Add integration tests #406

Open: wants to merge 2 commits into base: main

Conversation

Pavani-Panakanti (Contributor)

Issue #, if available:
Add integration tests for the changes in this PR #344

Description of changes:

Before fix

IPBlock Except Test Cases Test CIDR and Except overlap: /16 allow on 3306 + catch-all except /16 should allow on /16 and 3006 port, deny on rest /16 ports, allow all on rest of endpoints
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/except_block_test.go:140
  STEP: Deploying a sample TCP server on ports 3306 & 3307 @ 05/10/25 20:54:08.585
Applied NetworkPolicy YAML:
metadata:
  creationTimestamp: null
  name: egress-policy
  namespace: client
spec:
  egress:
  - ports:
    - port: 3306
      protocol: TCP
    to:
    - ipBlock:
        cidr: 192.168.0.0/16
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
  podSelector:
    matchLabels:
      app: ipblock-client
  policyTypes:
  - Egress

  [FAILED] in [It] - /workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/except_block_test.go:149 @ 05/10/25 20:54:42.726
• [FAILED] [60.217 seconds]
IPBlock Except Test Cases Test CIDR and Except overlap: /16 allow on 3306 + catch-all except /16 [It] should allow on /16 and 3006 port, deny on rest /16 ports, allow all on rest of endpoints
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/except_block_test.go:140

  [FAILED] Expected success, but got an error:
      <*errors.errorString | 0xc000124c10>: 
      Expected deny to server on port 3307 but got allow
      {
          s: "Expected deny to server on port 3307 but got allow",
      }
  In [It] at: /workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/except_block_test.go:149 @ 05/10/25 20:54:42.726
------------------------------
[AfterSuite] 
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/policy_suite_test.go:31
[AfterSuite] PASSED [6.022 seconds]
------------------------------

After the fix

IPBlock Except Test Cases CIDR and Except overlap: /16 allow on 3306 + catch-all except /16 should allow on /16 and 3006 port, deny on rest /16 ports, allow all on rest of endpoints
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/except_block_test.go:143
  STEP: Deploying a sample TCP server on ports 3306 & 3307 @ 05/10/25 23:56:24.898
  STEP: Applying network policy with /16 allow and except rule @ 05/10/25 23:56:27.139
Applied NetworkPolicy YAML:
metadata:
  creationTimestamp: null
  name: egress-policy
  namespace: client
spec:
  egress:
  - ports:
    - port: 3306
      protocol: TCP
    to:
    - ipBlock:
        cidr: 192.168.0.0/16
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.0.0/16
  podSelector:
    matchLabels:
      app: ipblock-client
  policyTypes:
  - Egress

Creating client pod ipblock-client in namespace client
• [74.401 seconds]
------------------------------
Network Policy Test Cases A network policy is applied against a pod with '.' in its pod name should be successfully applied and removed from the pod
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/policy_test.go:53
  STEP: Creating a network policy that denies all egress traffic @ 05/10/25 23:57:39.299
  STEP: Creating a pod which tries to reach external network @ 05/10/25 23:57:39.31
  STEP: Verifying that the pod is unable to make an egress connection @ 05/10/25 23:57:41.378
  STEP: Removing the network policy @ 05/10/25 23:58:41.408
  STEP: Verifying that the pod is once again able to make an egress connection @ 05/10/25 23:58:41.429
• [134.180 seconds]
------------------------------
[AfterSuite] 
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/policy_suite_test.go:31
[AfterSuite] PASSED [12.017 seconds]
------------------------------

Ran 4 of 4 Specs in 507.682 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS
Ebpf prog protocol and port evaluation test should allow traffic to both ports when policy uses ANY protocol and ANY port
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/ebpf_test.go:90
  STEP: Deploying a server listening on two ports @ 05/11/25 01:10:13.83
Applied NetworkPolicy YAML:
metadata:
  creationTimestamp: null
  name: any-port-protocol-allow
  namespace: policy
spec:
  egress:
  - ports:
    - {}
    to:
    - ipBlock:
        cidr: 192.168.50.168/32
  podSelector:
    matchLabels:
      app: client-pod
  policyTypes:
  - Egress

DEBUG: Client pod logs:
OPEN-8080
OPEN-9090

• [104.283 seconds]
------------------------------
Ebpf prog protocol and port evaluation test should allow on portA and deny on portB when policy allows only portA and ANY protocol
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/ebpf_test.go:115
  STEP: Deploying a server listening on two ports @ 05/11/25 01:11:58.113
Applied NetworkPolicy YAML:
metadata:
  creationTimestamp: null
  name: single-port-allow
  namespace: policy
spec:
  egress:
  - ports:
    - port: 8080
    to:
    - ipBlock:
        cidr: 192.168.38.61/32
  podSelector:
    matchLabels:
      app: client-pod
  policyTypes:
  - Egress

• [90.180 seconds]
------------------------------
[AfterSuite] 
/workplace/pavanipt/aws-network-policy-agent/aws-network-policy-agent/test/integration/policy/policy_suite_test.go:31
[AfterSuite] PASSED [6.019 seconds]
------------------------------

Ran 2 of 2 Specs in 201.102 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS

Ginkgo ran 1 suite in 3m21.119055487s
Test Suite Passed

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
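The expectations behind the two test runs above (the /16 allow on TCP 3306 plus a catch-all except /16, and the `ports: [{}]` any-port case) can be checked against a small model of NetworkPolicy egress evaluation. The following is an added Go example, not code from this PR or from aws-network-policy-agent, and the eBPF datapath is not involved: it only models the API semantics that the integration tests assert. Types, function names and sample destination addresses are constructed for illustration. One assumption to note: the model treats an unset protocol as "any protocol", matching the test title, whereas the upstream NetworkPolicyPort API defaults an unset protocol to TCP.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPBlock mirrors networking.k8s.io/v1 IPBlock: a CIDR with optional carve-outs.
type IPBlock struct {
	CIDR   string
	Except []string
}

// Port mirrors one NetworkPolicyPort entry. The zero value ({} in YAML) is
// taken here to match any port and any protocol (assumption, see lead-in).
type Port struct {
	Port     int    // 0 = any port
	Protocol string // "" = any protocol
}

// EgressRule is one entry of spec.egress. An empty Ports list means all
// ports; an empty To list means all destinations.
type EgressRule struct {
	Ports []Port
	To    []IPBlock
}

// contains reports whether ip is inside the block's CIDR and not inside any
// except prefix: an except that overlaps the CIDR always wins over the CIDR.
func (b IPBlock) contains(ip netip.Addr) bool {
	prefix, err := netip.ParsePrefix(b.CIDR)
	if err != nil || !prefix.Contains(ip) {
		return false
	}
	for _, ex := range b.Except {
		if exp, err := netip.ParsePrefix(ex); err == nil && exp.Contains(ip) {
			return false
		}
	}
	return true
}

func (p Port) matches(port int, proto string) bool {
	return (p.Port == 0 || p.Port == port) && (p.Protocol == "" || p.Protocol == proto)
}

// allows is true only when both the port clause and the peer clause match.
func (r EgressRule) allows(ip netip.Addr, port int, proto string) bool {
	portOK := len(r.Ports) == 0
	for _, p := range r.Ports {
		if p.matches(port, proto) {
			portOK = true
		}
	}
	if !portOK {
		return false
	}
	if len(r.To) == 0 {
		return true
	}
	for _, b := range r.To {
		if b.contains(ip) {
			return true
		}
	}
	return false
}

// EgressAllowed: once an egress policy selects a pod, a connection is allowed
// only if at least one rule allows it; anything else (including an
// unparseable destination) is dropped.
func EgressAllowed(rules []EgressRule, dst string, port int, proto string) bool {
	ip, err := netip.ParseAddr(dst)
	if err != nil {
		return false
	}
	for _, r := range rules {
		if r.allows(ip, port, proto) {
			return true
		}
	}
	return false
}

// ExceptOverlapPolicy is the egress section of the except_block test policy.
func ExceptOverlapPolicy() []EgressRule {
	return []EgressRule{
		{Ports: []Port{{Port: 3306, Protocol: "TCP"}}, To: []IPBlock{{CIDR: "192.168.0.0/16"}}},
		{To: []IPBlock{{CIDR: "0.0.0.0/0", Except: []string{"192.168.0.0/16"}}}},
	}
}

// AnyPortPolicy is the egress section of the ebpf any-port/any-protocol test policy.
func AnyPortPolicy() []EgressRule {
	return []EgressRule{{Ports: []Port{{}}, To: []IPBlock{{CIDR: "192.168.50.168/32"}}}}
}

func main() {
	// 192.168.1.10 and 10.0.0.5 are constructed sample destinations.
	p := ExceptOverlapPolicy()
	fmt.Println("in /16, 3306:", EgressAllowed(p, "192.168.1.10", 3306, "TCP")) // true
	fmt.Println("in /16, 3307:", EgressAllowed(p, "192.168.1.10", 3307, "TCP")) // false: except wins
	fmt.Println("outside /16, 3307:", EgressAllowed(p, "10.0.0.5", 3307, "TCP")) // true: catch-all
	fmt.Println("any-port 9090:", EgressAllowed(AnyPortPolicy(), "192.168.50.168", 9090, "TCP")) // true
}
```

The second case is the one the "Before fix" run failed on: the first rule does not match because the port differs, and the second rule does not match because the destination sits inside the except range, so nothing allows it and the default for a selected pod is deny.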

@Pavani-Panakanti Pavani-Panakanti requested a review from a team as a code owner May 11, 2025 02:22
@jayanthvn jayanthvn requested a review from Copilot May 31, 2025 17:11
@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds new integration tests for IPBlock except handling and eBPF port/protocol evaluation, extends the manifest builder to support CIDR exception lists, and updates the test runner script.

  • New except_block_test.go verifies CIDR + except logic with overlapping ranges.
  • New ebpf_rules_test.go checks any-port/any-protocol and selective port policies in the eBPF path.
  • networkpolicyrules.go is refactored to introduce an IPBlock type and support except slices.
  • run-cyclonus-tests.sh is updated to invoke the policy test binary.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File                                            Description
test/integration/policy/except_block_test.go    Adds integration test for IPBlock except scenarios
test/integration/policy/ebpf_rules_test.go      Adds eBPF integration tests for port/protocol policies
test/framework/manifest/networkpolicyrules.go   Introduces IPBlock struct and updates AddPeer API
scripts/run-cyclonus-tests.sh                   Runs the compiled policy test binary in CI script
Comments suppressed due to low confidence (3)

test/integration/policy/ebpf_rules_test.go:39

  • The namespace variable is not declared in this file. Declare a namespace constant or use a known namespace value before referencing it.
Namespace(namespace).

test/framework/manifest/networkpolicyrules.go:49

  • The code references metav1.LabelSelector but the metav1 package is not imported. Add import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1".
peer.PodSelector = &metav1.LabelSelector{MatchLabels: podSelector}

test/framework/manifest/networkpolicyrules.go:132

  • Similarly, in the Egress builder you reference metav1.LabelSelector without importing metav1. Ensure the import is added or consolidated.
peer.PodSelector = &metav1.LabelSelector{MatchLabels: podSelector}

clientPod = deployClient(clientName)
})

It("should allow on /16 and 3006 port, deny on rest /16 ports, allow all on rest of endpoints", func() {
Copilot AI May 31, 2025

The test description references port 3006 but the test actually uses port 3306. Update the string to "3306" for accuracy.

Suggested change
It("should allow on /16 and 3006 port, deny on rest /16 ports, allow all on rest of endpoints", func() {
It("should allow on /16 and 3306 port, deny on rest /16 ports, allow all on rest of endpoints", func() {
