kubeovn · oilbeater · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · gemini-code-assist
diff --git a/test/e2e/cnp-domain/e2e_test.go b/test/e2e/cnp-domain/e2e_test.go
@@ -12,6 +12,7 @@
 	"github.com/onsi/ginkgo/v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/test/e2e"
@@ -111,7 +112,30 @@
 	}
 
 	testNetworkConnectivity := func(target string, shouldSucceed bool, description string) {
-		testNetworkConnectivityWithRetry(target, shouldSucceed, description, 20, 2*time.Second)
+		testNetworkConnectivityWithRetry(target, shouldSucceed, description, 30, 3*time.Second)
+	}
+
+	// waitForDNSResolversReady waits for all DNSNameResolver CRs associated with a CNP
+	// to be created and have at least one resolved address. This ensures the OVN ACL
+	// address sets are populated before connectivity checks.
+	waitForDNSResolversReady := func(name string, expectedCount int) {
+		ginkgo.By(fmt.Sprintf("Waiting for %d DNSNameResolver(s) to be ready for CNP %s", expectedCount, name))
+		dnsClient := f.DNSNameResolverClient()
+		labelSelector := fmt.Sprintf("anp=%s", name)
+
+		err := wait.PollUntilContextTimeout(context.TODO(), 2*time.Second, 60*time.Second, true, func(_ context.Context) (bool, error) {
-		err := wait.PollUntilContextTimeout(context.TODO(), 2*time.Second, 60*time.Second, true, func(_ context.Context) (bool, error) {
+err := wait.PollUntilContextTimeout(f.Context, 2*time.Second, 60*time.Second, true, func(_ context.Context) (bool, error) {
-		err := wait.PollUntilContextTimeout(context.TODO(), 2*time.Second, 60*time.Second, true, func(_ context.Context) (bool, error) {
+err := wait.PollUntilContextTimeout(f.Context, 2*time.Second, 60*time.Second, true, func(_ context.Context) (bool, error) {
+			resolverList := dnsClient.ListByLabel(labelSelector)
+			if len(resolverList.Items) < expectedCount {
+				return false, nil
+			}
+			for _, resolver := range resolverList.Items {
+				if len(resolver.Status.ResolvedNames) == 0 {
+					return false, nil
+				}
+			}
+			return true, nil
+		})
+		framework.ExpectNoError(err, "DNSNameResolvers for CNP %s failed to be ready within timeout", name)
 	}
 
 	framework.ConformanceIt("should create CNP with domainName deny rule and verify connectivity behavior", func() {
@@ -158,6 +182,7 @@
 		framework.ExpectEqual(cnp.Spec.Priority, int32(55))
 		framework.ExpectEqual(cnp.Spec.Subject.Namespaces.MatchLabels["kubernetes.io/metadata.name"], namespaceName)
 
+		waitForDNSResolversReady(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying CNP (should be blocked)")
 
 		ginkgo.By("Deleting ClusterNetworkPolicy " + cnpName)
@@ -229,6 +254,8 @@
 		framework.ExpectEqual(string(peer2.DomainNames[0]), "*.google.com.")
 		framework.ExpectEqual(cnp2.Spec.Priority, int32(45))
 
+		waitForDNSResolversReady(cnpName, 1)
+		waitForDNSResolversReady(cnpName2, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying both CNPs (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after applying both CNPs (should be allowed)")
 
@@ -288,6 +315,7 @@
 		updatedCNP, _ := cnpClient.Update(context.TODO(), createdCNP, metav1.UpdateOptions{})
 		framework.Logf("Successfully updated ClusterNetworkPolicy with baidu.com deny rule: %s", updatedCNP.Name)
 
+		waitForDNSResolversReady(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after adding deny rule (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after adding baidu.com deny rule (should still succeed)")
 
@@ -299,6 +327,8 @@
 		updatedcnp2, _ := cnpClient.Update(context.TODO(), updatedCNP, metav1.UpdateOptions{})
 		framework.Logf("Successfully updated ClusterNetworkPolicy with both deny rules: %s", updatedcnp2.Name)
 
+		waitForDNSResolversReady(cnpName, 2)
+
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after adding both deny rules (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", false, "Testing connectivity to google.com after adding both deny rules (should be blocked)")
 
@@ -373,6 +403,7 @@
 		framework.ExpectEqual(len(cnp.Spec.Egress), 2)
 		framework.ExpectEqual(cnp.Spec.Priority, int32(80))
 
+		waitForDNSResolversReady(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying cnp (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after applying cnp (should be allowed)")
 		testNetworkConnectivity("https://8.8.8.8", false, "Testing connectivity to 8.8.8.8 after applying cnp (should be blocked by CIDR rule)")
@@ -421,6 +452,7 @@
 		framework.ExpectEqual(len(cnp.Spec.Egress), 1)
 		framework.ExpectEqual(cnp.Spec.Priority, int32(85))
 
+		waitForDNSResolversReady(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to www.baidu.com after applying cnp (should be blocked by wildcard)")
 		testNetworkConnectivity("https://api.baidu.com", false, "Testing connectivity to api.baidu.com after applying cnp (should be blocked by wildcard)")
 		testNetworkConnectivity("https://news.baidu.com", false, "Testing connectivity to news.baidu.com after applying cnp (should be blocked by wildcard)")