int-test: Add integration test with separated networks

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Author: zeeke

pkg/nftables/enforce.go

@@ -41,7 +41,7 @@ func (n *NFTables) enforcePolicy(ctx context.Context, pod *corev1.Pod, interface
 	// Find the interfaces on the pod that belong to the networks of the policy (Policy-for annotation)
 	matchedInterfaces := getMatchedInterfaces(interfaces, policy.Networks)
 	if len(matchedInterfaces) == 0 {
-		logger.Info("No matched interfaces found, skipping")
+		logger.Info("No matched interfaces found, skipping", "policyNetworks", policy.Networks, "interfaces", interfaces)
 		return nil
 	}
 

pkg/nftables/nftables_integration_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containernetworking/plugins/pkg/testutils"
 	"github.com/go-logr/logr"
+	"github.com/go-logr/logr/funcr"
 	multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -24,10 +25,17 @@ import (
 	"github.com/k8snetworkplumbingwg/multi-network-policy-nftables/pkg/datastore"
 )
 
+var logger logr.Logger = funcr.New(func(prefix, args string) {
+	// if prefix == "" {
+	// 	GinkgoWriter.Printf("%s\n", args)
+	// } else {
+	GinkgoWriter.Printf("%s %s\n", prefix, args)
+	// }
+}, funcr.Options{Verbosity: 6})
+
 var _ = Describe("NFTables Simple Integration Tests", func() {
 	var (
 		ctx               context.Context
-		logger            logr.Logger
 		targetPod         *corev1.Pod
 		matchedInterfaces []Interface
 
@@ -44,7 +52,6 @@ var _ = Describe("NFTables Simple Integration Tests", func() {
 
 	BeforeEach(func() {
 		ctx = context.Background()
-		logger = logr.Discard()
 
 		// Create target pod (the one policies apply to)
 		targetPod = &corev1.Pod{
@@ -280,6 +287,182 @@ var _ = Describe("NFTables Simple Integration Tests", func() {
 	})
 })
 
+var _ = FDescribe("Multiple NetworkAttachmentDefinitions Integration Tests", func() {
+	/*
+		                   ┌─────────────┐        ┌─────────────┐
+		                   │  << NAD >>  │        │  << NAD >>  │
+		                   │ RedNetwork  │        │ BlueNetwork │
+		                   │             │        │             │
+		                   └─────────────┘        └─────────────┘
+
+		┌────────────┐     ┌─────────────┐        ┌─────────────┐     ┌────────────┐
+		│            │     │             │        │             │     │            │
+		│ red-pod-a  ├──┐  │  << MNP >>  │        │  << MNP >>  │  ┌──┼ blue-pod-a │
+		│            │  │  │  RedPolicy  │        │ BluePolicy  │  │  │            │
+		└────────────┘  │  │             │        │             │  │  └────────────┘
+		                │  └─────────────┘        └─────────────┘  │
+		┌────────────┐  │                                          │  ┌────────────┐
+		│            │  │ 10.0.1.0/24                  10.0.2.0/24 │  │            │
+		│ red-pod-b  ├──┴───────────┐                   ┌──────────┴──┤ blue-pod-b │
+		│            │        ┌──┬──┴─────┬──────┬──────┴──┬──┐       │            │
+		└────────────┘        │  │ ethred │      │ ethblue │  │       └────────────┘
+		                      │  └────────┘      └─────────┘  │
+		                      │                               │
+		                      │          TargetPod            │
+		                      │                               │
+		                      └───────────────────────────────┘
+	*/
+	var (
+		targetPod      *corev1.Pod
+		redPodA        *corev1.Pod
+		redPodB        *corev1.Pod
+		bluePodA       *corev1.Pod
+		bluePodB       *corev1.Pod
+		redInterfaces  []Interface
+		blueInterfaces []Interface
+	)
+
+	BeforeEach(func() {
+		// Create target pod (the one policies apply to)
+		targetPod = &corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "target-pod",
+				Namespace: "test-ns",
+				Labels:    map[string]string{"app": "target-pod"},
+				Annotations: map[string]string{
+					"k8s.v1.cni.cncf.io/networks":       "red-net,blue-net",
+					"k8s.v1.cni.cncf.io/network-status": `[{"name":"test-ns/red-net","interface":"ethred","ips":["10.0.1.1","2001:db8:1::1"],"dns":{}},{"name":"test-ns/blue-net","interface":"ethblue","ips":["10.0.2.1","2001:db8:2::1"],"dns":{}}]`,
+				},
+			},
+			Spec:   corev1.PodSpec{HostNetwork: false},
+			Status: corev1.PodStatus{Phase: corev1.PodRunning},
+		}
+
+		redInterfaces = []Interface{{Name: "ethred", Network: "test-ns/red-net", IPs: []string{"10.0.1.1", "2001:db8:1::1"}}}
+		blueInterfaces = []Interface{{Name: "ethblue", Network: "test-ns/blue-net", IPs: []string{"10.0.2.1", "2001:db8:2::1"}}}
+
+		// Create test pods for comprehensive test
+		redPodA = createPodSingleInterface("red-pod-a", "test-ns/red-net",
+			map[string]string{"app": "red-pod-a"},
+			"10.0.1.10", "2001:db8:1::10")
+
+		redPodB = createPodSingleInterface("red-pod-b", "test-ns/red-net",
+			map[string]string{"app": "red-pod-b"},
+			"10.0.1.11", "2001:db8:1::11")
+
+		bluePodA = createPodSingleInterface("blue-pod-a", "test-ns/blue-net",
+			map[string]string{"app": "blue-pod-a"},
+			"10.0.2.10", "2001:db8:2::10")
+
+		bluePodB = createPodSingleInterface("blue-pod-b", "test-ns/blue-net",
+			map[string]string{"app": "blue-pod-b"},
+			"10.0.2.11", "2001:db8:2::11")
+	})
+
+	It("should handle policies on different networks", func(ctx context.Context) {
+		defer GinkgoRecover()
+
+		netNS, err := testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+		defer netNS.Close()
+
+		err = netNS.Do(func(_ ns.NetNS) error {
+			runtime.LockOSThread()
+			defer runtime.UnlockOSThread()
+
+			nftablesWithPods := &NFTables{
+				Client: createFakeClient([]*corev1.Pod{targetPod, redPodA, redPodB, bluePodA, bluePodB}),
+			}
+
+			redPolicy := &datastore.Policy{
+				Name:      "red-policy",
+				Namespace: "test-ns",
+				Networks:  []string{"test-ns/red-net"},
+				Spec: multiv1beta1.MultiNetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"app": "target-pod"},
+					},
+					PolicyTypes: []multiv1beta1.MultiPolicyType{
+						multiv1beta1.PolicyTypeIngress,
+						multiv1beta1.PolicyTypeEgress,
+					},
+					Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{{
+						From: []multiv1beta1.MultiNetworkPolicyPeer{createPolicyPeer(map[string]string{"app": "red-pod-a"})},
+					}},
+					Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{{
+						To: []multiv1beta1.MultiNetworkPolicyPeer{createPolicyPeer(map[string]string{"app": "red-pod-b"})},
+					}},
+				},
+			}
+
+			bluePolicy := &datastore.Policy{
+				Name:      "blue-policy",
+				Namespace: "test-ns",
+				Networks:  []string{"test-ns/blue-net"},
+				Spec: multiv1beta1.MultiNetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"app": "target-pod"},
+					},
+					PolicyTypes: []multiv1beta1.MultiPolicyType{
+						multiv1beta1.PolicyTypeIngress,
+						multiv1beta1.PolicyTypeEgress,
+					},
+					Ingress: []multiv1beta1.MultiNetworkPolicyIngressRule{{
+						From: []multiv1beta1.MultiNetworkPolicyPeer{createPolicyPeer(map[string]string{"app": "blue-pod-a"})},
+					}},
+					Egress: []multiv1beta1.MultiNetworkPolicyEgressRule{{
+						To: []multiv1beta1.MultiNetworkPolicyPeer{createPolicyPeer(map[string]string{"app": "blue-pod-b"})},
+					}},
+				},
+			}
+
+			err = nftablesWithPods.enforcePolicy(ctx, targetPod, redInterfaces, redPolicy, logger)
+			if err != nil {
+				return err
+			}
+
+			err = nftablesWithPods.enforcePolicy(ctx, targetPod, blueInterfaces, bluePolicy, logger)
+			if err != nil {
+				return err
+			}
+
+			err = verifyNFTablesGoldenFile("multiple-networks-policy.nft")
+			if err != nil {
+				return err
+			}
+
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+})
+
+func createPolicyPeer(matchLabels map[string]string) multiv1beta1.MultiNetworkPolicyPeer {
+	return multiv1beta1.MultiNetworkPolicyPeer{
+		PodSelector: &metav1.LabelSelector{
+			MatchLabels: matchLabels,
+		},
+	}
+}
+
+func createPodSingleInterface(name, network string, labels map[string]string, ipv4Net, ipv6Net string) *corev1.Pod {
+	networkStatus := fmt.Sprintf(`[{"name":"%s","interface":"eth1","ips":["%s","%s"],"dns":{}}]`, network, ipv4Net, ipv6Net)
+
+	return &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: "test-ns",
+			Labels:    labels,
+			Annotations: map[string]string{
+				"k8s.v1.cni.cncf.io/networks":       network,
+				"k8s.v1.cni.cncf.io/network-status": networkStatus,
+			},
+		},
+		Spec:   corev1.PodSpec{HostNetwork: false},
+		Status: corev1.PodStatus{Phase: corev1.PodRunning},
+	}
+}
+
 // Helper function to create a dual-stack pod
 func createDualStackPod(name, namespace string, labels map[string]string, ipv4Net1, ipv4Net2, ipv6Net1, ipv6Net2 string) *corev1.Pod {
 	// We assume that the network attachment definition is common. There is no restriction per namespace

pkg/nftables/testdata/golden/multiple-networks-policy.nft

@@ -0,0 +1,122 @@
+table inet multi_networkpolicy {
+	comment "MultiNetworkPolicy"
+	set smi-7cef63aba7df2a3e78ee4cae8eef6bfe {
+		type ifname
+		comment "Managed interfaces set for test-ns/red-policy"
+		elements = { "ethred" }
+	}
+
+	set snp-7cef63aba7df2a3e78ee4cae8eef6bfe_ingress_ipv4_ethred_0 {
+		type ipv4_addr
+		comment "Addresses for test-ns/red-policy"
+		elements = { 10.0.1.10 }
+	}
+
+	set snp-7cef63aba7df2a3e78ee4cae8eef6bfe_ingress_ipv6_ethred_0 {
+		type ipv6_addr
+		comment "Addresses for test-ns/red-policy"
+		elements = { 2001:db8:1::10 }
+	}
+
+	set snp-7cef63aba7df2a3e78ee4cae8eef6bfe_egress_ipv4_ethred_0 {
+		type ipv4_addr
+		comment "Addresses for test-ns/red-policy"
+		elements = { 10.0.1.11 }
+	}
+
+	set snp-7cef63aba7df2a3e78ee4cae8eef6bfe_egress_ipv6_ethred_0 {
+		type ipv6_addr
+		comment "Addresses for test-ns/red-policy"
+		elements = { 2001:db8:1::11 }
+	}
+
+	set smi-b458cc915046bc2c60158623677c6364 {
+		type ifname
+		comment "Managed interfaces set for test-ns/blue-policy"
+		elements = { "ethblue" }
+	}
+
+	set snp-b458cc915046bc2c60158623677c6364_ingress_ipv4_ethblue_0 {
+		type ipv4_addr
+		comment "Addresses for test-ns/blue-policy"
+		elements = { 10.0.2.10 }
+	}
+
+	set snp-b458cc915046bc2c60158623677c6364_ingress_ipv6_ethblue_0 {
+		type ipv6_addr
+		comment "Addresses for test-ns/blue-policy"
+		elements = { 2001:db8:2::10 }
+	}
+
+	set snp-b458cc915046bc2c60158623677c6364_egress_ipv4_ethblue_0 {
+		type ipv4_addr
+		comment "Addresses for test-ns/blue-policy"
+		elements = { 10.0.2.11 }
+	}
+
+	set snp-b458cc915046bc2c60158623677c6364_egress_ipv6_ethblue_0 {
+		type ipv6_addr
+		comment "Addresses for test-ns/blue-policy"
+		elements = { 2001:db8:2::11 }
+	}
+
+	chain input {
+		comment "Input Dispatcher"
+		type filter hook input priority filter; policy accept;
+		iifname @smi-7cef63aba7df2a3e78ee4cae8eef6bfe jump ingress comment "test-ns/red-policy"
+		iifname @smi-b458cc915046bc2c60158623677c6364 jump ingress comment "test-ns/blue-policy"
+	}
+
+	chain output {
+		comment "Output Dispatcher"
+		type filter hook output priority filter; policy accept;
+		oifname @smi-7cef63aba7df2a3e78ee4cae8eef6bfe jump egress comment "test-ns/red-policy"
+		oifname @smi-b458cc915046bc2c60158623677c6364 jump egress comment "test-ns/blue-policy"
+	}
+
+	chain ingress {
+		comment "Ingress Policies"
+		ct state established,related accept comment "Connection tracking"
+		jump common-ingress comment "Jump to common"
+		jump cnp-7cef63aba7df2a3e78ee4cae8eef6bfe comment "test-ns/red-policy"
+		jump cnp-b458cc915046bc2c60158623677c6364 comment "test-ns/blue-policy"
+		drop comment "Drop rule"
+	}
+
+	chain common-ingress {
+		comment "Common Policies"
+	}
+
+	chain egress {
+		comment "Egress Policies"
+		ct state established,related accept comment "Connection tracking"
+		jump common-egress comment "Jump to common"
+		jump cnp-7cef63aba7df2a3e78ee4cae8eef6bfe comment "test-ns/red-policy"
+		jump cnp-b458cc915046bc2c60158623677c6364 comment "test-ns/blue-policy"
+		drop comment "Drop rule"
+	}
+
+	chain common-egress {
+		comment "Common Policies"
+	}
+
+	chain cnp-7cef63aba7df2a3e78ee4cae8eef6bfe {
+		comment "MultiNetworkPolicy test-ns/red-policy"
+		iifname "ethred" ip saddr 10.0.1.1 accept
+		iifname "ethred" ip6 saddr 2001:db8:1::1 accept
+		iifname "ethred" ip saddr @snp-7cef63aba7df2a3e78ee4cae8eef6bfe_ingress_ipv4_ethred_0 accept
+		iifname "ethred" ip6 saddr @snp-7cef63aba7df2a3e78ee4cae8eef6bfe_ingress_ipv6_ethred_0 accept
+		oifname "ethred" ip daddr @snp-7cef63aba7df2a3e78ee4cae8eef6bfe_egress_ipv4_ethred_0 accept
+		oifname "ethred" ip6 daddr @snp-7cef63aba7df2a3e78ee4cae8eef6bfe_egress_ipv6_ethred_0 accept
+	}
+
+	chain cnp-b458cc915046bc2c60158623677c6364 {
+		comment "MultiNetworkPolicy test-ns/blue-policy"
+		iifname "ethblue" ip saddr 10.0.2.1 accept
+		iifname "ethblue" ip6 saddr 2001:db8:2::1 accept
+		iifname "ethblue" ip saddr @snp-b458cc915046bc2c60158623677c6364_ingress_ipv4_ethblue_0 accept
+		iifname "ethblue" ip6 saddr @snp-b458cc915046bc2c60158623677c6364_ingress_ipv6_ethblue_0 accept
+		oifname "ethblue" ip daddr @snp-b458cc915046bc2c60158623677c6364_egress_ipv4_ethblue_0 accept
+		oifname "ethblue" ip6 daddr @snp-b458cc915046bc2c60158623677c6364_egress_ipv6_ethblue_0 accept
+	}
+}