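// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package groups

import (
	"context"
	"fmt"
	"net/netip"
	"testing"

	"github.com/stretchr/testify/require"
	"k8s.io/apimachinery/pkg/types"

	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
	slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
	"github.com/cilium/cilium/pkg/policy/api"
)

// getSamplePolicy builds a minimal CiliumNetworkPolicy for the tests in this
// file: the given name and namespace, a fixed UID ("123") so that derived
// names are predictable, and a single-rule Spec selecting endpoints labelled
// test=true. Callers model a cluster-wide policy by passing an empty namespace.
func getSamplePolicy(name, ns string) *cilium_v2.CiliumNetworkPolicy {
	cnp := &cilium_v2.CiliumNetworkPolicy{}

	cnp.ObjectMeta.Name = name
	cnp.ObjectMeta.Namespace = ns
	// Fixed UID: the derivative policy name is built from it
	// (see TestCorrectDerivativeName).
	cnp.ObjectMeta.UID = types.UID("123")
	cnp.Spec = &api.Rule{
		EndpointSelector: api.EndpointSelector{
			LabelSelector: &slim_metav1.LabelSelector{
				MatchLabels: map[string]string{
					"test": "true",
				},
			},
		},
	}
	return cnp
}

// TestCorrectDerivativeName checks that the derivative policy created for a
// namespaced (CNP) and a cluster-wide (CCNP) policy is named
// "<name>-groups-<uid>", so that derivatives of distinct source policies can
// never collide on name alone.
func TestCorrectDerivativeName(t *testing.T) {
	name := "test"
	cnp := getSamplePolicy(name, "testns")
	cnpDerivedPolicy, err := createDerivativeCNP(context.TODO(), cnp)
	require.NoError(t, err)
	require.Equal(t, fmt.Sprintf("%s-groups-%s", name, cnp.ObjectMeta.UID), cnpDerivedPolicy.ObjectMeta.Name)

	// Same contract for the cluster-wide helper.
	ccnpName := "ccnp-test"
	ccnp := getSamplePolicy(ccnpName, "")
	ccnpDerivedPolicy, err := createDerivativeCCNP(context.TODO(), ccnp)
	require.NoError(t, err)
	require.Equal(t, fmt.Sprintf("%s-groups-%s", ccnpName, ccnp.ObjectMeta.UID), ccnpDerivedPolicy.ObjectMeta.Name)
}

// TestDerivativePoliciesAreDeletedIfNogroups checks that an egress rule
// without any ToGroups is carried over unchanged into the single entry of
// the derivative policy's Specs, for both CNP and CCNP.
func TestDerivativePoliciesAreDeletedIfNogroups(t *testing.T) {
	egressRule := []api.EgressRule{
		{
			ToPorts: []api.PortRule{
				{
					Ports: []api.PortProtocol{
						{Port: "5555"},
					},
				},
			},
		},
	}

	name := "test"
	cnp := getSamplePolicy(name, "testns")

	cnp.Spec.Egress = egressRule

	cnpDerivedPolicy, err := createDerivativeCNP(context.TODO(), cnp)
	require.NoError(t, err)
	// Assert the length before indexing Specs[0] so an empty result fails
	// the test cleanly instead of panicking on an out-of-range index.
	require.Len(t, cnpDerivedPolicy.Specs, 1)
	require.EqualValues(t, cnp.Spec.Egress, cnpDerivedPolicy.Specs[0].Egress)

	// Clusterwide policies
	ccnpName := "ccnp-test"
	ccnp := getSamplePolicy(ccnpName, "")
	ccnp.Spec.Egress = egressRule

	ccnpDerivedPolicy, err := createDerivativeCCNP(context.TODO(), ccnp)
	require.NoError(t, err)
	require.Len(t, ccnpDerivedPolicy.Specs, 1)
	require.EqualValues(t, ccnp.Spec.Egress, ccnpDerivedPolicy.Specs[0].Egress)
}

// TestDerivativePoliciesAreInheritCorrectly checks that, when an egress rule
// carries a ToGroups entry resolved through a registered provider, the
// derivative policy keeps the original ToPorts, drops the ToGroups (the
// derivative must only contain concrete, already-resolved selectors), and
// moves the rule into Specs while leaving Spec nil.
func TestDerivativePoliciesAreInheritCorrectly(t *testing.T) {
	// Stub provider: every group resolves to one fixed address.
	cb := func(_ context.Context, _ *api.Groups) ([]netip.Addr, error) {
		return []netip.Addr{netip.MustParseAddr("192.168.1.1")}, nil
	}

	egressRule := []api.EgressRule{
		{
			ToPorts: []api.PortRule{
				{
					Ports: []api.PortProtocol{
						{Port: "5555"},
					},
				},
			},
			EgressCommonRule: api.EgressCommonRule{
				ToGroups: []api.Groups{
					{
						AWS: &api.AWSGroup{
							Labels: map[string]string{
								"test": "a",
							},
						},
					},
				},
			},
		},
	}

	// NOTE(review): this installs a process-wide provider callback that is
	// never restored, so it remains in effect for any later test in this
	// package that resolves AWS groups; confirm whether the api package
	// offers a way to reset it (e.g. from t.Cleanup).
	api.RegisterToGroupsProvider(api.AWSProvider, cb)

	name := "test"
	cnp := getSamplePolicy(name, "testns")

	cnp.Spec.Egress = egressRule

	cnpDerivedPolicy, err := createDerivativeCNP(context.TODO(), cnp)
	require.NoError(t, err)
	require.Nil(t, cnpDerivedPolicy.Spec)
	require.Len(t, cnpDerivedPolicy.Specs, 1)
	require.EqualValues(t, cnp.Spec.Egress[0].ToPorts, cnpDerivedPolicy.Specs[0].Egress[0].ToPorts)
	// The unresolved group selector must not survive into the derivative.
	require.Len(t, cnpDerivedPolicy.Specs[0].Egress[0].ToGroups, 0)
	// NOTE(review): the address returned by cb is not asserted anywhere in
	// this test; checking that the derivative's resolved destination set
	// contains it would make the test fail if a provider resolved nothing.

	// Clusterwide policies
	ccnpName := "ccnp-test"
	ccnp := getSamplePolicy(ccnpName, "")
	ccnp.Spec.Egress = egressRule

	ccnpDerivedPolicy, err := createDerivativeCCNP(context.TODO(), ccnp)
	require.NoError(t, err)
	require.Nil(t, ccnpDerivedPolicy.Spec)
	require.Len(t, ccnpDerivedPolicy.Specs, 1)
	require.EqualValues(t, ccnp.Spec.Egress[0].ToPorts, ccnpDerivedPolicy.Specs[0].Egress[0].ToPorts)
	require.Len(t, ccnpDerivedPolicy.Specs[0].Egress[0].ToGroups, 0)
}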