github.com/cilium/cilium@v1.16.2/pkg/policy/k8s/cilium_cidr_group_test.go (about) 1 // SPDX-License-Identifier: Apache-2.0 2 // Copyright Authors of Cilium 3 4 package k8s 5 6 import ( 7 "reflect" 8 "testing" 9 10 "github.com/stretchr/testify/assert" 11 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 12 13 cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" 14 cilium_v2_alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" 15 "github.com/cilium/cilium/pkg/k8s/types" 16 "github.com/cilium/cilium/pkg/policy/api" 17 ) 18 19 func TestHasCIDRGroupRef(t *testing.T) { 20 testCases := [...]struct { 21 name string 22 cnp *types.SlimCNP 23 cidrGroup string 24 expected bool 25 }{ 26 { 27 name: "nil Spec", 28 cnp: &types.SlimCNP{ 29 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 30 TypeMeta: metav1.TypeMeta{ 31 APIVersion: "cilium.io/v2", 32 Kind: "CiliumNetworkPolicy", 33 }, 34 ObjectMeta: metav1.ObjectMeta{ 35 Name: "test-policy", 36 Namespace: "test-namespace", 37 }, 38 }, 39 }, 40 cidrGroup: "cidr-group-1", 41 expected: false, 42 }, 43 { 44 name: "nil Ingress and Egress", 45 cnp: &types.SlimCNP{ 46 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 47 TypeMeta: metav1.TypeMeta{ 48 APIVersion: "cilium.io/v2", 49 Kind: "CiliumNetworkPolicy", 50 }, 51 ObjectMeta: metav1.ObjectMeta{ 52 Name: "test-policy", 53 Namespace: "test-namespace", 54 }, 55 Spec: &api.Rule{}, 56 Specs: api.Rules{ 57 {}, 58 }, 59 }, 60 }, 61 cidrGroup: "cidr-group-1", 62 expected: false, 63 }, 64 { 65 name: "nil FromCidrSet rule", 66 cnp: &types.SlimCNP{ 67 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 68 TypeMeta: metav1.TypeMeta{ 69 APIVersion: "cilium.io/v2", 70 Kind: "CiliumNetworkPolicy", 71 }, 72 ObjectMeta: metav1.ObjectMeta{ 73 Name: "test-policy", 74 Namespace: "test-namespace", 75 }, 76 Spec: &api.Rule{ 77 Ingress: []api.IngressRule{}, 78 IngressDeny: []api.IngressDenyRule{}, 79 }, 80 Specs: api.Rules{ 81 { 82 Ingress: []api.IngressRule{}, 83 IngressDeny: []api.IngressDenyRule{}, 84 }, 85 }, 86 }, 87 }, 88 cidrGroup: "cidr-group-1", 89 expected: false, 90 }, 91 { 92 name: "nil ToCidrSet rule", 93 cnp: &types.SlimCNP{ 94 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 95 TypeMeta: metav1.TypeMeta{ 96 APIVersion: "cilium.io/v2", 97 Kind: "CiliumNetworkPolicy", 98 }, 99 ObjectMeta: metav1.ObjectMeta{ 100 Name: "test-policy", 101 Namespace: "test-namespace", 102 }, 103 Spec: &api.Rule{ 104 Egress: []api.EgressRule{}, 105 EgressDeny: []api.EgressDenyRule{}, 106 }, 107 Specs: api.Rules{ 108 { 109 Egress: []api.EgressRule{}, 110 EgressDeny: []api.EgressDenyRule{}, 111 }, 112 }, 113 }, 114 }, 115 cidrGroup: "cidr-group-1", 116 expected: false, 117 }, 118 { 119 name: "missing CIDRGroup", 120 cnp: &types.SlimCNP{ 121 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 122 TypeMeta: metav1.TypeMeta{ 123 APIVersion: "cilium.io/v2", 124 Kind: "CiliumNetworkPolicy", 125 }, 126 ObjectMeta: metav1.ObjectMeta{ 127 Name: "test-policy", 128 Namespace: "test-namespace", 129 }, 130 Spec: &api.Rule{ 131 Ingress: []api.IngressRule{ 132 { 133 IngressCommonRule: api.IngressCommonRule{ 134 FromCIDRSet: api.CIDRRuleSlice{ 135 { 136 CIDRGroupRef: "cidr-group-1", 137 }, 138 }, 139 }, 140 }, 141 }, 142 IngressDeny: []api.IngressDenyRule{ 143 { 144 IngressCommonRule: api.IngressCommonRule{ 145 FromCIDRSet: api.CIDRRuleSlice{ 146 { 147 CIDRGroupRef: "cidr-group-3", 148 }, 149 }, 150 }, 151 }, 152 }, 153 }, 154 Specs: api.Rules{ 155 { 156 Ingress: []api.IngressRule{ 157 { 158 IngressCommonRule: api.IngressCommonRule{ 159 FromCIDRSet: api.CIDRRuleSlice{ 160 { 161 CIDRGroupRef: "cidr-group-2", 162 }, 163 }, 164 }, 165 }, 166 }, 167 }, 168 { 169 IngressDeny: []api.IngressDenyRule{ 170 { 171 IngressCommonRule: api.IngressCommonRule{ 172 FromCIDRSet: api.CIDRRuleSlice{ 173 { 174 CIDRGroupRef: "cidr-group-4", 175 }, 176 }, 177 }, 178 }, 179 }, 180 }, 181 }, 182 }, 183 }, 184 cidrGroup: "cidr-group-5", 185 expected: false, 186 }, 187 { 188 name: "CIDRGroupRef in Ingress Spec", 189 cnp: &types.SlimCNP{ 190 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 191 TypeMeta: metav1.TypeMeta{ 192 APIVersion: "cilium.io/v2", 193 Kind: "CiliumNetworkPolicy", 194 }, 195 ObjectMeta: metav1.ObjectMeta{ 196 Name: "test-policy", 197 Namespace: "test-namespace", 198 }, 199 Spec: &api.Rule{ 200 Ingress: []api.IngressRule{ 201 { 202 IngressCommonRule: api.IngressCommonRule{ 203 FromCIDRSet: api.CIDRRuleSlice{ 204 { 205 CIDRGroupRef: "cidr-group-1", 206 }, 207 }, 208 }, 209 }, 210 }, 211 }, 212 Specs: api.Rules{ 213 { 214 Ingress: []api.IngressRule{ 215 { 216 IngressCommonRule: api.IngressCommonRule{ 217 FromCIDRSet: api.CIDRRuleSlice{ 218 { 219 CIDRGroupRef: "cidr-group-2", 220 }, 221 }, 222 }, 223 }, 224 }, 225 }, 226 }, 227 }, 228 }, 229 cidrGroup: "cidr-group-1", 230 expected: true, 231 }, 232 { 233 name: "CIDRGroupRef in Egress Spec", 234 cnp: &types.SlimCNP{ 235 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 236 TypeMeta: metav1.TypeMeta{ 237 APIVersion: "cilium.io/v2", 238 Kind: "CiliumNetworkPolicy", 239 }, 240 ObjectMeta: metav1.ObjectMeta{ 241 Name: "test-policy", 242 Namespace: "test-namespace", 243 }, 244 Spec: &api.Rule{ 245 Egress: []api.EgressRule{ 246 { 247 EgressCommonRule: api.EgressCommonRule{ 248 ToCIDRSet: api.CIDRRuleSlice{ 249 { 250 CIDRGroupRef: "cidr-group-1", 251 }, 252 }, 253 }, 254 }, 255 }, 256 }, 257 Specs: api.Rules{ 258 { 259 Egress: []api.EgressRule{ 260 { 261 EgressCommonRule: api.EgressCommonRule{ 262 ToCIDRSet: api.CIDRRuleSlice{ 263 { 264 CIDRGroupRef: "cidr-group-2", 265 }, 266 }, 267 }, 268 }, 269 }, 270 }, 271 }, 272 }, 273 }, 274 cidrGroup: "cidr-group-1", 275 expected: true, 276 }, 277 { 278 name: "CIDRGroupRef in IngressDeny Spec", 279 cnp: &types.SlimCNP{ 280 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 281 TypeMeta: metav1.TypeMeta{ 282 APIVersion: "cilium.io/v2", 283 Kind: "CiliumNetworkPolicy", 284 }, 285 ObjectMeta: metav1.ObjectMeta{ 286 Name: "test-policy", 287 Namespace: "test-namespace", 288 }, 289 Spec: &api.Rule{ 290 IngressDeny: []api.IngressDenyRule{ 291 { 292 IngressCommonRule: api.IngressCommonRule{ 293 FromCIDRSet: api.CIDRRuleSlice{ 294 { 295 CIDRGroupRef: "cidr-group-1", 296 }, 297 }, 298 }, 299 }, 300 }, 301 }, 302 Specs: api.Rules{ 303 { 304 IngressDeny: []api.IngressDenyRule{ 305 { 306 IngressCommonRule: api.IngressCommonRule{ 307 FromCIDRSet: api.CIDRRuleSlice{ 308 { 309 CIDRGroupRef: "cidr-group-2", 310 }, 311 }, 312 }, 313 }, 314 }, 315 }, 316 }, 317 }, 318 }, 319 cidrGroup: "cidr-group-1", 320 expected: true, 321 }, 322 { 323 name: "CIDRGroupRef in EgressDeny Spec", 324 cnp: &types.SlimCNP{ 325 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 326 TypeMeta: metav1.TypeMeta{ 327 APIVersion: "cilium.io/v2", 328 Kind: "CiliumNetworkPolicy", 329 }, 330 ObjectMeta: metav1.ObjectMeta{ 331 Name: "test-policy", 332 Namespace: "test-namespace", 333 }, 334 Spec: &api.Rule{ 335 EgressDeny: []api.EgressDenyRule{ 336 { 337 EgressCommonRule: api.EgressCommonRule{ 338 ToCIDRSet: api.CIDRRuleSlice{ 339 { 340 CIDRGroupRef: "cidr-group-1", 341 }, 342 }, 343 }, 344 }, 345 }, 346 }, 347 Specs: api.Rules{ 348 { 349 EgressDeny: []api.EgressDenyRule{ 350 { 351 EgressCommonRule: api.EgressCommonRule{ 352 ToCIDRSet: api.CIDRRuleSlice{ 353 { 354 CIDRGroupRef: "cidr-group-2", 355 }, 356 }, 357 }, 358 }, 359 }, 360 }, 361 }, 362 }, 363 }, 364 cidrGroup: "cidr-group-1", 365 expected: true, 366 }, 367 { 368 name: "CIDR in Ingress Spec", 369 cnp: &types.SlimCNP{ 370 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 371 TypeMeta: metav1.TypeMeta{ 372 APIVersion: "cilium.io/v2", 373 Kind: "CiliumNetworkPolicy", 374 }, 375 ObjectMeta: metav1.ObjectMeta{ 376 Name: "test-policy", 377 Namespace: "test-namespace", 378 }, 379 Spec: &api.Rule{ 380 Ingress: []api.IngressRule{ 381 { 382 IngressCommonRule: api.IngressCommonRule{ 383 FromCIDRSet: api.CIDRRuleSlice{ 384 { 385 CIDRGroupRef: "cidr-group-1", 386 }, 387 }, 388 }, 389 }, 390 }, 391 }, 392 Specs: api.Rules{ 393 { 394 Ingress: []api.IngressRule{ 395 { 396 IngressCommonRule: api.IngressCommonRule{ 397 FromCIDRSet: api.CIDRRuleSlice{ 398 { 399 Cidr: "1.1.1.1/32", 400 }, 401 }, 402 }, 403 }, 404 }, 405 }, 406 }, 407 }, 408 }, 409 cidrGroup: "cidr-group-1", 410 expected: true, 411 }, 412 { 413 name: "CIDR in IngressDeny Spec", 414 cnp: &types.SlimCNP{ 415 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 416 TypeMeta: metav1.TypeMeta{ 417 APIVersion: "cilium.io/v2", 418 Kind: "CiliumNetworkPolicy", 419 }, 420 ObjectMeta: metav1.ObjectMeta{ 421 Name: "test-policy", 422 Namespace: "test-namespace", 423 }, 424 Spec: &api.Rule{ 425 IngressDeny: []api.IngressDenyRule{ 426 { 427 IngressCommonRule: api.IngressCommonRule{ 428 FromCIDRSet: api.CIDRRuleSlice{ 429 { 430 CIDRGroupRef: "cidr-group-1", 431 }, 432 }, 433 }, 434 }, 435 }, 436 }, 437 Specs: api.Rules{ 438 { 439 IngressDeny: []api.IngressDenyRule{ 440 { 441 IngressCommonRule: api.IngressCommonRule{ 442 FromCIDRSet: api.CIDRRuleSlice{ 443 { 444 Cidr: "1.1.1.1/32", 445 }, 446 }, 447 }, 448 }, 449 }, 450 }, 451 }, 452 }, 453 }, 454 cidrGroup: "cidr-group-1", 455 expected: true, 456 }, 457 { 458 name: "CIDRGroupRef in IngressDeny Specs", 459 cnp: &types.SlimCNP{ 460 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 461 TypeMeta: metav1.TypeMeta{ 462 APIVersion: "cilium.io/v2", 463 Kind: "CiliumNetworkPolicy", 464 }, 465 ObjectMeta: metav1.ObjectMeta{ 466 Name: "test-policy", 467 Namespace: "test-namespace", 468 }, 469 Spec: &api.Rule{ 470 Ingress: []api.IngressRule{ 471 { 472 IngressCommonRule: api.IngressCommonRule{ 473 FromCIDRSet: api.CIDRRuleSlice{ 474 { 475 CIDRGroupRef: "cidr-group-1", 476 }, 477 }, 478 }, 479 }, 480 }, 481 }, 482 Specs: api.Rules{ 483 { 484 Ingress: []api.IngressRule{ 485 { 486 IngressCommonRule: api.IngressCommonRule{ 487 FromCIDRSet: api.CIDRRuleSlice{ 488 { 489 CIDRGroupRef: "cidr-group-2", 490 }, 491 }, 492 }, 493 }, 494 }, 495 }, 496 }, 497 }, 498 }, 499 cidrGroup: "cidr-group-2", 500 expected: true, 501 }, 502 { 503 name: "CIDRGroupRef in Spec (Egress)", 504 cnp: &types.SlimCNP{ 505 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 506 TypeMeta: metav1.TypeMeta{ 507 APIVersion: "cilium.io/v2", 508 Kind: "CiliumNetworkPolicy", 509 }, 510 ObjectMeta: metav1.ObjectMeta{ 511 Name: "test-policy", 512 Namespace: "test-namespace", 513 }, 514 Spec: &api.Rule{ 515 Egress: []api.EgressRule{ 516 { 517 EgressCommonRule: api.EgressCommonRule{ 518 ToCIDRSet: api.CIDRRuleSlice{ 519 { 520 CIDRGroupRef: "cidr-group-1", 521 }, 522 }, 523 }, 524 }, 525 }, 526 }, 527 }, 528 }, 529 cidrGroup: "cidr-group-1", 530 expected: true, 531 }, 532 { 533 name: "CIDRGroupRef in Specs (Egress)", 534 cnp: &types.SlimCNP{ 535 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 536 TypeMeta: metav1.TypeMeta{ 537 APIVersion: "cilium.io/v2", 538 Kind: "CiliumNetworkPolicy", 539 }, 540 ObjectMeta: metav1.ObjectMeta{ 541 Name: "test-policy", 542 Namespace: "test-namespace", 543 }, 544 Spec: &api.Rule{ 545 Egress: []api.EgressRule{ 546 { 547 EgressCommonRule: api.EgressCommonRule{ 548 ToCIDRSet: api.CIDRRuleSlice{ 549 { 550 CIDRGroupRef: "cidr-group-1", 551 }, 552 }, 553 }, 554 }, 555 }, 556 }, 557 Specs: api.Rules{ 558 { 559 Egress: []api.EgressRule{ 560 { 561 EgressCommonRule: api.EgressCommonRule{ 562 ToCIDRSet: api.CIDRRuleSlice{ 563 { 564 CIDRGroupRef: "cidr-group-2", 565 }, 566 }, 567 }, 568 }, 569 }, 570 }, 571 }, 572 }, 573 }, 574 cidrGroup: "cidr-group-2", 575 expected: true, 576 }, 577 { 578 name: "CIDRGroupRef in IngressDeny Specs", 579 cnp: &types.SlimCNP{ 580 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 581 TypeMeta: metav1.TypeMeta{ 582 APIVersion: "cilium.io/v2", 583 Kind: "CiliumNetworkPolicy", 584 }, 585 ObjectMeta: metav1.ObjectMeta{ 586 Name: "test-policy", 587 Namespace: "test-namespace", 588 }, 589 Spec: &api.Rule{ 590 IngressDeny: []api.IngressDenyRule{ 591 { 592 IngressCommonRule: api.IngressCommonRule{ 593 FromCIDRSet: api.CIDRRuleSlice{ 594 { 595 CIDRGroupRef: "cidr-group-1", 596 }, 597 }, 598 }, 599 }, 600 }, 601 }, 602 Specs: api.Rules{ 603 { 604 IngressDeny: []api.IngressDenyRule{ 605 { 606 IngressCommonRule: api.IngressCommonRule{ 607 FromCIDRSet: api.CIDRRuleSlice{ 608 { 609 CIDRGroupRef: "cidr-group-2", 610 }, 611 }, 612 }, 613 }, 614 }, 615 }, 616 }, 617 }, 618 }, 619 cidrGroup: "cidr-group-2", 620 expected: true, 621 }, 622 } 623 624 for _, tc := range testCases { 625 t.Run(tc.name, func(t *testing.T) { 626 got := hasCIDRGroupRef(tc.cnp, tc.cidrGroup) 627 if got != tc.expected { 628 t.Fatalf("expected hasCIDRGroupRef to return %t, got %t", tc.expected, got) 629 } 630 }) 631 } 632 } 633 634 func TestCIDRGroupRefsGet(t *testing.T) { 635 testCases := [...]struct { 636 name string 637 cnp *types.SlimCNP 638 expected []string 639 }{ 640 { 641 name: "nil Spec", 642 cnp: &types.SlimCNP{ 643 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 644 TypeMeta: metav1.TypeMeta{ 645 APIVersion: "cilium.io/v2", 646 Kind: "CiliumNetworkPolicy", 647 }, 648 ObjectMeta: metav1.ObjectMeta{ 649 Name: "test-policy", 650 Namespace: "test-namespace", 651 }, 652 }, 653 }, 654 expected: nil, 655 }, 656 { 657 name: "nil Ingress Spec with non-nil Ingress Specs", 658 cnp: &types.SlimCNP{ 659 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 660 TypeMeta: metav1.TypeMeta{ 661 APIVersion: "cilium.io/v2", 662 Kind: "CiliumNetworkPolicy", 663 }, 664 ObjectMeta: metav1.ObjectMeta{ 665 Name: "test-policy", 666 Namespace: "test-namespace", 667 }, 668 Specs: api.Rules{ 669 { 670 Ingress: []api.IngressRule{ 671 { 672 IngressCommonRule: api.IngressCommonRule{ 673 FromCIDRSet: api.CIDRRuleSlice{ 674 { 675 CIDRGroupRef: "cidr-group-1", 676 }, 677 }, 678 }, 679 }, 680 }, 681 }, 682 }, 683 }, 684 }, 685 expected: []string{"cidr-group-1"}, 686 }, 687 { 688 name: "nil IngressDeny Spec with non-nil IngressDeny Specs", 689 cnp: &types.SlimCNP{ 690 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 691 TypeMeta: metav1.TypeMeta{ 692 APIVersion: "cilium.io/v2", 693 Kind: "CiliumNetworkPolicy", 694 }, 695 ObjectMeta: metav1.ObjectMeta{ 696 Name: "test-policy", 697 Namespace: "test-namespace", 698 }, 699 Specs: api.Rules{ 700 { 701 IngressDeny: []api.IngressDenyRule{ 702 { 703 IngressCommonRule: api.IngressCommonRule{ 704 FromCIDRSet: api.CIDRRuleSlice{ 705 { 706 CIDRGroupRef: "cidr-group-1", 707 }, 708 }, 709 }, 710 }, 711 }, 712 }, 713 }, 714 }, 715 }, 716 expected: []string{"cidr-group-1"}, 717 }, 718 { 719 name: "nil Ingress and Egress", 720 cnp: &types.SlimCNP{ 721 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 722 TypeMeta: metav1.TypeMeta{ 723 APIVersion: "cilium.io/v2", 724 Kind: "CiliumNetworkPolicy", 725 }, 726 ObjectMeta: metav1.ObjectMeta{ 727 Name: "test-policy", 728 Namespace: "test-namespace", 729 }, 730 Spec: &api.Rule{}, 731 Specs: api.Rules{ 732 {}, 733 }, 734 }, 735 }, 736 expected: nil, 737 }, 738 { 739 name: "nil Ingress and IngressDeny FromCidrSet rule", 740 cnp: &types.SlimCNP{ 741 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 742 TypeMeta: metav1.TypeMeta{ 743 APIVersion: "cilium.io/v2", 744 Kind: "CiliumNetworkPolicy", 745 }, 746 ObjectMeta: metav1.ObjectMeta{ 747 Name: "test-policy", 748 Namespace: "test-namespace", 749 }, 750 Spec: &api.Rule{ 751 Ingress: []api.IngressRule{}, 752 IngressDeny: []api.IngressDenyRule{}, 753 }, 754 Specs: api.Rules{ 755 { 756 Ingress: []api.IngressRule{}, 757 IngressDeny: []api.IngressDenyRule{}, 758 }, 759 }, 760 }, 761 }, 762 expected: nil, 763 }, 764 { 765 name: "nil Egress and EgressDeny ToCidrSet rule", 766 cnp: &types.SlimCNP{ 767 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 768 TypeMeta: metav1.TypeMeta{ 769 APIVersion: "cilium.io/v2", 770 Kind: "CiliumNetworkPolicy", 771 }, 772 ObjectMeta: metav1.ObjectMeta{ 773 Name: "test-policy", 774 Namespace: "test-namespace", 775 }, 776 Spec: &api.Rule{ 777 Egress: []api.EgressRule{}, 778 EgressDeny: []api.EgressDenyRule{}, 779 }, 780 Specs: api.Rules{ 781 { 782 Egress: []api.EgressRule{}, 783 EgressDeny: []api.EgressDenyRule{}, 784 }, 785 }, 786 }, 787 }, 788 expected: nil, 789 }, 790 { 791 name: "single FromCidrSet rule", 792 cnp: &types.SlimCNP{ 793 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 794 TypeMeta: metav1.TypeMeta{ 795 APIVersion: "cilium.io/v2", 796 Kind: "CiliumNetworkPolicy", 797 }, 798 ObjectMeta: metav1.ObjectMeta{ 799 Name: "test-policy", 800 Namespace: "test-namespace", 801 }, 802 Spec: &api.Rule{ 803 Ingress: []api.IngressRule{ 804 { 805 IngressCommonRule: api.IngressCommonRule{ 806 FromCIDRSet: api.CIDRRuleSlice{ 807 { 808 CIDRGroupRef: "cidr-group-1", 809 }, 810 }, 811 }, 812 }, 813 }, 814 IngressDeny: []api.IngressDenyRule{ 815 { 816 IngressCommonRule: api.IngressCommonRule{ 817 FromCIDRSet: api.CIDRRuleSlice{ 818 { 819 CIDRGroupRef: "cidr-group-2", 820 }, 821 }, 822 }, 823 }, 824 }, 825 Egress: []api.EgressRule{ 826 { 827 EgressCommonRule: api.EgressCommonRule{ 828 ToCIDRSet: api.CIDRRuleSlice{ 829 { 830 CIDRGroupRef: "cidr-group-3", 831 }, 832 }, 833 }, 834 }, 835 }, 836 EgressDeny: []api.EgressDenyRule{ 837 { 838 EgressCommonRule: api.EgressCommonRule{ 839 ToCIDRSet: api.CIDRRuleSlice{ 840 { 841 CIDRGroupRef: "cidr-group-4", 842 }, 843 }, 844 }, 845 }, 846 }, 847 }, 848 Specs: api.Rules{ 849 { 850 Ingress: []api.IngressRule{ 851 { 852 IngressCommonRule: api.IngressCommonRule{ 853 FromCIDRSet: api.CIDRRuleSlice{ 854 { 855 CIDRGroupRef: "cidr-group-5", 856 }, 857 }, 858 }, 859 }, 860 }, 861 }, 862 { 863 IngressDeny: []api.IngressDenyRule{ 864 { 865 IngressCommonRule: api.IngressCommonRule{ 866 FromCIDRSet: api.CIDRRuleSlice{ 867 { 868 CIDRGroupRef: "cidr-group-6", 869 }, 870 }, 871 }, 872 }, 873 }, 874 }, 875 { 876 Egress: []api.EgressRule{ 877 { 878 EgressCommonRule: api.EgressCommonRule{ 879 ToCIDRSet: api.CIDRRuleSlice{ 880 { 881 CIDRGroupRef: "cidr-group-7", 882 }, 883 }, 884 }, 885 }, 886 }, 887 }, 888 { 889 EgressDeny: []api.EgressDenyRule{ 890 { 891 EgressCommonRule: api.EgressCommonRule{ 892 ToCIDRSet: api.CIDRRuleSlice{ 893 { 894 CIDRGroupRef: "cidr-group-8", 895 }, 896 }, 897 }, 898 }, 899 }, 900 }, 901 }, 902 }, 903 }, 904 expected: []string{ 905 "cidr-group-1", 906 "cidr-group-2", 907 "cidr-group-3", 908 "cidr-group-4", 909 "cidr-group-5", 910 "cidr-group-6", 911 "cidr-group-7", 912 "cidr-group-8", 913 }, 914 }, 915 { 916 name: "single FromCidrSet rule with only CIDR", 917 cnp: &types.SlimCNP{ 918 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 919 TypeMeta: metav1.TypeMeta{ 920 APIVersion: "cilium.io/v2", 921 Kind: "CiliumNetworkPolicy", 922 }, 923 ObjectMeta: metav1.ObjectMeta{ 924 Name: "test-policy", 925 Namespace: "test-namespace", 926 }, 927 Spec: &api.Rule{ 928 Ingress: []api.IngressRule{ 929 { 930 IngressCommonRule: api.IngressCommonRule{ 931 FromCIDRSet: api.CIDRRuleSlice{ 932 { 933 CIDRGroupRef: "cidr-group-1", 934 }, 935 }, 936 }, 937 }, 938 }, 939 IngressDeny: []api.IngressDenyRule{ 940 { 941 IngressCommonRule: api.IngressCommonRule{ 942 FromCIDRSet: api.CIDRRuleSlice{ 943 { 944 CIDRGroupRef: "cidr-group-2", 945 }, 946 }, 947 }, 948 }, 949 }, 950 }, 951 Specs: api.Rules{ 952 { 953 Ingress: []api.IngressRule{ 954 { 955 IngressCommonRule: api.IngressCommonRule{ 956 FromCIDRSet: api.CIDRRuleSlice{ 957 { 958 Cidr: "1.1.1.1/32", 959 }, 960 }, 961 }, 962 }, 963 }, 964 }, 965 { 966 IngressDeny: []api.IngressDenyRule{ 967 { 968 IngressCommonRule: api.IngressCommonRule{ 969 FromCIDRSet: api.CIDRRuleSlice{ 970 { 971 Cidr: "2.2.2.2/32", 972 }, 973 }, 974 }, 975 }, 976 }, 977 }, 978 }, 979 }, 980 }, 981 expected: []string{"cidr-group-1", "cidr-group-2"}, 982 }, 983 { 984 name: "multiple FromCidrSet rules", 985 cnp: &types.SlimCNP{ 986 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 987 TypeMeta: metav1.TypeMeta{ 988 APIVersion: "cilium.io/v2", 989 Kind: "CiliumNetworkPolicy", 990 }, 991 ObjectMeta: metav1.ObjectMeta{ 992 Name: "test-policy", 993 Namespace: "test-namespace", 994 }, 995 Spec: &api.Rule{ 996 Ingress: []api.IngressRule{ 997 { 998 IngressCommonRule: api.IngressCommonRule{ 999 FromCIDRSet: api.CIDRRuleSlice{ 1000 { 1001 CIDRGroupRef: "cidr-group-1", 1002 }, 1003 { 1004 CIDRGroupRef: "cidr-group-2", 1005 }, 1006 { 1007 CIDRGroupRef: "cidr-group-3", 1008 }, 1009 }, 1010 }, 1011 }, 1012 }, 1013 IngressDeny: []api.IngressDenyRule{ 1014 { 1015 IngressCommonRule: api.IngressCommonRule{ 1016 FromCIDRSet: api.CIDRRuleSlice{ 1017 { 1018 CIDRGroupRef: "cidr-group-6", 1019 }, 1020 { 1021 CIDRGroupRef: "cidr-group-7", 1022 }, 1023 }, 1024 }, 1025 }, 1026 }, 1027 }, 1028 Specs: api.Rules{ 1029 { 1030 Ingress: []api.IngressRule{ 1031 { 1032 IngressCommonRule: api.IngressCommonRule{ 1033 FromCIDRSet: api.CIDRRuleSlice{ 1034 { 1035 CIDRGroupRef: "cidr-group-4", 1036 }, 1037 { 1038 CIDRGroupRef: "cidr-group-5", 1039 }, 1040 }, 1041 }, 1042 }, 1043 }, 1044 IngressDeny: []api.IngressDenyRule{ 1045 { 1046 IngressCommonRule: api.IngressCommonRule{ 1047 FromCIDRSet: api.CIDRRuleSlice{ 1048 { 1049 CIDRGroupRef: "cidr-group-8", 1050 }, 1051 { 1052 CIDRGroupRef: "cidr-group-9", 1053 }, 1054 { 1055 CIDRGroupRef: "cidr-group-10", 1056 }, 1057 }, 1058 }, 1059 }, 1060 }, 1061 }, 1062 }, 1063 }, 1064 }, 1065 expected: []string{ 1066 "cidr-group-1", 1067 "cidr-group-2", 1068 "cidr-group-3", 1069 "cidr-group-4", 1070 "cidr-group-5", 1071 "cidr-group-6", 1072 "cidr-group-7", 1073 "cidr-group-8", 1074 "cidr-group-9", 1075 "cidr-group-10", 1076 }, 1077 }, 1078 } 1079 1080 for _, tc := range testCases { 1081 t.Run(tc.name, func(t *testing.T) { 1082 got := getCIDRGroupRefs(tc.cnp) 1083 assert.ElementsMatch(t, got, tc.expected) 1084 }) 1085 } 1086 } 1087 1088 func TestCIDRGroupRefsToCIDRsSets(t *testing.T) { 1089 testCases := [...]struct { 1090 name string 1091 refs []string 1092 cache map[string]*cilium_v2_alpha1.CiliumCIDRGroup 1093 expected map[string][]api.CIDR 1094 err string 1095 }{ 1096 { 1097 name: "nil refs", 1098 refs: nil, 1099 cache: map[string]*cilium_v2_alpha1.CiliumCIDRGroup{}, 1100 expected: map[string][]api.CIDR{}, 1101 }, 1102 { 1103 name: "missing refs", 1104 err: "cidr group \"missing\" not found, skipping translation", 1105 refs: []string{"missing", "cidr-group-1"}, 1106 cache: map[string]*cilium_v2_alpha1.CiliumCIDRGroup{ 1107 "cidr-group-1": { 1108 TypeMeta: metav1.TypeMeta{ 1109 APIVersion: "cilium.io/v2alpha1", 1110 Kind: "CiliumCIDRGroup", 1111 }, 1112 ObjectMeta: metav1.ObjectMeta{ 1113 Name: "cidr-group-1", 1114 }, 1115 Spec: cilium_v2_alpha1.CiliumCIDRGroupSpec{ 1116 ExternalCIDRs: []api.CIDR{api.CIDR("1.1.1.1/32"), api.CIDR("2.2.2.2/32")}, 1117 }, 1118 }, 1119 }, 1120 expected: map[string][]api.CIDR{ 1121 "cidr-group-1": {"1.1.1.1/32", "2.2.2.2/32"}, 1122 }, 1123 }, 1124 { 1125 name: "with refs", 1126 refs: []string{"cidr-group-1", "cidr-group-2"}, 1127 cache: map[string]*cilium_v2_alpha1.CiliumCIDRGroup{ 1128 "cidr-group-1": { 1129 TypeMeta: metav1.TypeMeta{ 1130 APIVersion: "cilium.io/v2alpha1", 1131 Kind: "CiliumCIDRGroup", 1132 }, 1133 ObjectMeta: metav1.ObjectMeta{ 1134 Name: "cidr-group-1", 1135 }, 1136 Spec: cilium_v2_alpha1.CiliumCIDRGroupSpec{ 1137 ExternalCIDRs: []api.CIDR{api.CIDR("1.1.1.1/32"), api.CIDR("2.2.2.2/32")}, 1138 }, 1139 }, 1140 "cidr-group-2": { 1141 TypeMeta: metav1.TypeMeta{ 1142 APIVersion: "cilium.io/v2alpha1", 1143 Kind: "CiliumCIDRGroup", 1144 }, 1145 ObjectMeta: metav1.ObjectMeta{ 1146 Name: "cidr-group-2", 1147 }, 1148 Spec: cilium_v2_alpha1.CiliumCIDRGroupSpec{ 1149 ExternalCIDRs: []api.CIDR{api.CIDR("3.3.3.3/32"), api.CIDR("4.4.4.4/32"), api.CIDR("5.5.5.5/32")}, 1150 }, 1151 }, 1152 }, 1153 expected: map[string][]api.CIDR{ 1154 "cidr-group-1": {"1.1.1.1/32", "2.2.2.2/32"}, 1155 "cidr-group-2": {"3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32"}, 1156 }, 1157 }, 1158 } 1159 1160 for _, tc := range testCases { 1161 t.Run(tc.name, func(t *testing.T) { 1162 p := &policyWatcher{cidrGroupCache: tc.cache} 1163 got, err := p.cidrGroupRefsToCIDRsSets(tc.refs) 1164 if err != nil && tc.err == "" { 1165 t.Fatalf("unexpected error from cidrGroupRefsToCIDRsSets: %s", err) 1166 } else if err != nil && err.Error() != tc.err { 1167 t.Fatalf("unexpected error divergence from cidrGroupRefsToCIDRsSets: %s != %s", err, tc.err) 1168 } 1169 if !reflect.DeepEqual(got, tc.expected) { 1170 t.Fatalf("expected cidr sets to be %v, got %v", tc.expected, got) 1171 } 1172 }) 1173 } 1174 } 1175 1176 func TestCIDRGroupRefsTranslate(t *testing.T) { 1177 testCases := [...]struct { 1178 name string 1179 cnp *types.SlimCNP 1180 cidrsSets map[string][]api.CIDR 1181 expected *types.SlimCNP 1182 }{ 1183 { 1184 name: "nil Spec", 1185 cnp: &types.SlimCNP{ 1186 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1187 TypeMeta: metav1.TypeMeta{ 1188 APIVersion: "cilium.io/v2", 1189 Kind: "CiliumNetworkPolicy", 1190 }, 1191 ObjectMeta: metav1.ObjectMeta{ 1192 Name: "test-policy", 1193 Namespace: "test-namespace", 1194 }, 1195 }, 1196 }, 1197 cidrsSets: map[string][]api.CIDR{}, 1198 expected: &types.SlimCNP{ 1199 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1200 TypeMeta: metav1.TypeMeta{ 1201 APIVersion: "cilium.io/v2", 1202 Kind: "CiliumNetworkPolicy", 1203 }, 1204 ObjectMeta: metav1.ObjectMeta{ 1205 Name: "test-policy", 1206 Namespace: "test-namespace", 1207 }, 1208 }, 1209 }, 1210 }, 1211 { 1212 name: "nil Ingress and Egress", 1213 cnp: &types.SlimCNP{ 1214 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1215 TypeMeta: metav1.TypeMeta{ 1216 APIVersion: "cilium.io/v2", 1217 Kind: "CiliumNetworkPolicy", 1218 }, 1219 ObjectMeta: metav1.ObjectMeta{ 1220 Name: "test-policy", 1221 Namespace: "test-namespace", 1222 }, 1223 Spec: &api.Rule{}, 1224 Specs: api.Rules{ 1225 {}, 1226 }, 1227 }, 1228 }, 1229 cidrsSets: map[string][]api.CIDR{}, 1230 expected: &types.SlimCNP{ 1231 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1232 TypeMeta: metav1.TypeMeta{ 1233 APIVersion: "cilium.io/v2", 1234 Kind: "CiliumNetworkPolicy", 1235 }, 1236 ObjectMeta: metav1.ObjectMeta{ 1237 Name: "test-policy", 1238 Namespace: "test-namespace", 1239 }, 1240 Spec: &api.Rule{}, 1241 Specs: api.Rules{ 1242 {}, 1243 }, 1244 }, 1245 }, 1246 }, 1247 { 1248 name: "nil FromCidrSet and ToCIDRSet rules", 1249 cnp: &types.SlimCNP{ 1250 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1251 TypeMeta: metav1.TypeMeta{ 1252 APIVersion: "cilium.io/v2", 1253 Kind: "CiliumNetworkPolicy", 1254 }, 1255 ObjectMeta: metav1.ObjectMeta{ 1256 Name: "test-policy", 1257 Namespace: "test-namespace", 1258 }, 1259 Spec: &api.Rule{ 1260 Ingress: []api.IngressRule{}, 1261 Egress: []api.EgressRule{}, 1262 }, 1263 Specs: api.Rules{ 1264 { 1265 Ingress: []api.IngressRule{}, 1266 Egress: []api.EgressRule{}, 1267 }, 1268 }, 1269 }, 1270 }, 1271 cidrsSets: map[string][]api.CIDR{}, 1272 expected: &types.SlimCNP{ 1273 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1274 TypeMeta: metav1.TypeMeta{ 1275 APIVersion: "cilium.io/v2", 1276 Kind: "CiliumNetworkPolicy", 1277 }, 1278 ObjectMeta: metav1.ObjectMeta{ 1279 Name: "test-policy", 1280 Namespace: "test-namespace", 1281 }, 1282 Spec: &api.Rule{ 1283 Ingress: []api.IngressRule{}, 1284 Egress: []api.EgressRule{}, 1285 }, 1286 Specs: api.Rules{ 1287 { 1288 Ingress: []api.IngressRule{}, 1289 Egress: []api.EgressRule{}, 1290 }, 1291 }, 1292 }, 1293 }, 1294 }, 1295 { 1296 name: "nil Ingress and IngressDeny FromCidrSet rule", 1297 cnp: &types.SlimCNP{ 1298 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1299 TypeMeta: metav1.TypeMeta{ 1300 APIVersion: "cilium.io/v2", 1301 Kind: "CiliumNetworkPolicy", 1302 }, 1303 ObjectMeta: metav1.ObjectMeta{ 1304 Name: "test-policy", 1305 Namespace: "test-namespace", 1306 }, 1307 Spec: &api.Rule{ 1308 Ingress: []api.IngressRule{}, 1309 IngressDeny: []api.IngressDenyRule{}, 1310 }, 1311 Specs: api.Rules{ 1312 { 1313 Ingress: []api.IngressRule{}, 1314 IngressDeny: []api.IngressDenyRule{}, 1315 }, 1316 }, 1317 }, 1318 }, 1319 cidrsSets: map[string][]api.CIDR{}, 1320 expected: &types.SlimCNP{ 1321 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1322 TypeMeta: metav1.TypeMeta{ 1323 APIVersion: "cilium.io/v2", 1324 Kind: "CiliumNetworkPolicy", 1325 }, 1326 ObjectMeta: metav1.ObjectMeta{ 1327 Name: "test-policy", 1328 Namespace: "test-namespace", 1329 }, 1330 Spec: &api.Rule{ 1331 Ingress: []api.IngressRule{}, 1332 IngressDeny: []api.IngressDenyRule{}, 1333 }, 1334 Specs: api.Rules{ 1335 { 1336 Ingress: []api.IngressRule{}, 1337 IngressDeny: []api.IngressDenyRule{}, 1338 }, 1339 }, 1340 }, 1341 }, 1342 }, 1343 { 1344 name: "nil Egress and EgressDeny ToCidrSet rule", 1345 cnp: &types.SlimCNP{ 1346 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1347 TypeMeta: metav1.TypeMeta{ 1348 APIVersion: "cilium.io/v2", 1349 Kind: "CiliumNetworkPolicy", 1350 }, 1351 ObjectMeta: metav1.ObjectMeta{ 1352 Name: "test-policy", 1353 Namespace: "test-namespace", 1354 }, 1355 Spec: &api.Rule{ 1356 Egress: []api.EgressRule{}, 1357 EgressDeny: []api.EgressDenyRule{}, 1358 }, 1359 Specs: api.Rules{ 1360 { 1361 Egress: []api.EgressRule{}, 1362 EgressDeny: []api.EgressDenyRule{}, 1363 }, 1364 }, 1365 }, 1366 }, 1367 cidrsSets: map[string][]api.CIDR{}, 1368 expected: &types.SlimCNP{ 1369 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1370 TypeMeta: metav1.TypeMeta{ 1371 APIVersion: "cilium.io/v2", 1372 Kind: "CiliumNetworkPolicy", 1373 }, 1374 ObjectMeta: metav1.ObjectMeta{ 1375 Name: "test-policy", 1376 Namespace: "test-namespace", 1377 }, 1378 Spec: &api.Rule{ 1379 Egress: []api.EgressRule{}, 1380 EgressDeny: []api.EgressDenyRule{}, 1381 }, 1382 Specs: api.Rules{ 1383 { 1384 Egress: []api.EgressRule{}, 1385 EgressDeny: []api.EgressDenyRule{}, 1386 }, 1387 }, 1388 }, 1389 }, 1390 }, 1391 { 1392 name: "with FromCidrSet and ToCIDRSet rules", 1393 cnp: &types.SlimCNP{ 1394 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1395 TypeMeta: metav1.TypeMeta{ 1396 APIVersion: "cilium.io/v2", 1397 Kind: "CiliumNetworkPolicy", 1398 }, 1399 ObjectMeta: metav1.ObjectMeta{ 1400 Name: "test-policy", 1401 Namespace: "test-namespace", 1402 }, 1403 Spec: &api.Rule{ 1404 Ingress: []api.IngressRule{ 1405 { 1406 IngressCommonRule: api.IngressCommonRule{ 1407 FromCIDRSet: api.CIDRRuleSlice{ 1408 { 1409 CIDRGroupRef: "cidr-group-1", 1410 }, 1411 }, 1412 }, 1413 }, 1414 }, 1415 Egress: []api.EgressRule{ 1416 { 1417 EgressCommonRule: api.EgressCommonRule{ 1418 ToCIDRSet: api.CIDRRuleSlice{ 1419 { 1420 CIDRGroupRef: "cidr-group-1-e", 1421 }, 1422 }, 1423 }, 1424 }, 1425 }, 1426 }, 1427 Specs: api.Rules{ 1428 { 1429 Ingress: []api.IngressRule{ 1430 { 1431 IngressCommonRule: api.IngressCommonRule{ 1432 FromCIDRSet: api.CIDRRuleSlice{ 1433 { 1434 CIDRGroupRef: "cidr-group-2", 1435 }, 1436 }, 1437 }, 1438 }, 1439 { 1440 IngressCommonRule: api.IngressCommonRule{ 1441 FromCIDRSet: api.CIDRRuleSlice{ 1442 { 1443 CIDRGroupRef: "cidr-group-3", 1444 }, 1445 }, 1446 }, 1447 }, 1448 }, 1449 Egress: []api.EgressRule{ 1450 { 1451 EgressCommonRule: api.EgressCommonRule{ 1452 ToCIDRSet: api.CIDRRuleSlice{ 1453 { 1454 CIDRGroupRef: "cidr-group-2-e", 1455 }, 1456 }, 1457 }, 1458 }, 1459 { 1460 EgressCommonRule: api.EgressCommonRule{ 1461 ToCIDRSet: api.CIDRRuleSlice{ 1462 { 1463 CIDRGroupRef: "cidr-group-3-e", 1464 }, 1465 }, 1466 }, 1467 }, 1468 }, 1469 }, 1470 }, 1471 }, 1472 }, 1473 cidrsSets: map[string][]api.CIDR{ 1474 "cidr-group-1": {"1.1.1.1/32", "2.2.2.2/32"}, 1475 "cidr-group-2": {"3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32"}, 1476 "cidr-group-3": {}, 1477 "cidr-group-1-e": {"11.11.11.11/32", "12.12.12.12/32"}, 1478 "cidr-group-2-e": {"13.13.13.13/32", "14.14.14.14/32", "15.15.15.15/32"}, 1479 "cidr-group-3-e": {}, 1480 }, 1481 expected: &types.SlimCNP{ 1482 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1483 TypeMeta: metav1.TypeMeta{ 1484 APIVersion: "cilium.io/v2", 1485 Kind: "CiliumNetworkPolicy", 1486 }, 1487 ObjectMeta: metav1.ObjectMeta{ 1488 Name: "test-policy", 1489 Namespace: "test-namespace", 1490 }, 1491 Spec: &api.Rule{ 1492 Ingress: []api.IngressRule{ 1493 { 1494 IngressCommonRule: api.IngressCommonRule{ 1495 FromCIDRSet: api.CIDRRuleSlice{ 1496 { 1497 Cidr: "1.1.1.1/32", 1498 }, 1499 { 1500 Cidr: "2.2.2.2/32", 1501 }, 1502 }, 1503 }, 1504 }, 1505 }, 1506 Egress: []api.EgressRule{ 1507 { 1508 EgressCommonRule: api.EgressCommonRule{ 1509 ToCIDRSet: api.CIDRRuleSlice{ 1510 { 1511 Cidr: "11.11.11.11/32", 1512 }, 1513 { 1514 Cidr: "12.12.12.12/32", 1515 }, 1516 }, 1517 }, 1518 }, 1519 }, 1520 }, 1521 Specs: api.Rules{ 1522 { 1523 Ingress: []api.IngressRule{ 1524 { 1525 IngressCommonRule: api.IngressCommonRule{ 1526 FromCIDRSet: api.CIDRRuleSlice{ 1527 { 1528 Cidr: "3.3.3.3/32", 1529 }, 1530 { 1531 Cidr: "4.4.4.4/32", 1532 }, 1533 { 1534 Cidr: "5.5.5.5/32", 1535 }, 1536 }, 1537 }, 1538 }, 1539 { 1540 IngressCommonRule: api.IngressCommonRule{ 1541 FromCIDRSet: []api.CIDRRule{}, // Empty list, not nil! 1542 }, 1543 }, 1544 }, 1545 Egress: []api.EgressRule{ 1546 { 1547 EgressCommonRule: api.EgressCommonRule{ 1548 ToCIDRSet: api.CIDRRuleSlice{ 1549 { 1550 Cidr: "13.13.13.13/32", 1551 }, 1552 { 1553 Cidr: "14.14.14.14/32", 1554 }, 1555 { 1556 Cidr: "15.15.15.15/32", 1557 }, 1558 }, 1559 }, 1560 }, 1561 { 1562 EgressCommonRule: api.EgressCommonRule{ 1563 ToCIDRSet: []api.CIDRRule{}, // Empty list, not nil! 1564 }, 1565 }, 1566 }, 1567 }, 1568 }, 1569 }, 1570 }, 1571 }, 1572 { 1573 name: "with IngressDeny FromCidrSet rules", 1574 cnp: &types.SlimCNP{ 1575 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1576 TypeMeta: metav1.TypeMeta{ 1577 APIVersion: "cilium.io/v2", 1578 Kind: "CiliumNetworkPolicy", 1579 }, 1580 ObjectMeta: metav1.ObjectMeta{ 1581 Name: "test-policy", 1582 Namespace: "test-namespace", 1583 }, 1584 Spec: &api.Rule{ 1585 IngressDeny: []api.IngressDenyRule{ 1586 { 1587 IngressCommonRule: api.IngressCommonRule{ 1588 FromCIDRSet: api.CIDRRuleSlice{ 1589 { 1590 CIDRGroupRef: "cidr-group-1", 1591 }, 1592 }, 1593 }, 1594 }, 1595 }, 1596 }, 1597 Specs: api.Rules{ 1598 { 1599 IngressDeny: []api.IngressDenyRule{ 1600 { 1601 IngressCommonRule: api.IngressCommonRule{ 1602 FromCIDRSet: api.CIDRRuleSlice{ 1603 { 1604 CIDRGroupRef: "cidr-group-2", 1605 }, 1606 }, 1607 }, 1608 }, 1609 { 1610 IngressCommonRule: api.IngressCommonRule{ 1611 FromCIDRSet: api.CIDRRuleSlice{ 1612 { 1613 CIDRGroupRef: "cidr-group-3", 1614 }, 1615 }, 1616 }, 1617 }, 1618 }, 1619 }, 1620 }, 1621 }, 1622 }, 1623 cidrsSets: map[string][]api.CIDR{ 1624 "cidr-group-1": {"1.1.1.1/32", "2.2.2.2/32"}, 1625 "cidr-group-2": {"3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32"}, 1626 "cidr-group-3": {}, 1627 }, 1628 expected: &types.SlimCNP{ 1629 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1630 TypeMeta: metav1.TypeMeta{ 1631 APIVersion: "cilium.io/v2", 1632 Kind: "CiliumNetworkPolicy", 1633 }, 1634 ObjectMeta: metav1.ObjectMeta{ 1635 Name: "test-policy", 1636 Namespace: "test-namespace", 1637 }, 1638 Spec: &api.Rule{ 1639 IngressDeny: []api.IngressDenyRule{ 1640 { 1641 IngressCommonRule: api.IngressCommonRule{ 1642 FromCIDRSet: api.CIDRRuleSlice{ 1643 { 1644 Cidr: "1.1.1.1/32", 1645 }, 1646 { 1647 Cidr: "2.2.2.2/32", 1648 }, 1649 }, 1650 }, 1651 }, 1652 }, 1653 }, 1654 Specs: api.Rules{ 1655 { 1656 IngressDeny: []api.IngressDenyRule{ 1657 { 1658 IngressCommonRule: api.IngressCommonRule{ 1659 FromCIDRSet: api.CIDRRuleSlice{ 1660 { 1661 Cidr: "3.3.3.3/32", 1662 }, 1663 { 1664 Cidr: "4.4.4.4/32", 1665 }, 1666 { 1667 Cidr: "5.5.5.5/32", 1668 }, 1669 }, 1670 }, 1671 }, 1672 { 1673 IngressCommonRule: api.IngressCommonRule{ 1674 FromCIDRSet: []api.CIDRRule{}, // Empty list, not nil! 1675 }, 1676 }, 1677 }, 1678 }, 1679 }, 1680 }, 1681 }, 1682 }, 1683 { 1684 name: "with EgressDeny ToCidrSet rules", 1685 cnp: &types.SlimCNP{ 1686 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1687 TypeMeta: metav1.TypeMeta{ 1688 APIVersion: "cilium.io/v2", 1689 Kind: "CiliumNetworkPolicy", 1690 }, 1691 ObjectMeta: metav1.ObjectMeta{ 1692 Name: "test-policy", 1693 Namespace: "test-namespace", 1694 }, 1695 Spec: &api.Rule{ 1696 EgressDeny: []api.EgressDenyRule{ 1697 { 1698 EgressCommonRule: api.EgressCommonRule{ 1699 ToCIDRSet: api.CIDRRuleSlice{ 1700 { 1701 CIDRGroupRef: "cidr-group-1", 1702 }, 1703 }, 1704 }, 1705 }, 1706 }, 1707 }, 1708 Specs: api.Rules{ 1709 { 1710 EgressDeny: []api.EgressDenyRule{ 1711 { 1712 EgressCommonRule: api.EgressCommonRule{ 1713 ToCIDRSet: api.CIDRRuleSlice{ 1714 { 1715 CIDRGroupRef: "cidr-group-2", 1716 }, 1717 }, 1718 }, 1719 }, 1720 { 1721 EgressCommonRule: api.EgressCommonRule{ 1722 ToCIDRSet: api.CIDRRuleSlice{ 1723 { 1724 CIDRGroupRef: "cidr-group-3", 1725 }, 1726 }, 1727 }, 1728 }, 1729 }, 1730 }, 1731 }, 1732 }, 1733 }, 1734 cidrsSets: map[string][]api.CIDR{ 1735 "cidr-group-1": {"1.1.1.1/32", "2.2.2.2/32"}, 1736 "cidr-group-2": {"3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32"}, 1737 "cidr-group-3": {}, 1738 }, 1739 expected: &types.SlimCNP{ 1740 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1741 TypeMeta: metav1.TypeMeta{ 1742 APIVersion: "cilium.io/v2", 1743 Kind: "CiliumNetworkPolicy", 1744 }, 1745 ObjectMeta: metav1.ObjectMeta{ 1746 Name: "test-policy", 1747 Namespace: "test-namespace", 1748 }, 1749 Spec: &api.Rule{ 1750 EgressDeny: []api.EgressDenyRule{ 1751 { 1752 EgressCommonRule: api.EgressCommonRule{ 1753 ToCIDRSet: api.CIDRRuleSlice{ 1754 { 1755 Cidr: "1.1.1.1/32", 1756 }, 1757 { 1758 Cidr: "2.2.2.2/32", 1759 }, 1760 }, 1761 }, 1762 }, 1763 }, 1764 }, 1765 Specs: api.Rules{ 1766 { 1767 EgressDeny: []api.EgressDenyRule{ 1768 { 1769 EgressCommonRule: api.EgressCommonRule{ 1770 ToCIDRSet: api.CIDRRuleSlice{ 1771 { 1772 Cidr: "3.3.3.3/32", 1773 }, 1774 { 1775 Cidr: "4.4.4.4/32", 1776 }, 1777 { 1778 Cidr: "5.5.5.5/32", 1779 }, 1780 }, 1781 }, 1782 }, 1783 { 1784 EgressCommonRule: api.EgressCommonRule{ 1785 ToCIDRSet: []api.CIDRRule{}, // Empty list, not nil! 1786 }, 1787 }, 1788 }, 1789 }, 1790 }, 1791 }, 1792 }, 1793 }, 1794 { 1795 name: "with mixed FromCidrSet and ToCIDRSet rules", 1796 cnp: &types.SlimCNP{ 1797 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1798 TypeMeta: metav1.TypeMeta{ 1799 APIVersion: "cilium.io/v2", 1800 Kind: "CiliumNetworkPolicy", 1801 }, 1802 ObjectMeta: metav1.ObjectMeta{ 1803 Name: "test-policy", 1804 Namespace: "test-namespace", 1805 }, 1806 Spec: &api.Rule{ 1807 Ingress: []api.IngressRule{ 1808 { 1809 IngressCommonRule: api.IngressCommonRule{ 1810 FromCIDRSet: api.CIDRRuleSlice{ 1811 { 1812 CIDRGroupRef: "cidr-group-1", 1813 }, 1814 { 1815 Cidr: "1.1.1.1/32", 1816 }, 1817 { 1818 CIDRGroupRef: "cidr-group-2", 1819 }, 1820 { 1821 Cidr: "2.2.2.2/32", 1822 }, 1823 { 1824 Cidr: "3.3.3.3/32", 1825 }, 1826 }, 1827 }, 1828 }, 1829 }, 1830 Egress: []api.EgressRule{ 1831 { 1832 EgressCommonRule: api.EgressCommonRule{ 1833 ToCIDRSet: api.CIDRRuleSlice{ 1834 { 1835 CIDRGroupRef: "cidr-group-1-e", 1836 }, 1837 { 1838 Cidr: "11.11.11.11/32", 1839 }, 1840 { 1841 CIDRGroupRef: "cidr-group-2-e", 1842 }, 1843 { 1844 Cidr: "12.12.12.12/32", 1845 }, 1846 { 1847 Cidr: "13.13.13.13/32", 1848 }, 1849 }, 1850 }, 1851 }, 1852 }, 1853 }, 1854 Specs: api.Rules{ 1855 { 1856 Ingress: []api.IngressRule{ 1857 { 1858 IngressCommonRule: api.IngressCommonRule{ 1859 FromCIDRSet: api.CIDRRuleSlice{ 1860 { 1861 CIDRGroupRef: "cidr-group-3", 1862 }, 1863 { 1864 Cidr: "4.4.4.4/32", 1865 }, 1866 }, 1867 }, 1868 }, 1869 }, 1870 }, 1871 { 1872 Ingress: []api.IngressRule{ 1873 { 1874 IngressCommonRule: api.IngressCommonRule{ 1875 FromCIDRSet: api.CIDRRuleSlice{ 1876 { 1877 CIDRGroupRef: "cidr-group-4", 1878 }, 1879 { 1880 CIDRGroupRef: "cidr-group-5", 1881 }, 1882 { 1883 Cidr: "5.5.5.5/32", 1884 }, 1885 }, 1886 }, 1887 }, 1888 }, 1889 }, 1890 { 1891 Egress: []api.EgressRule{ 1892 { 1893 EgressCommonRule: api.EgressCommonRule{ 1894 ToCIDRSet: api.CIDRRuleSlice{ 1895 { 1896 CIDRGroupRef: "cidr-group-3-e", 1897 }, 1898 { 1899 Cidr: "14.14.14.14/32", 1900 }, 1901 }, 1902 }, 1903 }, 1904 }, 1905 }, 1906 { 1907 Egress: []api.EgressRule{ 1908 { 1909 EgressCommonRule: api.EgressCommonRule{ 1910 ToCIDRSet: api.CIDRRuleSlice{ 1911 { 1912 CIDRGroupRef: "cidr-group-4-e", 1913 }, 1914 { 1915 CIDRGroupRef: "cidr-group-5-e", 1916 }, 1917 { 1918 Cidr: "15.15.15.15/32", 1919 }, 1920 }, 1921 }, 1922 }, 1923 }, 1924 }, 1925 }, 1926 }, 1927 }, 1928 cidrsSets: map[string][]api.CIDR{ 1929 "cidr-group-1": {"6.6.6.6/32", "7.7.7.7/32"}, 1930 "cidr-group-2": {"8.8.8.8/32"}, 1931 "cidr-group-3": {"9.9.9.9/32", "10.10.10.10/32"}, 1932 "cidr-group-4": {}, 1933 "cidr-group-5": {"11.11.11.11/32", "12.12.12.12/32"}, 1934 "cidr-group-1-e": {"16.16.16.16/32", "17.17.17.17/32"}, 1935 "cidr-group-2-e": {"18.18.18.18/32"}, 1936 "cidr-group-3-e": {"19.19.19.19/32", "110.110.110.110/32"}, 1937 "cidr-group-4-e": {}, 1938 "cidr-group-5-e": {"111.111.111.111/32", "112.112.112.112/32"}, 1939 }, 1940 expected: &types.SlimCNP{ 1941 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 1942 TypeMeta: metav1.TypeMeta{ 1943 APIVersion: "cilium.io/v2", 1944 Kind: "CiliumNetworkPolicy", 1945 }, 1946 ObjectMeta: metav1.ObjectMeta{ 1947 Name: "test-policy", 1948 Namespace: "test-namespace", 1949 }, 1950 Spec: &api.Rule{ 1951 Ingress: []api.IngressRule{ 1952 { 1953 IngressCommonRule: api.IngressCommonRule{ 1954 FromCIDRSet: api.CIDRRuleSlice{ 1955 { 1956 Cidr: "1.1.1.1/32", 1957 }, 1958 { 1959 Cidr: "2.2.2.2/32", 1960 }, 1961 { 1962 Cidr: "3.3.3.3/32", 1963 }, 1964 { 1965 Cidr: "6.6.6.6/32", 1966 }, 1967 { 1968 Cidr: "7.7.7.7/32", 1969 }, 1970 { 1971 Cidr: "8.8.8.8/32", 1972 }, 1973 }, 1974 }, 1975 }, 1976 }, 1977 Egress: []api.EgressRule{ 1978 { 1979 EgressCommonRule: api.EgressCommonRule{ 1980 ToCIDRSet: api.CIDRRuleSlice{ 1981 { 1982 Cidr: "11.11.11.11/32", 1983 }, 1984 { 1985 Cidr: "12.12.12.12/32", 1986 }, 1987 { 1988 Cidr: "13.13.13.13/32", 1989 }, 1990 { 1991 Cidr: "16.16.16.16/32", 1992 }, 1993 { 1994 Cidr: "17.17.17.17/32", 1995 }, 1996 { 1997 Cidr: "18.18.18.18/32", 1998 }, 1999 }, 2000 }, 2001 }, 2002 }, 2003 }, 2004 Specs: api.Rules{ 2005 { 2006 Ingress: []api.IngressRule{ 2007 { 2008 IngressCommonRule: api.IngressCommonRule{ 2009 FromCIDRSet: api.CIDRRuleSlice{ 2010 { 2011 Cidr: "4.4.4.4/32", 2012 }, 2013 { 2014 Cidr: "9.9.9.9/32", 2015 }, 2016 { 2017 Cidr: "10.10.10.10/32", 2018 }, 2019 }, 2020 }, 2021 }, 2022 }, 2023 }, 2024 { 2025 Ingress: []api.IngressRule{ 2026 { 2027 IngressCommonRule: api.IngressCommonRule{ 2028 FromCIDRSet: api.CIDRRuleSlice{ 2029 { 2030 Cidr: "5.5.5.5/32", 2031 }, 2032 { 2033 Cidr: "11.11.11.11/32", 2034 }, 2035 { 2036 Cidr: "12.12.12.12/32", 2037 }, 2038 }, 2039 }, 2040 }, 2041 }, 2042 }, 2043 { 2044 Egress: []api.EgressRule{ 2045 { 2046 EgressCommonRule: api.EgressCommonRule{ 2047 ToCIDRSet: api.CIDRRuleSlice{ 2048 { 2049 Cidr: "14.14.14.14/32", 2050 }, 2051 { 2052 Cidr: "19.19.19.19/32", 2053 }, 2054 { 2055 Cidr: "110.110.110.110/32", 2056 }, 2057 }, 2058 }, 2059 }, 2060 }, 2061 }, 2062 { 2063 Egress: []api.EgressRule{ 2064 { 2065 EgressCommonRule: api.EgressCommonRule{ 2066 ToCIDRSet: api.CIDRRuleSlice{ 2067 { 2068 Cidr: "15.15.15.15/32", 2069 }, 2070 { 2071 Cidr: "111.111.111.111/32", 2072 }, 2073 { 2074 Cidr: "112.112.112.112/32", 2075 }, 2076 }, 2077 }, 2078 }, 2079 }, 2080 }, 2081 }, 2082 }, 2083 }, 2084 }, 2085 { 2086 name: "with mixed IngressDeny FromCidrSet rules", 2087 cnp: &types.SlimCNP{ 2088 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2089 TypeMeta: metav1.TypeMeta{ 2090 APIVersion: "cilium.io/v2", 2091 Kind: "CiliumNetworkPolicy", 2092 }, 2093 ObjectMeta: metav1.ObjectMeta{ 2094 Name: "test-policy", 2095 Namespace: "test-namespace", 2096 }, 2097 Spec: &api.Rule{ 2098 IngressDeny: []api.IngressDenyRule{ 2099 { 2100 IngressCommonRule: api.IngressCommonRule{ 2101 FromCIDRSet: api.CIDRRuleSlice{ 2102 { 2103 CIDRGroupRef: "cidr-group-1", 2104 }, 2105 { 2106 Cidr: "1.1.1.1/32", 2107 }, 2108 { 2109 CIDRGroupRef: "cidr-group-2", 2110 }, 2111 { 2112 Cidr: "2.2.2.2/32", 2113 }, 2114 { 2115 Cidr: "3.3.3.3/32", 2116 }, 2117 }, 2118 }, 2119 }, 2120 }, 2121 }, 2122 Specs: api.Rules{ 2123 { 2124 IngressDeny: []api.IngressDenyRule{ 2125 { 2126 IngressCommonRule: api.IngressCommonRule{ 2127 FromCIDRSet: api.CIDRRuleSlice{ 2128 { 2129 CIDRGroupRef: "cidr-group-3", 2130 }, 2131 { 2132 Cidr: "4.4.4.4/32", 2133 }, 2134 }, 2135 }, 2136 }, 2137 }, 2138 }, 2139 { 2140 IngressDeny: []api.IngressDenyRule{ 2141 { 2142 IngressCommonRule: api.IngressCommonRule{ 2143 FromCIDRSet: api.CIDRRuleSlice{ 2144 { 2145 CIDRGroupRef: "cidr-group-4", 2146 }, 2147 { 2148 CIDRGroupRef: "cidr-group-5", 2149 }, 2150 { 2151 Cidr: "5.5.5.5/32", 2152 }, 2153 }, 2154 }, 2155 }, 2156 }, 2157 }, 2158 }, 2159 }, 2160 }, 2161 cidrsSets: map[string][]api.CIDR{ 2162 "cidr-group-1": {"6.6.6.6/32", "7.7.7.7/32"}, 2163 "cidr-group-2": {"8.8.8.8/32"}, 2164 "cidr-group-3": {"9.9.9.9/32", "10.10.10.10/32"}, 2165 "cidr-group-4": {}, 2166 "cidr-group-5": {"11.11.11.11/32", "12.12.12.12/32"}, 2167 }, 2168 expected: &types.SlimCNP{ 2169 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2170 TypeMeta: metav1.TypeMeta{ 2171 APIVersion: "cilium.io/v2", 2172 Kind: "CiliumNetworkPolicy", 2173 }, 2174 ObjectMeta: metav1.ObjectMeta{ 2175 Name: "test-policy", 2176 Namespace: "test-namespace", 2177 }, 2178 Spec: &api.Rule{ 2179 IngressDeny: []api.IngressDenyRule{ 2180 { 2181 IngressCommonRule: api.IngressCommonRule{ 2182 FromCIDRSet: api.CIDRRuleSlice{ 2183 { 2184 Cidr: "1.1.1.1/32", 2185 }, 2186 { 2187 Cidr: "2.2.2.2/32", 2188 }, 2189 { 2190 Cidr: "3.3.3.3/32", 2191 }, 2192 { 2193 Cidr: "6.6.6.6/32", 2194 }, 2195 { 2196 Cidr: "7.7.7.7/32", 2197 }, 2198 { 2199 Cidr: "8.8.8.8/32", 2200 }, 2201 }, 2202 }, 2203 }, 2204 }, 2205 }, 2206 Specs: api.Rules{ 2207 { 2208 IngressDeny: []api.IngressDenyRule{ 2209 { 2210 IngressCommonRule: api.IngressCommonRule{ 2211 FromCIDRSet: api.CIDRRuleSlice{ 2212 { 2213 Cidr: "4.4.4.4/32", 2214 }, 2215 { 2216 Cidr: "9.9.9.9/32", 2217 }, 2218 { 2219 Cidr: "10.10.10.10/32", 2220 }, 2221 }, 2222 }, 2223 }, 2224 }, 2225 }, 2226 { 2227 IngressDeny: []api.IngressDenyRule{ 2228 { 2229 IngressCommonRule: api.IngressCommonRule{ 2230 FromCIDRSet: api.CIDRRuleSlice{ 2231 { 2232 Cidr: "5.5.5.5/32", 2233 }, 2234 { 2235 Cidr: "11.11.11.11/32", 2236 }, 2237 { 2238 Cidr: "12.12.12.12/32", 2239 }, 2240 }, 2241 }, 2242 }, 2243 }, 2244 }, 2245 }, 2246 }, 2247 }, 2248 }, 2249 { 2250 name: "with Ingress CIDRGroupRef and ExceptCIDRs rules", 2251 cnp: &types.SlimCNP{ 2252 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2253 TypeMeta: metav1.TypeMeta{ 2254 APIVersion: "cilium.io/v2", 2255 Kind: "CiliumNetworkPolicy", 2256 }, 2257 ObjectMeta: metav1.ObjectMeta{ 2258 Name: "test-policy", 2259 Namespace: "test-namespace", 2260 }, 2261 Spec: &api.Rule{ 2262 Ingress: []api.IngressRule{ 2263 { 2264 IngressCommonRule: api.IngressCommonRule{ 2265 FromCIDRSet: api.CIDRRuleSlice{ 2266 { 2267 CIDRGroupRef: "cidr-group-1", 2268 ExceptCIDRs: []api.CIDR{"10.96.0.0/12", "10.112.0.0/12"}, 2269 }, 2270 }, 2271 }, 2272 }, 2273 }, 2274 Egress: []api.EgressRule{ 2275 { 2276 EgressCommonRule: api.EgressCommonRule{ 2277 ToCIDRSet: api.CIDRRuleSlice{ 2278 { 2279 CIDRGroupRef: "cidr-group-1-e", 2280 ExceptCIDRs: []api.CIDR{"110.96.0.0/12", "110.112.0.0/12"}, 2281 }, 2282 }, 2283 }, 2284 }, 2285 }, 2286 }, 2287 }, 2288 }, 2289 cidrsSets: map[string][]api.CIDR{ 2290 "cidr-group-1": {"10.0.0.0/8"}, 2291 "cidr-group-1-e": {"110.0.0.0/8"}, 2292 }, 2293 expected: &types.SlimCNP{ 2294 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2295 TypeMeta: metav1.TypeMeta{ 2296 APIVersion: "cilium.io/v2", 2297 Kind: "CiliumNetworkPolicy", 2298 }, 2299 ObjectMeta: metav1.ObjectMeta{ 2300 Name: "test-policy", 2301 Namespace: "test-namespace", 2302 }, 2303 Spec: &api.Rule{ 2304 Ingress: []api.IngressRule{ 2305 { 2306 IngressCommonRule: api.IngressCommonRule{ 2307 FromCIDRSet: api.CIDRRuleSlice{ 2308 { 2309 Cidr: "10.0.0.0/8", 2310 ExceptCIDRs: []api.CIDR{"10.96.0.0/12", "10.112.0.0/12"}, 2311 }, 2312 }, 2313 }, 2314 }, 2315 }, 2316 Egress: []api.EgressRule{ 2317 { 2318 EgressCommonRule: api.EgressCommonRule{ 2319 ToCIDRSet: api.CIDRRuleSlice{ 2320 { 2321 Cidr: "110.0.0.0/8", 2322 ExceptCIDRs: []api.CIDR{"110.96.0.0/12", "110.112.0.0/12"}, 2323 }, 2324 }, 2325 }, 2326 }, 2327 }, 2328 }, 2329 }, 2330 }, 2331 }, 2332 { 2333 name: "with IngressDeny CIDRGroupRef and ExceptCIDRs rules", 2334 cnp: &types.SlimCNP{ 2335 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2336 TypeMeta: metav1.TypeMeta{ 2337 APIVersion: "cilium.io/v2", 2338 Kind: "CiliumNetworkPolicy", 2339 }, 2340 ObjectMeta: metav1.ObjectMeta{ 2341 Name: "test-policy", 2342 Namespace: "test-namespace", 2343 }, 2344 Spec: &api.Rule{ 2345 IngressDeny: []api.IngressDenyRule{ 2346 { 2347 IngressCommonRule: api.IngressCommonRule{ 2348 FromCIDRSet: api.CIDRRuleSlice{ 2349 { 2350 CIDRGroupRef: "cidr-group-1", 2351 ExceptCIDRs: []api.CIDR{"10.96.0.0/12", "10.112.0.0/12"}, 2352 }, 2353 }, 2354 }, 2355 }, 2356 }, 2357 }, 2358 }, 2359 }, 2360 cidrsSets: map[string][]api.CIDR{ 2361 "cidr-group-1": {"10.0.0.0/8"}, 2362 }, 2363 expected: &types.SlimCNP{ 2364 CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{ 2365 TypeMeta: metav1.TypeMeta{ 2366 APIVersion: "cilium.io/v2", 2367 Kind: "CiliumNetworkPolicy", 2368 }, 2369 ObjectMeta: metav1.ObjectMeta{ 2370 Name: "test-policy", 2371 Namespace: "test-namespace", 2372 }, 2373 Spec: &api.Rule{ 2374 IngressDeny: []api.IngressDenyRule{ 2375 { 2376 IngressCommonRule: api.IngressCommonRule{ 2377 FromCIDRSet: api.CIDRRuleSlice{ 2378 { 2379 Cidr: "10.0.0.0/8", 2380 ExceptCIDRs: []api.CIDR{"10.96.0.0/12", "10.112.0.0/12"}, 2381 }, 2382 }, 2383 }, 2384 }, 2385 }, 2386 }, 2387 }, 2388 }, 2389 }, 2390 } 2391 2392 for _, tc := range testCases { 2393 t.Run(tc.name, func(t *testing.T) { 2394 translateCIDRGroupRefs(tc.cnp, tc.cidrsSets) 2395 if !reflect.DeepEqual(tc.cnp, tc.expected) { 2396 t.Fatalf("expected translated cnp to be\n%v\n, got\n%v\n", tc.expected, tc.cnp) 2397 } 2398 }) 2399 } 2400 }