alpha1.AdminNetworkPolicyPeer{
+ To: []v1alpha1.AdminNetworkPolicyEgressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorB,
- },
- PodSelector: selectorC,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorB,
+ PodSelector: selectorC,
 },
 },
 },
@@ -255,13 +247,11 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionPass,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -316,7 +306,7 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: "anpD", UID: "uidD"},
 Spec: v1alpha1.AdminNetworkPolicySpec{
 Subject: v1alpha1.AdminNetworkPolicySubject{
- Pods: &v1alpha1.NamespacedPodSubject{
+ Pods: &v1alpha1.NamespacedPod{
 NamespaceSelector: selectorA,
 PodSelector: selectorB,
 },
@@ -325,11 +315,9 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Namespaces: &v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
+ Namespaces: &selectorC,
 },
 },
 Ports: &[]v1alpha1.AdminNetworkPolicyPort{
@@ -371,47 +359,6 @@ func TestProcessAdminNetworkPolicy(t *testing.T) {
 expectedAppliedToGroups: 1,
 expectedAddressGroups: 1,
 },
- {
- // TODO: when sameLabels and notSameLabels is supported, this test need to be modified
- name: "with-same-label-namespaces-selection",
- inputPolicy: &v1alpha1.AdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpE", UID: "uidE"},
- Spec: v1alpha1.AdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Priority: 10,
- Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
- {
- Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- SameLabels: []string{"purpose"},
- },
- },
- },
- },
- },
- },
- },
- expectedPolicy: &antreatypes.NetworkPolicy{
- UID: "uidE",
- Name: "uidE",
- SourceRef: &controlplane.NetworkPolicyReference{
- Type: controlplane.AdminNetworkPolicy,
- Name: "anpE",
- UID: "uidE",
- },
- Priority: &p10,
- TierPriority: &adminNetworkPolicyTierPriority,
- Rules: []controlplane.NetworkPolicyRule{},
- AppliedToGroups: []string{},
- AppliedToPerRule: true,
- },
- expectedAppliedToGroups: 0,
- expectedAddressGroups: 0,
- },
 }
 defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, features.AdminNetworkPolicy, true)
 for _, tt := range tests {
@@ -451,13 +398,11 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -474,13 +419,11 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) {
 Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{
 {
 Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny,
- To: []v1alpha1.AdminNetworkPolicyPeer{
+ To: []v1alpha1.AdminNetworkPolicyEgressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -552,13 +495,11 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
@@ -575,13 +516,11 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) {
 Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{
 {
 Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny,
- To: []v1alpha1.AdminNetworkPolicyPeer{
+ To: []v1alpha1.AdminNetworkPolicyEgressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorB,
- },
- PodSelector: selectorC,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorB,
+ PodSelector: selectorC,
 },
 },
 },
@@ -653,13 +592,11 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) {
 Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{
 {
 Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
+ From: []v1alpha1.AdminNetworkPolicyIngressPeer{
 {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
+ Pods: &v1alpha1.NamespacedPod{
+ NamespaceSelector: selectorC,
+ PodSelector: selectorB,
 },
 },
 },
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
index 5639866e452..f1f6c3d42cd 100644
--- a/pkg/controller/networkpolicy/validate.go
+++ b/pkg/controller/networkpolicy/validate.go
@@ -32,7 +32,6 @@ import (
 "k8s.io/apimachinery/pkg/util/validation"
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/klog/v2"
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/controller/networkpolicy/store"
@@ -71,9 +70,6 @@ type tierValidator resourceValidator
 // groupValidator implements the validator interface for the ClusterGroup resource.
 type groupValidator resourceValidator
-// adminPolicyValidator implements the validator interface for the AdminNetworkPolicy resource.
-type adminPolicyValidator resourceValidator
-
 var (
 // reservedTierPriorities stores the reserved priority range from 251, 252, 254 and 255.
 // The priority 250 is reserved for default Tier but not part of this set in order to be
@@ -109,10 +105,6 @@ func (v *NetworkPolicyValidator) RegisterGroupValidator(g validator) {
 v.groupValidators = append(v.groupValidators, g)
 }
-func (v *NetworkPolicyValidator) RegisterAdminNetworkPolicyValidator(a validator) {
- v.adminNPValidators = append(v.adminNPValidators, a)
-}
-
 // NetworkPolicyValidator maintains list of validator objects which validate
 // the Antrea-native policy related resources.
 type NetworkPolicyValidator struct {
@@ -125,9 +117,6 @@ type NetworkPolicyValidator struct {
 // groupValidators maintains a list of validator objects which
 // implement the validator interface for ClusterGroup resources.
 groupValidators []validator
- // adminNPValidators maintains a list of validator objects which
- // implement the validator interface for ANP and BANP resources.
- adminNPValidators []validator
 }
 // NewNetworkPolicyValidator returns a new *NetworkPolicyValidator.
@@ -149,13 +138,9 @@ func NewNetworkPolicyValidator(networkPolicyController *NetworkPolicyController)
 gv := groupValidator{
 networkPolicyController: networkPolicyController,
 }
- av := adminPolicyValidator{
- networkPolicyController: networkPolicyController,
- }
 vr.RegisterAntreaPolicyValidator(&apv)
 vr.RegisterTierValidator(&tv)
 vr.RegisterGroupValidator(&gv)
- vr.RegisterAdminNetworkPolicyValidator(&av)
 return &vr
 }
@@ -258,38 +243,6 @@ func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.Admi
 }
 }
 msg, allowed = v.validateAntreaPolicy(&curANNP, &oldANNP, op, ui)
- case "AdminNetworkPolicy":
- klog.V(2).Info("Validating AdminNetworkPolicy CRD")
- var curANP, oldANP v1alpha1.AdminNetworkPolicy
- if curRaw != nil {
- if err := json.Unmarshal(curRaw, &curANP); err != nil {
- klog.Errorf("Error de-serializing current AdminNetworkPolicy")
- return GetAdmissionResponseForErr(err)
- }
- }
- if oldRaw != nil {
- if err := json.Unmarshal(oldRaw, &oldANP); err != nil {
- klog.Errorf("Error de-serializing old AdminNetworkPolicy")
- return GetAdmissionResponseForErr(err)
- }
- }
- msg, allowed = v.validateAdminNetworkPolicy(&curANP, &oldANP, op, ui)
- case "BaselineAdminNetworkPolicy":
- klog.V(2).Info("Validating BaselineAdminNetworkPolicy CRD")
- var curBANP, oldBANP v1alpha1.BaselineAdminNetworkPolicy
- if curRaw != nil {
- if err := json.Unmarshal(curRaw, &curBANP); err != nil {
- klog.Errorf("Error de-serializing current BaselineAdminNetworkPolicy")
- return GetAdmissionResponseForErr(err)
- }
- }
- if oldRaw != nil {
- if err := json.Unmarshal(oldRaw, &oldBANP); err != nil {
- klog.Errorf("Error de-serializing old BaselineAdminNetworkPolicy")
- return GetAdmissionResponseForErr(err)
- }
- }
- msg, allowed = v.validateAdminNetworkPolicy(&curBANP, &oldBANP, op, ui)
 }
 if msg != "" {
 result = &metav1.Status{
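Review bot: The `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` arms are deleted from the `Validate` switch rather than narrowed, so if the webhook configuration still routes those kinds to this endpoint (not visible in this diff) the request leaves the switch with `msg` empty and is admitted with no Antrea-side semantic check; the validator type, its registration in the earlier hunks and its methods in the last hunk of this file are removed along with it. Those arms were the only place that rejected policies the controller cannot translate, and this same commit introduces new untranslatable input (egress peer kinds other than Pods and Namespaces are dropped without a trace in adminnetworkpolicy.go), so the admission gap is wider after the change than before it. At minimum document the decision above the switch with `// AdminNetworkPolicy and BaselineAdminNetworkPolicy are not validated here; only the CRD schema gates them.`, and preferably keep a slim `adminPolicyValidator` whose `createValidate` rejects peer kinds the translation does not handle, so unsupported policies fail loudly at admission instead of silently changing scope. `Validate` begins and ends outside the hunk.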
@@ -334,35 +287,6 @@ func (v *NetworkPolicyValidator) validateAntreaPolicy(curObj, oldObj interface{} return reason, allowed } -func (v *NetworkPolicyValidator) validateAdminNetworkPolicy(curObj, oldObj interface{}, op admv1.Operation, userInfo authenticationv1.UserInfo) (string, bool) { - allowed := true - reason := "" - switch op { - case admv1.Create: - for _, val := range v.adminNPValidators { - reason, allowed = val.createValidate(curObj, userInfo) - if !allowed { - return reason, allowed - } - } - case admv1.Update: - for _, val := range v.adminNPValidators { - reason, allowed = val.updateValidate(curObj, oldObj, userInfo) - if !allowed { - return reason, allowed - } - } - case admv1.Delete: - for _, val := range v.adminNPValidators { - reason, allowed = val.deleteValidate(oldObj, userInfo) - if !allowed { - return reason, allowed - } - } - } - return reason, allowed -} - // validatePort validates if ports is valid func (v *antreaPolicyValidator) validatePort(ingress, egress []crdv1beta1.Rule) error { isValid := func(rules []crdv1beta1.Rule) error { 
@@ -1133,39 +1057,3 @@ func (g *groupValidator) validateGroup(curObj interface{}) (string, bool) {
 func (g *groupValidator) deleteValidate(oldObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) {
 return "", true
 }
-
-func (a *adminPolicyValidator) validateAdminNP(anp *v1alpha1.AdminNetworkPolicy) (string, bool) {
- if anpHasNamespaceLabelRule(anp) {
- return "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea", false
- }
- return "", true
-}
-
-func (a *adminPolicyValidator) validateBANP(banp *v1alpha1.BaselineAdminNetworkPolicy) (string, bool) {
- if banpHasNamespaceLabelRule(banp) {
- return "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea", false
- }
- return "", true
-}
-
-func (a *adminPolicyValidator) createValidate(curObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) {
- var reason string
- var allowed bool
- switch curObj.(type) {
- case *v1alpha1.AdminNetworkPolicy:
- curANP := curObj.(*v1alpha1.AdminNetworkPolicy)
- reason, allowed = a.validateAdminNP(curANP)
- case *v1alpha1.BaselineAdminNetworkPolicy:
- curBANP := curObj.(*v1alpha1.BaselineAdminNetworkPolicy)
- reason, allowed = a.validateBANP(curBANP)
- }
- return reason, allowed
-}
-
-func (a *adminPolicyValidator) updateValidate(curObj, oldObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) {
- return a.createValidate(curObj, userInfo)
-}
-
-func (a *adminPolicyValidator) deleteValidate(oldObj interface{}, userInfo authenticationv1.UserInfo) (string, bool) {
- return "", true
-}
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index 271da1e06c1..1fcf7786042 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
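Review bot: `anpHasNamespaceLabelRule` and `banpHasNamespaceLabelRule`, whose only visible callers are the removed `validateAdminNP` and `validateBANP` methods, are not touched anywhere in this diff; if their definitions live elsewhere in the package they are now dead code and should be deleted in the same change, or kept with a comment stating why they remain. It is also worth one line in the commit description that `adminPolicyValidator` and the exported `RegisterAdminNetworkPolicyValidator` (removed in the earlier hunks of this file) are gone, since any downstream code registering its own ANP/BANP validator will stop compiling.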
@@ -24,7 +24,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/component-base/featuregate"
 featuregatetesting "k8s.io/component-base/featuregate/testing"
- "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 
 crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 "antrea.io/antrea/pkg/features"
@@ -2575,209 +2574,3 @@ func TestValidateTier(t *testing.T) {
 })
 }
 }
-
-func TestValidateAdminNetworkPolicy(t *testing.T) {
- tests := []struct {
- name string
- policy metav1.Object
- operation admv1.Operation
- expectedReason string
- }{
- {
- name: "anp-has-same-labels-rule",
- policy: &v1alpha1.AdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.AdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Priority: 10,
- Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
- {
- Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- SameLabels: []string{"labelA"},
- },
- },
- },
- },
- },
- Egress: []v1alpha1.AdminNetworkPolicyEgressRule{
- {
- Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- To: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Create,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- {
- name: "anp-update-to-same-labels-rule",
- policy: &v1alpha1.AdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.AdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Priority: 10,
- Egress: []v1alpha1.AdminNetworkPolicyEgressRule{
- {
- Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- To: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- SameLabels: []string{"labelA"},
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Update,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- {
- name: "anp-has-not-same-labels-rule",
- policy: &v1alpha1.AdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.AdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Priority: 10,
- Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{
- {
- Action: v1alpha1.AdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- NotSameLabels: []string{"labelA", "labelB"},
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Create,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- {
- name: "banp-has-same-labels-rule",
- policy: &v1alpha1.BaselineAdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.BaselineAdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{
- {
- Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- SameLabels: []string{"labelA"},
- },
- },
- },
- },
- Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{
- {
- Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
- To: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Pods: &v1alpha1.NamespacedPodPeer{
- Namespaces: v1alpha1.NamespacedPeer{
- NamespaceSelector: &selectorC,
- },
- PodSelector: selectorB,
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Create,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- {
- name: "banp-update-to-same-labels-rule",
- policy: &v1alpha1.BaselineAdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.BaselineAdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{
- {
- Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
- To: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- SameLabels: []string{"labelA"},
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Update,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- {
- name: "banp-has-not-same-labels-rule",
- policy: &v1alpha1.BaselineAdminNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "anpA", UID: "uidA"},
- Spec: v1alpha1.BaselineAdminNetworkPolicySpec{
- Subject: v1alpha1.AdminNetworkPolicySubject{
- Namespaces: &selectorA,
- },
- Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{
- {
- Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow,
- From: []v1alpha1.AdminNetworkPolicyPeer{
- {
- Namespaces: &v1alpha1.NamespacedPeer{
- NotSameLabels: []string{"labelA", "labelB"},
- },
- },
- },
- },
- },
- },
- },
- operation: admv1.Create,
- expectedReason: "SameLabels and NotSameLabels namespace selection are not yet supported by Antrea",
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
- validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
- actualReason, allowed := validator.validateAdminNetworkPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
- assert.Equal(t, tt.expectedReason, actualReason)
- if tt.expectedReason == "" {
- assert.True(t, allowed)
- } else {
- assert.False(t, allowed)
- }
- })
- }
-}