e2e: test for port ranges

e2e/tests/port-range.bats

@@ -0,0 +1,50 @@
+#!/usr/bin/env bats
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+	pod_a_net1=$(get_net1_ip "test-port-range" "pod-a")
+	pod_b_net1=$(get_net1_ip "test-port-range" "pod-b")
+}
+
+@test "setup environments" {
+	# create test manifests
+	kubectl create -f port-range.yml
+
+	# verify all pods are available
+	run kubectl -n test-port-range wait --for=condition=ready -l app=test-port-range pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+
+	sleep 3
+}
+
+@test "test-port-range check pod-a -> pod-b 5555 OK" {
+	# nc should succeed from client-a to server by policy
+	run kubectl -n test-port-range exec pod-a -- sh -c "echo x | nc -w 1 ${pod_b_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-port-range check pod-a -> pod-b 6666 KO" {
+	# nc should succeed from client-a to server by policy
+	run kubectl -n test-port-range exec pod-a -- sh -c "echo x | nc -w 1 ${pod_b_net1} 6666"
+	[ "$status" -eq  "1" ]
+}
+
+@test "test-port-range check pod-b -> pod-a 5555 KO" {
+	# nc should succeed from client-a to server by policy
+	run kubectl -n test-port-range exec pod-b -- sh -c "echo x | nc -w 1 ${pod_a_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "test-port-range check pod-b -> pod-a 6666 OK" {
+	# nc should succeed from client-a to server by policy
+	run kubectl -n test-port-range exec pod-b -- sh -c "echo x | nc -w 1 ${pod_a_net1} 6666"
+	[ "$status" -eq  "0" ]
+}
+
+@test "cleanup environments" {
+	# remove test manifests
+	kubectl delete -f port-range.yml
+	run kubectl -n test-port-range wait --for=delete -l app=test-port-range pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}

e2e/tests/port-range.yml

@@ -0,0 +1,99 @@
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: default
+  name: macvlan1-simple
+spec: 
+  config: '{
+            "cniVersion": "0.3.1",
+            "name": "macvlan1-simple",
+            "plugins": [
+                {
+                    "type": "macvlan",
+                    "mode": "bridge",
+                    "ipam":{
+                      "type":"host-local",
+                      "subnet":"2.2.6.0/24",
+                      "rangeStart":"2.2.6.8",
+                      "rangeEnd":"2.2.6.67"
+                    }
+                }]
+        }'
+---
+# namespace for MultiNetworkPolicy 
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: test-port-range
+---
+# Pods
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-a
+  namespace: test-port-range
+  annotations:
+    k8s.v1.cni.cncf.io/networks: default/macvlan1-simple
+  labels:
+    app: test-port-range
+    name: pod-a
+spec:
+  containers:
+  - name: netcat-tcp-5555
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+  - name: netcat-tcp-6666
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "6666"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-b
+  namespace: test-port-range
+  annotations:
+    k8s.v1.cni.cncf.io/networks: default/macvlan1-simple
+  labels:
+    app: test-port-range
+    name: pod-b
+spec:
+  containers:
+  - name: netcat-tcp-5555
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+  - name: netcat-tcp-6666
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "6666"]
+    securityContext:
+      privileged: true
+---
+# MultiNetworkPolicies
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: test-multinetwork-policy-simple-1
+  namespace: test-port-range
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: default/macvlan1-simple
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-a
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+  - ports:
+    - port: 5000
+      endPort: 5900
+  ingress:
+  - ports:
+    - port: 6000
+      endPort: 6900