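// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

// Listing of github.com/cilium/cilium@v1.16.2/pkg/policy/k8s/cilium_network_policy_test.go

package k8s

import (
	"testing"
	"time"

	"github.com/sirupsen/logrus"
	"github.com/stretchr/testify/assert"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"github.com/cilium/cilium/pkg/k8s"
	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
	"github.com/cilium/cilium/pkg/k8s/resource"
	k8sSynced "github.com/cilium/cilium/pkg/k8s/synced"
	"github.com/cilium/cilium/pkg/k8s/types"
	"github.com/cilium/cilium/pkg/option"
	"github.com/cilium/cilium/pkg/policy"
	"github.com/cilium/cilium/pkg/policy/api"
)

// Test_GH33432 checks that a CiliumNetworkPolicy update whose only spec change
// is ToEndpoints going from a nil slice to an empty non-nil slice still reaches
// the policy manager, and that the rule handed over keeps that distinction.
//
// The name presumably refers to GitHub issue 33432 (not visible from this
// file). Why it matters for enforcement: nil and empty slices are easy to treat
// as equal when comparing specs, and a watcher that did so would skip the
// update and leave the previously imported rule in force.
func Test_GH33432(t *testing.T) {
	// Upper bound on waiting for the fake policy manager to be called. Without
	// it, the failure this test exists to catch (update not propagated) would
	// show up as a hang until the go test timeout instead of a clear failure.
	const policyAddTimeout = 5 * time.Second

	// Capacity 1 lets OnPolicyAdd hand over the rules without a receiver
	// already waiting on the channel.
	policyAdd := make(chan api.Rules, 1)
	policyManager := &fakePolicyManager{
		OnPolicyAdd: func(rules api.Rules, opts *policy.AddOptions) (newRev uint64, err error) {
			policyAdd <- rules
			return 0, nil
		},
	}

	// must aborts the test when a precondition assertion has failed, so later
	// statements never index into a slice of unexpected length.
	must := func(ok bool) {
		if !ok {
			t.FailNow()
		}
	}

	// awaitRules returns the rules of the next PolicyAdd call, failing the test
	// if none arrives within policyAddTimeout.
	awaitRules := func(stage string) api.Rules {
		select {
		case rules := <-policyAdd:
			return rules
		case <-time.After(policyAddTimeout):
			t.Fatalf("no PolicyAdd call observed after %s upsert", stage)
			return nil
		}
	}

	// checkUnchangedFields verifies the parts of the rule that must be
	// identical before and after the update: one egress rule to 1.1.1.1/32 on
	// TCP port 80.
	checkUnchangedFields := func(rules api.Rules) {
		must(assert.Len(t, rules, 1))
		must(assert.Len(t, rules[0].Egress, 1))
		egress := &rules[0].Egress[0]
		assert.Equal(t, api.CIDRSlice{"1.1.1.1/32"}, egress.EgressCommonRule.ToCIDR)
		must(assert.Len(t, egress.ToPorts, 1))
		assert.Len(t, egress.ToPorts[0].Ports, 1)
		assert.Equal(t, []api.PortProtocol{{Port: "80", Protocol: api.ProtoTCP}}, egress.ToPorts[0].Ports)
	}

	cnp := &types.SlimCNP{
		CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{
			TypeMeta: metav1.TypeMeta{
				APIVersion: "cilium.io/v2",
				Kind:       "CiliumNetworkPolicy",
			},
			ObjectMeta: metav1.ObjectMeta{
				Name:      "cnp-gh-33432",
				Namespace: "test",
			},
			Spec: &api.Rule{
				EndpointSelector: api.NewESFromLabels(),
				Egress: []api.EgressRule{
					{
						EgressCommonRule: api.EgressCommonRule{
							ToCIDR:      []api.CIDR{"1.1.1.1/32"},
							ToEndpoints: nil, // initially ToEndpoints is a nil slice
						},
						ToPorts: []api.PortRule{{
							Ports: []api.PortProtocol{
								{Port: "80", Protocol: api.ProtoTCP},
							},
						}},
					},
				},
			},
		},
	}
	cnpKey := resource.NewKey(cnp)
	cnpResourceID := resourceIDForCiliumNetworkPolicy(cnpKey, cnp)

	logger := logrus.New()
	logger.SetLevel(logrus.DebugLevel)

	// Watcher wired with fakes and empty caches; only the policy manager
	// callback is observed by this test.
	p := &policyWatcher{
		log:                logrus.NewEntry(logger),
		config:             &option.DaemonConfig{},
		k8sResourceSynced:  &k8sSynced.Resources{CacheStatus: make(k8sSynced.CacheStatus)},
		k8sAPIGroups:       &k8sSynced.APIGroups{},
		policyManager:      policyManager,
		svcCache:           fakeServiceCache{},
		cnpCache:           map[resource.Key]*types.SlimCNP{},
		toServicesPolicies: map[resource.Key]struct{}{},
		cnpByServiceID:     map[k8s.ServiceID]map[resource.Key]struct{}{},
	}

	err := p.onUpsert(cnp, cnpKey, k8sAPIGroupCiliumNetworkPolicyV2, cnpResourceID)
	must(assert.NoError(t, err))

	// added rules should have a nil ToEndpoints slice
	rules := awaitRules("initial")
	checkUnchangedFields(rules)
	assert.Nil(t, rules[0].Egress[0].EgressCommonRule.ToEndpoints)

	updCNP := cnp.DeepCopy()
	updCNP.Generation++

	// update ToEndpoints with an empty non-nil slice
	updCNP.Spec.Egress[0].ToEndpoints = []api.EndpointSelector{}

	updCNPKey := resource.NewKey(updCNP)
	updCNPResourceID := resourceIDForCiliumNetworkPolicy(updCNPKey, updCNP)

	err = p.onUpsert(updCNP, updCNPKey, k8sAPIGroupCiliumNetworkPolicyV2, updCNPResourceID)
	must(assert.NoError(t, err))

	// policy update should be propagated and the new rules should be the same
	// except for the empty non-nil ToEndpoints slice
	rules = awaitRules("updated")
	checkUnchangedFields(rules)
	assert.NotNil(t, rules[0].Egress[0].EgressCommonRule.ToEndpoints)
	assert.Len(t, rules[0].Egress[0].EgressCommonRule.ToEndpoints, 0)
}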