Merge pull request #109 from tssurya/add-conformance-tests-banp

Add BANP conformance tests for .Spec.Ingress and .Spec.Egress fields

conformance/base/baseline_admin_network_policy/core-egress-sctp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  egress:
+  - name: "allow-to-gryffindor-everything"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-to-gryffindor-everything"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-to-slytherin-at-port-9003"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "allow-to-hufflepuff-at-port-9003"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "deny-to-hufflepuff-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/baseline_admin_network_policy/core-egress-tcp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  egress:
+  - name: "allow-to-ravenclaw-everything"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-to-ravenclaw-everything"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-to-slytherin-at-port-80"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: TCP
+          port: 80
+  - name: "allow-to-hufflepuff-at-port-8080"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    ports:
+      - portNumber:
+          protocol: TCP
+          port: 8080
+  - name: "deny-to-hufflepuff-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/baseline_admin_network_policy/core-egress-udp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+  egress:
+  - name: "allow-to-ravenclaw-everything"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-to-ravenclaw-everything"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-to-slytherin-at-port-5353"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: UDP
+          port: 5353
+  - name: "allow-to-gryffindor-at-port-53"
+    action: "Allow"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    ports:
+      - portNumber:
+          protocol: UDP
+          port: 53
+  - name: "deny-to-gryffindor-everything-else"
+    action: "Deny"
+    to:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor

conformance/base/baseline_admin_network_policy/core-ingress-sctp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  ingress:
+  - name: "allow-from-gryffindor-everything"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-from-gryffindor-everything"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - name: "deny-from-slytherin-at-port-9003"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "allow-from-hufflepuff-at-port-9003"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    ports:
+      - portNumber:
+          protocol: SCTP
+          port: 9003
+  - name: "deny-from-hufflepuff-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/baseline_admin_network_policy/core-ingress-tcp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  ingress:
+  - name: "allow-from-ravenclaw-everything"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-from-ravenclaw-everything"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-from-slytherin-at-port-80"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: TCP
+          port: 80
+  - name: "allow-from-hufflepuff-at-port-80"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+    ports:
+      - portNumber:
+          protocol: TCP
+          port: 80
+  - name: "deny-from-hufflepuff-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-hufflepuff

conformance/base/baseline_admin_network_policy/core-ingress-udp-rules.yaml

@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+  ingress:
+  - name: "allow-from-ravenclaw-everything"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-from-ravenclaw-everything"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  - name: "deny-from-slytherin-at-port-5353"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-slytherin
+    ports:
+      - portNumber:
+          protocol: UDP
+          port: 5353
+  - name: "allow-from-gryffindor-at-port-53"
+    action: "Allow"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    ports:
+      - portNumber:
+          protocol: UDP
+          port: 53
+  - name: "deny-from-gryffindor-everything-else"
+    action: "Deny"
+    from:
+    - namespaces:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor

conformance/tests/admin-network-policy-core-egress-sctp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-egress-sctp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-egress-sctp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {

conformance/tests/admin-network-policy-core-egress-tcp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-egress-tcp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-egress-tcp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {

conformance/tests/admin-network-policy-core-egress-udp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-egress-udp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-egress-udp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {

conformance/tests/admin-network-policy-core-ingress-sctp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-ingress-sctp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-ingress-sctp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {

conformance/tests/admin-network-policy-core-ingress-tcp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-ingress-tcp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-ingress-tcp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {

conformance/tests/admin-network-policy-core-ingress-udp-rules.go

@@ -42,7 +42,7 @@ var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{
 	Features: []suite.SupportedFeature{
 		suite.SupportAdminNetworkPolicy,
 	},
-	Manifests: []string{"tests/admin-network-policy-core-ingress-udp-rules_base.yaml"},
+	Manifests: []string{"base/admin_network_policy/core-ingress-udp-rules.yaml"},
 	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
 
 		t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {