antrea-io · qiyueyao · Sep 14, 2023
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -2374,20 +2374,23 @@ func testANNPUpdate(t *testing.T, data *TestData) {
 // testANNPMultipleAppliedTo tests traffic from X/B to Y/A on port 80 will be dropped, after applying Antrea
 // NetworkPolicy that applies to multiple AppliedTos, one of which doesn't select any Pod. It also ensures the Policy is
 // updated correctly when one of its AppliedToGroup starts and stops selecting Pods.
-func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
+func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool, protocol AntreaPolicyProtocol) {
+	if protocol == ProtocolSCTP {
+		skipIfIPv6Cluster(t)
+	}
 	tempLabel := randName("temp-")
 	builder := &AntreaNetworkPolicySpecBuilder{}
 	builder = builder.SetName(getNS("y"), "np-multiple-appliedto").SetPriority(1.0)
 	// Make it apply to an extra dummy AppliedTo to ensure it handles multiple AppliedToGroups correctly.
 	// See https://github.com/antrea-io/antrea/issues/2083.
 	if singleRule {
 		builder.SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}, {PodSelector: map[string]string{tempLabel: ""}}})
-		builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
+		builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
 	} else {
-		builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
+		builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1beta1.RuleActionDrop, "", "")
-		builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
+		builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
 			nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1beta1.RuleActionDrop, "", "")
 	}
 
@@ -2397,7 +2400,7 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 	annp, err := k8sUtils.CreateOrUpdateANNP(builder.Get())
 	failOnError(err, t)
 	failOnError(data.waitForANNPRealized(t, annp.Namespace, annp.Name, policyRealizedTimeout), t)
-	k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
+	k8sUtils.Validate(allPods, reachability, []int32{80}, protocol)
 	_, wrong, _ := reachability.Summary()
 	if wrong != 0 {
 		t.Errorf("Failure -- %d wrong results", wrong)
@@ -2416,7 +2419,7 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
 	reachability.Expect(getPod("x", "b"), getPod("y", "c"), Dropped)
 	time.Sleep(networkPolicyDelay)
-	k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
+	k8sUtils.Validate(allPods, reachability, []int32{80}, protocol)
 	_, wrong, _ = reachability.Summary()
 	if wrong != 0 {
 		t.Errorf("Failure -- %d wrong results", wrong)
@@ -2430,7 +2433,7 @@ func testANNPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 	reachability = NewReachability(allPods, Connected)
 	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
 	time.Sleep(networkPolicyDelay)
-	k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
+	k8sUtils.Validate(allPods, reachability, []int32{80}, protocol)
 	_, wrong, _ = reachability.Summary()
 	if wrong != 0 {
 		t.Errorf("Failure -- %d wrong results", wrong)
@@ -4041,6 +4044,162 @@ func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, g
 	}
 }
 
+// testANNPAllowNoDefaultIsolation tests that no default isolation rules are created for Policies.
+func testANNPAllowNoDefaultIsolation(t *testing.T) {
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(getNS("x"), "annp-allow-xa-ingress-and-egress").
+		SetPriority(1.1).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngress(ProtocolTCP, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("y")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "")
+	builder.AddEgress(ProtocolTCP, &p81, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("z")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "")
+
+	reachability := NewReachability(allPods, Connected)
+	testStep := []*TestStep{
+		{
+			Name:          "Port 81",
+			Reachability:  reachability,
+			TestResources: []metav1.Object{builder.Get()},
+			Ports:         []int32{81},
+			Protocol:      ProtocolTCP,
+		},
+	}
+	testCase := []*TestCase{
+		{"ANNP Allow No Default Isolation", testStep},
+	}
+	executeTests(t, testCase)
+}
+
+// testANNPCompleteIsolation tests that an ANNP with default drop rules creates
+// complete pod isolation for X/A that drops all traffic from anywhere.
+func testANNPCompleteIsolation(t *testing.T) {
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(getNS("x"), "annp-drop-xa-ingress-and-egress").
+		SetPriority(1.1).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, map[string]string{}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+	builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{}, map[string]string{}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+
+	reachability := NewReachability(allPods, Connected)
+	reachability.ExpectAllIngress(getPod("x", "a"), Dropped)
+	reachability.ExpectAllEgress(getPod("x", "a"), Dropped)
+	reachability.ExpectSelf(allPods, Connected)
+	testStep := []*TestStep{
+		{
+			Name:          "Port 80",
+			Reachability:  reachability,
+			TestResources: []metav1.Object{builder.Get()},
+			Ports:         []int32{80},
+			Protocol:      ProtocolTCP,
+		},
+	}
+	testCase := []*TestCase{
+		{"ANNP Drop Complete Isolation For Pods in X", testStep},
+	}
+	executeTests(t, testCase)
+}
+
+// testANNPDropIngressEgress tests that an ANNP is able to drop ingress traffic
+// from X/B to Y/A and drop egress traffic from Y/A to Z/C for the provided protocol.
+func testANNPDropIngressEgress(t *testing.T, protocol AntreaPolicyProtocol) {
+	if protocol == ProtocolSCTP {
+		skipIfIPv6Cluster(t)
+	}
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(getNS("y"), "annp-deny-xb-to-ya-ingress-ya-to-zc-egress").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+	builder.AddEgress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": getNS("z")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+
+	reachability := NewReachability(allPods, Connected)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
+	reachability.Expect(getPod("y", "a"), getPod("z", "c"), Dropped)
+	testStep := []*TestStep{
+		{
+			Name:          "Port 80",
+			Reachability:  reachability,
+			TestResources: []metav1.Object{builder.Get()},
+			Ports:         []int32{80},
+			Protocol:      protocol,
+		},
+	}
+	testCase := []*TestCase{
+		{Name: "ANNP Drop Ingress From X/B to Y/A And Egress From Y/A to Z/C", Steps: testStep},
+	}
+	executeTests(t, testCase)
+}
+
+// testANNPConflictIngressEgress tests that conflicting policies with drop ingress
+// and allow egress from y/b to x/a results in the drop instead of allow.
+func testANNPConflictIngressEgress(t *testing.T) {
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(getNS("x"), "annp-deny-yb-to-xa-ingress").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("y")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+
+	builder2 := &AntreaNetworkPolicySpecBuilder{}
+	builder2 = builder2.SetName(getNS("y"), "annp-allow-yb-to-xa-egress").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
+	builder2.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "a"}, map[string]string{"ns": getNS("x")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionAllow, "", "")
+
+	reachability := NewReachability(allPods, Connected)
+	reachability.Expect(getPod("y", "b"), getPod("x", "a"), Dropped)
+	testStep := []*TestStep{
+		{
+			Name:          "Port 80",
+			Reachability:  reachability,
+			TestResources: []metav1.Object{builder.Get(), builder2.Get()},
+			Ports:         []int32{80},
+			Protocol:      ProtocolTCP,
+		},
+	}
+	testCase := []*TestCase{
+		{Name: "ANNP Drop Y/B to X/A with Conflicting Policies", Steps: testStep},
+	}
+	executeTests(t, testCase)
+}
+
+// testANNPIngressDelete tests that an ANNP is no longer effective after deleted.
+func testANNPIngressDelete(t *testing.T, data *TestData) {
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(getNS("y"), "annp-deny-xb-to-ya-ingress").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+	builder.AddIngress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": getNS("x")}, nil,
+		nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+	reachability := NewReachability(allPods, Connected)
+	reachability.Expect(getPod("x", "b"), getPod("y", "a"), Dropped)
+
+	annp, err := k8sUtils.CreateOrUpdateANNP(builder.Get())
+	failOnError(err, t)
+	failOnError(data.waitForANNPRealized(t, annp.Namespace, annp.Name, policyRealizedTimeout), t)
+	k8sUtils.Validate(allPods, reachability, []int32{80}, ProtocolTCP)
+	_, wrong, _ := reachability.Summary()
+	if wrong != 0 {
+		t.Errorf("Failure -- %d wrong results", wrong)
+		reachability.PrintSummary(true, true, true)
+	}
+
+	failOnError(k8sUtils.DeleteANNP(annp.Namespace, annp.Name), t)
+	updatedReachability := NewReachability(allPods, Connected)
+	k8sUtils.Validate(allPods, updatedReachability, []int32{80}, ProtocolTCP)
+	_, wrong, _ = reachability.Summary()
+	if wrong != 0 {
+		t.Errorf("Failure -- %d wrong results", wrong)
+		reachability.PrintSummary(true, true, true)
+	}
+}
+
 // the matchers parameter is a list of regular expressions which will be matched against the
 // contents of the audit logs. The call will "succeed" if all matches are successful.
 func checkAuditLoggingResult(t *testing.T, data *TestData, nodeName, logLocator string, matchers []*regexp.Regexp) {
@@ -4400,8 +4559,8 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ANNPPortRange", func(t *testing.T) { testANNPPortRange(t) })
 		t.Run("Case=ANNPBasic", func(t *testing.T) { testANNPBasic(t) })
 		t.Run("Case=ANNPUpdate", func(t *testing.T) { testANNPUpdate(t, data) })
-		t.Run("Case=testANNPMultipleAppliedToSingleRule", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, true) })
-		t.Run("Case=testANNPMultipleAppliedToMultipleRules", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, false) })
+		t.Run("Case=testANNPMultipleAppliedToSingleRule", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, true, ProtocolTCP) })
+		t.Run("Case=testANNPMultipleAppliedToMultipleRules", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, false, ProtocolTCP) })
 		t.Run("Case=AppliedToPerRule", func(t *testing.T) { testAppliedToPerRule(t) })
 		t.Run("Case=ACNPNamespaceIsolation", func(t *testing.T) { testACNPNamespaceIsolation(t) })
 		t.Run("Case=ACNPStrictNamespaceIsolation", func(t *testing.T) { testACNPStrictNamespacesIsolation(t) })
@@ -4439,6 +4598,20 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ACNPICMPSupport", func(t *testing.T) { testACNPICMPSupport(t, data) })
 		t.Run("Case=ACNPNodePortServiceSupport", func(t *testing.T) { testACNPNodePortServiceSupport(t, data, data.testNamespace) })
 	})
+	t.Run("ExtendedTestGroupANNP", func(t *testing.T) {
+		skipIfNotRequired(t, "mode-irrelevant")
+		t.Run("Case=ANNPAllowNoDefaultIsolation", func(t *testing.T) { testANNPAllowNoDefaultIsolation(t) })
+		t.Run("Case=ANNPCompleteIsolation", func(t *testing.T) { testANNPCompleteIsolation(t) })
+		t.Run("Case=ANNPDropIngressEgressTCP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolTCP) })
+		t.Run("Case=ANNPDropIngressEgressUDP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolUDP) })
+		t.Run("Case=ANNPDropIngressEgressSCTP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolSCTP) })
+		t.Run("Case=ANNPConflictIngressEgress", func(t *testing.T) { testANNPConflictIngressEgress(t) })
+		t.Run("Case=testANNPMultipleAppliedToSingleRuleUDP", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, true, ProtocolUDP) })
+		t.Run("Case=testANNPMultipleAppliedToSingleRuleSCTP", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, true, ProtocolSCTP) })
+		t.Run("Case=testANNPMultipleAppliedToMultipleRulesUDP", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, false, ProtocolUDP) })
+		t.Run("Case=testANNPMultipleAppliedToMultipleRulesSCTP", func(t *testing.T) { testANNPMultipleAppliedTo(t, data, false, ProtocolSCTP) })
+		t.Run("Case=testANNPIngressDelete", func(t *testing.T) { testANNPIngressDelete(t, data) })
+	})
 	// print results for reachability tests
 	printResults()