github.com/cilium/cilium@v1.16.2/pkg/policy/k8s/cilium_network_policy_test.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package k8s
     5  
     6  import (
     7  	"testing"
     8  
     9  	"github.com/sirupsen/logrus"
    10  	"github.com/stretchr/testify/assert"
    11  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    12  
    13  	"github.com/cilium/cilium/pkg/k8s"
    14  	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    15  	"github.com/cilium/cilium/pkg/k8s/resource"
    16  	k8sSynced "github.com/cilium/cilium/pkg/k8s/synced"
    17  	"github.com/cilium/cilium/pkg/k8s/types"
    18  	"github.com/cilium/cilium/pkg/option"
    19  	"github.com/cilium/cilium/pkg/policy"
    20  	"github.com/cilium/cilium/pkg/policy/api"
    21  )
    22  
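// Test_GH33432 is a regression test for GH-33432. It upserts a
// CiliumNetworkPolicy whose egress rule has a nil ToEndpoints slice, then
// upserts a copy in which ToEndpoints is an empty, non-nil slice, and checks
// that the second upsert still reaches the policy manager with that
// distinction intact.
//
// NOTE(review): nil and empty ToEndpoints presumably select differently once
// the rule is enforced, so a dropped update would leave the enforced policy
// out of step with the CNP spec — confirm against pkg/policy/api.
func Test_GH33432(t *testing.T) {
	// Capacity 1 lets the fake PolicyAdd hand over the rules without waiting
	// for the receive further down.
	policyAdd := make(chan api.Rules, 1)
	policyManager := &fakePolicyManager{
		OnPolicyAdd: func(rules api.Rules, opts *policy.AddOptions) (newRev uint64, err error) {
			policyAdd <- rules
			return 0, nil
		},
	}

	cnp := &types.SlimCNP{
		CiliumNetworkPolicy: &cilium_v2.CiliumNetworkPolicy{
			TypeMeta: metav1.TypeMeta{
				APIVersion: "cilium.io/v2",
				Kind:       "CiliumNetworkPolicy",
			},
			ObjectMeta: metav1.ObjectMeta{
				Name:      "cnp-gh-33432",
				Namespace: "test",
			},
			Spec: &api.Rule{
				EndpointSelector: api.NewESFromLabels(),
				Egress: []api.EgressRule{
					{
						EgressCommonRule: api.EgressCommonRule{
							ToCIDR:      []api.CIDR{"1.1.1.1/32"},
							ToEndpoints: nil, // initially ToEndpoints is a nil slice
						},
						ToPorts: []api.PortRule{{
							Ports: []api.PortProtocol{
								{Port: "80", Protocol: api.ProtoTCP},
							},
						}},
					},
				},
			},
		},
	}
	cnpKey := resource.NewKey(cnp)
	cnpResourceID := resourceIDForCiliumNetworkPolicy(cnpKey, cnp)

	logger := logrus.New()
	logger.SetLevel(logrus.DebugLevel)

	p := &policyWatcher{
		log:                logrus.NewEntry(logger),
		config:             &option.DaemonConfig{},
		k8sResourceSynced:  &k8sSynced.Resources{CacheStatus: make(k8sSynced.CacheStatus)},
		k8sAPIGroups:       &k8sSynced.APIGroups{},
		policyManager:      policyManager,
		svcCache:           fakeServiceCache{},
		cnpCache:           map[resource.Key]*types.SlimCNP{},
		toServicesPolicies: map[resource.Key]struct{}{},
		cnpByServiceID:     map[k8s.ServiceID]map[resource.Key]struct{}{},
	}

	// receiveToEndpoints takes the rules of the next PolicyAdd call off the
	// channel, checks the parts both upserts must agree on (one rule, one
	// egress entry, the CIDR and the TCP/80 port) and returns the ToEndpoints
	// slice so the caller can check its nil-ness. It stops the test as soon as
	// a length check fails, because the indexing that follows would panic.
	receiveToEndpoints := func() []api.EndpointSelector {
		rules := <-policyAdd
		if !assert.Len(t, rules, 1) {
			t.FailNow()
		}
		if !assert.Len(t, rules[0].Egress, 1) {
			t.FailNow()
		}
		egress := &rules[0].Egress[0]
		assert.Equal(t, api.CIDRSlice{"1.1.1.1/32"}, egress.EgressCommonRule.ToCIDR)
		if assert.Len(t, egress.ToPorts, 1) {
			assert.Len(t, egress.ToPorts[0].Ports, 1)
			assert.Equal(t, []api.PortProtocol{{Port: "80", Protocol: api.ProtoTCP}}, egress.ToPorts[0].Ports)
		}
		return egress.EgressCommonRule.ToEndpoints
	}

	err := p.onUpsert(cnp, cnpKey, k8sAPIGroupCiliumNetworkPolicyV2, cnpResourceID)
	if !assert.NoError(t, err) {
		// A failed upsert may never call PolicyAdd; stop here instead of
		// blocking on the channel until the test binary times out.
		t.FailNow()
	}

	// added rules should have a nil ToEndpoints slice
	assert.Nil(t, receiveToEndpoints())

	updCNP := cnp.DeepCopy()
	updCNP.Generation++

	// update ToEndpoints with an empty non-nil slice
	updCNP.Spec.Egress[0].ToEndpoints = []api.EndpointSelector{}

	updCNPKey := resource.NewKey(updCNP)
	updCNPResourceID := resourceIDForCiliumNetworkPolicy(updCNPKey, updCNP)

	err = p.onUpsert(updCNP, updCNPKey, k8sAPIGroupCiliumNetworkPolicyV2, updCNPResourceID)
	if !assert.NoError(t, err) {
		// Same reasoning as for the first upsert: do not wait for rules that
		// may never arrive.
		t.FailNow()
	}

	// policy update should be propagated and the new rules should be the same
	// except for the empty non-nil ToEndpoints slice
	toEndpoints := receiveToEndpoints()
	assert.NotNil(t, toEndpoints)
	assert.Empty(t, toEndpoints)
}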