API-1768:e2e network policy tests #2097

Open
kaleemsiddiqu wants to merge 1 commit into openshift:main from kaleemsiddiqu:network-policy

@kaleemsiddiqu kaleemsiddiqu commented Apr 9, 2026

tests for network policy

Summary by CodeRabbit

  • Tests

    • Added parallel and disruptive operator test suites
    • Added network policy conformance tests with reconciliation verification
    • Added network policy enforcement tests covering cross-namespace, metrics, and port scenarios
    • Added E2E helpers for creating/validating NetworkPolicies, pods, connectivity, and a cluster-operator availability polling helper
  • Chores

    • Promoted Gomega to a direct module requirement

coderabbitai Bot commented Apr 9, 2026

Walkthrough

Adds comprehensive NetworkPolicy end-to-end tests and helpers, a new exported ClusterOperator polling helper, two test suites in the test runner extension (operator/parallel and operator/disruptive), and a small go.mod dependency adjustment.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Test runner config: cmd/cluster-kube-apiserver-operator-tests-ext/main.go | Comment punctuation fix and registration of two new test suites: .../operator/parallel (Parallelism: 1, selects tests tagged [Operator] excluding [Serial]) and .../operator/disruptive (Parallelism: 1, selects [Disruptive], sets ClusterStability to Disruptive). |
| NetworkPolicy stability tests: test/e2e/network_policy.go | New Ginkgo suite that fetches and validates four NetworkPolicy objects across operator and operand namespaces, asserts shapes/selectors/ports, and exercises delete/patch/restore reconciliation with event logging. |
| NetworkPolicy enforcement tests: test/e2e/network_policy_enforcement.go | New Ginkgo suite that creates server/client pods and probes connectivity to verify NetworkPolicy enforcement across namespaces, ports, and label/namespace selector permutations. |
| E2E test helpers (large): test/e2e/helpers.go | New helper library for tests: client config, namespace creation, pod lifecycle/IP helpers, NetworkPolicy fetch/assert/patch/restore, connectivity probe creators/readers, event/log formatting, and utility predicates (high lines/logic density — review patch/restore, connectivity polling, selector/port-match logic). |
| ClusterOperator helper: test/library/cluster_operator.go | Added exported WaitForClusterOperatorAvailableNotProgressingNotDegraded(t, client, name) that polls until ClusterOperator reports Available=true, Progressing=false, Degraded=false; treats NotFound as transient. |
| Dependency manifest: go.mod | Added github.com/onsi/gomega v1.35.1 to the main require block (now declared as a direct dependency). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 7 | ❌ 3

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | Test suite has multiple quality issues: assertion messages lack meaningful context, tests combine unrelated scenarios, false positive cases exist, and validation helpers don't fully verify expected state. | Add meaningful failure messages to assertions, split combined tests, remove/fix false positive cases, update validation helpers to verify Spec.Ingress and Spec.Egress are empty. |
| Microshift Test Compatibility | ⚠️ Warning | New e2e tests use ClusterOperator API and openshift system namespaces without MicroShift compatibility protection or apigroup tags. | Add [apigroup:config.openshift.io] tags to test names or use IsMicroShiftCluster() guards to skip MicroShift-incompatible tests. |
✅ Passed checks (7 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly references the main change: adding e2e network policy tests, which is directly supported by the new test files (network_policy.go, network_policy_enforcement.go) and helper utilities added in this PR. |
| Stable And Deterministic Test Names | ✅ Passed | All test names are static strings with no dynamic content, following Ginkgo conventions and guidelines. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The newly added e2e tests for NetworkPolicy are compatible with Single Node OpenShift. Tests create simple pods for connectivity verification without multi-node assumptions, node affinity, topology constraints, or special scheduling requirements. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Pull request adds only E2E test files and test utilities with no deployment manifests, operator code, or controllers that introduce scheduling constraints. |
| Ote Binary Stdout Contract | ✅ Passed | The pull request does not violate the OTE Binary Stdout Contract. All stdout writes are properly encapsulated within test execution contexts or use GinkgoWriter. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Code demonstrates excellent IPv6 compatibility with proper IP detection, RFC-compliant formatting, no IPv4-only assumptions, and cluster-internal connectivity patterns. |

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 9, 2026
@openshift-ci openshift-ci Bot requested review from dinhxuanvu and sanchezl April 9, 2026 01:48

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/network_policy_enforcement.go`:
- Around line 161-188: The testMetricsIngressOpenAccess spec and its assertions
disagree: the description implies metrics ingress is open from any namespace but
expectConnectivity() denies openshift-etcd; either change the spec text to
describe selective allow rules or change the assertion to allow openshift-etcd
on port 8443 so it matches an “open access” policy. Locate
testMetricsIngressOpenAccess and update the failing expectConnectivity call (the
call using namespace "openshift-etcd", kasOperatorIPs, 8443) to expect true, or
alternatively narrow the spec description and the createServerPod/label
selectors so the denied case is testing a different policy—ensure
expectConnectivity, createServerPod, and the human-readable g.By(...) lines
consistently reflect the intended policy.
- Around line 218-246: The tests are probing ports that netexecPod doesn't
listen on, causing false negatives; update the tests to probe only the single
port passed into netexecPod (the port argument used when calling netexecPod)
instead of hardcoded ports like 12345/9999/80, or alternatively modify
netexecPod to expose every port the tests expect; specifically locate uses of
netexecPod and replace hardcoded probe/connection ports with the port variable
supplied to netexecPod so the connectivity checks truly exercise NetworkPolicy
filtering.
- Around line 96-100: Before creating pods and probing connectivity in
testKubeAPIServerOperatorNetworkPolicyEnforcement, wait for the kube-apiserver
operator to be present and reconciled: insert a blocking call (reuse the
existing test helper used by the network policy tests) such as
waitForOperatorReady("kube-apiserver-operator", kubeClient, kubeConfig, timeout)
right after kubeClient is created and before any pod creation/probing; apply the
same wait before the other live-check blocks in this function (the later probes
around the other kube-apiserver checks) so policy rollout/reconciliation
completes prior to executing tests.

In `@test/e2e/network_policy.go`:
- Around line 139-152: The requireDefaultDeny helper currently only validates an
empty PodSelector and that both PolicyTypes are present; update
requireDefaultDeny to also assert that policy.Spec.Ingress and
policy.Spec.Egress slices are empty (no allow rules) by checking
len(policy.Spec.Ingress) == 0 and len(policy.Spec.Egress) == 0 and failing with
a descriptive message (including policy.Namespace and policy.Name) if either
contains entries; keep existing PodSelector and PolicyTypes checks intact so the
function enforces both presence of Ingress/Egress types and absence of any allow
rules.
- Around line 259-272: The restoreNetworkPolicy function currently treats any
re-created NetworkPolicy with the same name as success and hides non-NotFound
Get errors; modify restoreNetworkPolicy to accept or capture the expected policy
spec (e.g., pass in an expected *networkingv1.NetworkPolicy or fetch and store
the original spec before deletion), then in the wait.PollImmediate loop call
client.NetworkingV1().NetworkPolicies(namespace).Get and if
apierrors.IsNotFound(err) return false, nil, but for other errors return false,
err so they surface immediately; when a policy is returned compare its Spec to
the expected Spec (using reflect.DeepEqual or an appropriate equality helper)
and only return true when the specs match; also add the import apierrors
"k8s.io/apimachinery/pkg/api/errors" to the imports.
- Around line 192-199: Replace the non-failing logger function
logEgressAllowAllTCP with an assertion-based helper: call
hasEgressAllowAllTCP(policy.Spec.Egress) and use a Gomega Expect to assert it is
true (e.g., Expect(hasEgressAllowAllTCP(...))). Include a clear failure message that
that mentions the policy name/namespace (policy.Namespace, policy.Name) so tests
fail when the allow-all egress rule is missing; keep g.GinkgoHelper() and remove
only the non-failing GinkgoWriter-only branches so callers (previously using
logEgressAllowAllTCP) will fail the test on missing rule.

📥 Commits

Reviewing files that changed from the base of the PR and between 6df1155 and 304edbb.

📒 Files selected for processing (5)
  • cmd/cluster-kube-apiserver-operator-tests-ext/main.go
  • go.mod
  • test/e2e/network_policy.go
  • test/e2e/network_policy_enforcement.go
  • test/library/cluster_operator.go
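
The two test/e2e/network_policy.go findings above (a default-deny check that ignores allow rules, and a restore wait that accepts any policy with the same name) sketched in Go. This is an added example, not code from the PR: the `Rule`, `Spec` and `Policy` types, `ErrNotFound`, and the `example-ns` sample are stand-ins so it runs without the Kubernetes client libraries.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Stand-in types (assumption): a trimmed mirror of the NetworkPolicy fields
// these checks read, so the example runs without the Kubernetes modules.
type Rule struct {
	Ports []int    // empty = every port
	Peers []string // empty = every peer
}

type Spec struct {
	PodSelector map[string]string // empty = every pod in the namespace
	PolicyTypes []string
	Ingress     []Rule
	Egress      []Rule
}

type Policy struct {
	Namespace, Name string
	Spec            Spec
}

// ErrNotFound stands in for an API "not found" error (hypothetical).
var ErrNotFound = errors.New("networkpolicy not found")

func hasType(types []string, want string) bool {
	for _, t := range types {
		if t == want {
			return true
		}
	}
	return false
}

// CheckDefaultDeny accepts a policy only if it selects every pod, declares
// both policy types, and carries no allow rules in either direction.
func CheckDefaultDeny(p Policy) error {
	id := p.Namespace + "/" + p.Name
	if len(p.Spec.PodSelector) != 0 {
		return fmt.Errorf("%s: podSelector is not empty: %v", id, p.Spec.PodSelector)
	}
	for _, t := range []string{"Ingress", "Egress"} {
		if !hasType(p.Spec.PolicyTypes, t) {
			return fmt.Errorf("%s: policyTypes is missing %s", id, t)
		}
	}
	if n := len(p.Spec.Ingress); n != 0 {
		return fmt.Errorf("%s: %d ingress rule(s), want none", id, n)
	}
	if n := len(p.Spec.Egress); n != 0 {
		return fmt.Errorf("%s: %d egress rule(s), want none", id, n)
	}
	return nil
}

// Restored is one poll step of a reconcile wait: a missing policy means keep
// polling, other errors surface, and only a matching spec counts as restored.
func Restored(get func() (Policy, error), want Spec) (bool, error) {
	got, err := get()
	if errors.Is(err, ErrNotFound) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(got.Spec, want), nil
}

// Samples returns constructed policies: a real default-deny, and one with the
// same name and policy types that carries an allow-all ingress rule.
func Samples() (deny, weakened Policy) {
	both := []string{"Ingress", "Egress"}
	deny = Policy{Namespace: "example-ns", Name: "default-deny", Spec: Spec{PolicyTypes: both}}
	weakened = deny
	weakened.Spec.Ingress = []Rule{{}} // one empty rule = allow all ingress
	return deny, weakened
}

func main() {
	deny, weakened := Samples()
	fmt.Println("weakened passes default-deny check:", CheckDefaultDeny(weakened) == nil)
	ok, err := Restored(func() (Policy, error) { return weakened, nil }, deny.Spec)
	fmt.Println("weakened counts as restored:", ok, err)
}
```

A check that stops at the selector and policy types would accept the weakened sample, and a restore wait keyed on the name alone would report it as reconciled.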

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 9, 2026
@kaleemsiddiqu
Author

/retest

5 similar comments

@dusk125
Contributor

dusk125 commented Apr 13, 2026

/lgtm
/retest-required

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 13, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 13, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/cluster-kube-apiserver-operator-tests-ext/main.go`:
- Around line 82-88: The comment above the extension.AddSuite call is
inaccurate: update the comment to reflect the actual Qualifiers filter (which
selects tests with "[Operator]" and excludes "[Serial]") or change the
Qualifiers to also require "[Parallel]" to match the current comment; adjust the
text near oteextension.Suite (Name, Parallelism, Qualifiers) so the
human-readable comment and the implemented filter are consistent (either
"selects [Operator] tests excluding [Serial]" or change the Qualifiers to
`name.contains("[Parallel]") && name.contains("[Operator]")` to preserve the
original "[Parallel] + [Operator]" intent).

In `@test/library/cluster_operator.go`:
- Around line 19-39: The function
WaitForClusterOperatorAvailableNotProgressingNotDegraded currently takes an
unused t testing.TB parameter and there is a duplicate function
WaitForKubeAPIServerClusterOperatorAvailableNotProgressingNotDegraded that
repeats the same polling logic with "kube-apiserver" hardcoded—remove the unused
t parameter from WaitForClusterOperatorAvailableNotProgressingNotDegraded,
delete the duplicate
WaitForKubeAPIServerClusterOperatorAvailableNotProgressingNotDegraded, and
update all callers (e.g. the two sites in test/e2e/network_policy.go) to call
the single generic helper with the name string only; ensure the remaining
function signature and its internal use of client.ClusterOperators().Get(...,
name, ...) and the polling logic (including IsStatusConditionPresentAndEqual
checks) remain unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between 10f9051 and e14fcc4.

📒 Files selected for processing (4)
  • cmd/cluster-kube-apiserver-operator-tests-ext/main.go
  • test/e2e/network_policy.go
  • test/e2e/network_policy_enforcement.go
  • test/library/cluster_operator.go
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/network_policy_enforcement.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/network_policy.go

Comment on lines +19 to +39
func WaitForClusterOperatorAvailableNotProgressingNotDegraded(t testing.TB, client configclient.ConfigV1Interface, name string) error {
	err := wait.Poll(WaitPollInterval, WaitPollTimeout, func() (bool, error) {
		clusterOperator, err := client.ClusterOperators().Get(context.TODO(), name, metav1.GetOptions{})
		if errors.IsNotFound(err) {
			fmt.Printf("ClusterOperator/%s does not yet exist.\n", name)
			return false, nil
		}
		if err != nil {
			fmt.Printf("Unable to retrieve ClusterOperator/%s: %v\n", name, err)
			return false, err
		}
		conditions := clusterOperator.Status.Conditions
		available := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorAvailable, configv1.ConditionTrue)
		notProgressing := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorProgressing, configv1.ConditionFalse)
		notDegraded := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorDegraded, configv1.ConditionFalse)
		done := available && notProgressing && notDegraded
		fmt.Printf("ClusterOperator/%s: Available: %v Progressing: %v Degraded: %v\n", name, available, !notProgressing, !notDegraded)
		return done, nil
	})
	return err
}

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify current call sites for signature impact.
rg -nP --type=go '\bWaitForClusterOperatorAvailableNotProgressingNotDegraded\s*\(' -C2

# Verify duplicate polling implementations that should be consolidated.
rg -nP --type=go -C2 'func\s+WaitFor(KubeAPIServerClusterOperatorAvailableNotProgressingNotDegraded|ClusterOperatorAvailableNotProgressingNotDegraded)\b|wait\.Poll\(WaitPollInterval,\s*WaitPollTimeout\)'

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 2799


🏁 Script executed:

#!/bin/bash

# Read the full implementations of both functions from cluster_operator.go
cat -n test/library/cluster_operator.go | sed -n '17,70p'

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 3599


🏁 Script executed:

#!/bin/bash

# Search for all call sites of WaitForClusterOperatorAvailableNotProgressingNotDegraded
rg -n '\bWaitForClusterOperatorAvailableNotProgressingNotDegraded\b' --type=go

# Also search for any other similar duplicated polling patterns
wc -l test/library/cluster_operator.go

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 716


Remove the unused t parameter and consolidate duplicate polling logic.

The t testing.TB parameter at line 19 is never used in the function body. Additionally, WaitForKubeAPIServerClusterOperatorAvailableNotProgressingNotDegraded duplicates the entire polling logic with "kube-apiserver" hardcoded—this duplication creates a maintenance burden and drift risk. Consolidating both into a single generic helper eliminates both issues.

♻️ Proposed refactor
-func WaitForClusterOperatorAvailableNotProgressingNotDegraded(t testing.TB, client configclient.ConfigV1Interface, name string) error {
+func WaitForClusterOperatorAvailableNotProgressingNotDegraded(client configclient.ConfigV1Interface, name string) error {
 	err := wait.Poll(WaitPollInterval, WaitPollTimeout, func() (bool, error) {
 		clusterOperator, err := client.ClusterOperators().Get(context.TODO(), name, metav1.GetOptions{})
 		if errors.IsNotFound(err) {
 			fmt.Printf("ClusterOperator/%s does not yet exist.\n", name)
 			return false, nil
 		}
 		if err != nil {
 			fmt.Printf("Unable to retrieve ClusterOperator/%s: %v\n", name, err)
 			return false, err
 		}
 		conditions := clusterOperator.Status.Conditions
 		available := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorAvailable, configv1.ConditionTrue)
 		notProgressing := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorProgressing, configv1.ConditionFalse)
 		notDegraded := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorDegraded, configv1.ConditionFalse)
 		done := available && notProgressing && notDegraded
 		fmt.Printf("ClusterOperator/%s: Available: %v  Progressing: %v  Degraded: %v\n", name, available, !notProgressing, !notDegraded)
 		return done, nil
 	})
 	return err
}
 func WaitForKubeAPIServerClusterOperatorAvailableNotProgressingNotDegraded(t *testing.T, client configclient.ConfigV1Interface) {
+	t.Helper()
-	err := wait.Poll(WaitPollInterval, WaitPollTimeout, func() (bool, error) {
-		clusterOperator, err := client.ClusterOperators().Get(context.TODO(), "kube-apiserver", metav1.GetOptions{})
-		if errors.IsNotFound(err) {
-			fmt.Println("ClusterOperator/kube-apiserver does not yet exist.")
-			return false, nil
-		}
-		if err != nil {
-			fmt.Println("Unable to retrieve ClusterOperator/kube-apiserver:", err)
-			return false, err
-		}
-		conditions := clusterOperator.Status.Conditions
-		available := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorAvailable, configv1.ConditionTrue)
-		notProgressing := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorProgressing, configv1.ConditionFalse)
-		notDegraded := clusteroperatorhelpers.IsStatusConditionPresentAndEqual(conditions, configv1.OperatorDegraded, configv1.ConditionFalse)
-		done := available && notProgressing && notDegraded
-		fmt.Printf("ClusterOperator/kube-apiserver: Available: %v  Progressing: %v  Degraded: %v\n", available, !notProgressing, !notDegraded)
-		return done, nil
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	if err := WaitForClusterOperatorAvailableNotProgressingNotDegraded(client, "kube-apiserver"); err != nil {
+		t.Fatal(err)
+	}
 }
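
Review bot: In the generic helper's `if err != nil` branch, `return false, err` ends `wait.Poll` on the first non-NotFound Get error, so a single transient API failure while kube-apiserver is rolling out fails the whole wait; consider logging the error and returning `false, nil` there so polling continues until `WaitPollTimeout`. With `t` removed, progress is still written through `fmt.Printf`, so the helper's output bypasses the test logger; passing a logging function instead of dropping the parameter outright would keep that output attached to the test. `wait.Poll` with `context.TODO()` is carried over unchanged; `wait.Poll` is deprecated in recent apimachinery releases in favour of the context-aware poll functions, which would also let callers supply their own context.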

Update the two call sites in test/e2e/network_policy.go (lines 52, 97) to remove the first argument:

-err = test.WaitForClusterOperatorAvailableNotProgressingNotDegraded(g.GinkgoTB(), configClient, "kube-apiserver")
+err = test.WaitForClusterOperatorAvailableNotProgressingNotDegraded(configClient, "kube-apiserver")
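
Review bot: Only one call is rewritten here while the sentence above names two sites (lines 52 and 97); apply the same change at both, and confirm `err` is checked right after each call, since the hunk does not show it. Because the helper is exported from test/library, search other packages for callers of the old three-argument form before merging.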

@kaleemsiddiqu
Author

kaleemsiddiqu commented Apr 13, 2026

/retitle API-1768:e2e network policy tests

@openshift-ci openshift-ci Bot changed the title Network policy tests API-1768:e2e network policy tests Apr 13, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 13, 2026
@openshift-ci-robot

openshift-ci-robot commented Apr 13, 2026

@kaleemsiddiqu: This pull request references API-1768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

tests for network policy

Summary by CodeRabbit

  • Tests
  • Added parallel operator test suite for concurrent validation
  • Added network policy conformance tests including reconciliation verification
  • Added network policy enforcement tests across multiple namespaces
  • Enhanced operator availability monitoring with new polling helpers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaleemsiddiqu
Author

/retest

@gangwgr
Contributor

gangwgr commented Apr 14, 2026

/retest-required

@kaleemsiddiqu
Author

/retest

1 similar comment

@dusk125
Contributor

dusk125 commented Apr 16, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2026
@kaleemsiddiqu
Author

kaleemsiddiqu commented Apr 16, 2026

/verified by @kaleemsiddiqu
executed these tests locally.

$ ./cluster-kube-apiserver-operator-tests-ext list|grep "NetworkPolicy"
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should ensure kube-apiserver NetworkPolicies are defined [Suite:openshift/cluster-kube-apiserver-operator/conformance/parallel]",
    "name": "[sig-api-machinery] kube-apiserver operator [Serial][Operator][NetworkPolicy] should restore kube-apiserver NetworkPolicies after delete or mutation[Timeout:30m] [Suite:openshift/cluster-kube-apiserver-operator/conformance/serial]",
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should enforce NetworkPolicy allow/deny basics in a test namespace",
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should enforce kube-apiserver-operator NetworkPolicies",
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should enforce cross-namespace ingress traffic",
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should allow metrics but block other ports",
    "name": "[sig-api-machinery] kube-apiserver operator [Operator][NetworkPolicy] should allow metrics ingress from any namespace",
$ 

@kaleemsiddiqu
Author

/retest

@kaleemsiddiqu kaleemsiddiqu force-pushed the network-policy branch 2 times, most recently from 99db3c0 to 753f92f Compare May 5, 2026 02:34
@openshift-ci
Contributor

openshift-ci Bot commented May 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-roman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 5, 2026
@kaleemsiddiqu
Author

/retest

@kaleemsiddiqu kaleemsiddiqu force-pushed the network-policy branch 3 times, most recently from 2cc8ce7 to 61190a4 Compare May 6, 2026 16:43
@kaleemsiddiqu
Author

/retest

@kaleemsiddiqu kaleemsiddiqu force-pushed the network-policy branch 2 times, most recently from 42dba26 to ce17986 Compare May 7, 2026 02:44
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 18, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 18, 2026
@kaleemsiddiqu
Author

/retest

4 similar comments

@kaleemsiddiqu
Author

/retest

Add comprehensive NetworkPolicy tests for kube-apiserver and
kube-apiserver-operator namespaces. Tests verify policy creation,
reconciliation, and enforcement including default-deny and allow
rules patterns.

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
@kaleemsiddiqu
Author

/retest

@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

@kaleemsiddiqu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-operator-encryption-kms-2of2 | f92bf10 | link | false | /test e2e-gcp-operator-encryption-kms-2of2 |
| ci/prow/e2e-gcp-operator-encryption-kms-1of2 | f92bf10 | link | false | /test e2e-gcp-operator-encryption-kms-1of2 |
| ci/prow/e2e-gcp-operator-encryption-aescbc | f92bf10 | link | false | /test e2e-gcp-operator-encryption-aescbc |
| ci/prow/e2e-gcp-operator-encryption-single-node | f92bf10 | link | false | /test e2e-gcp-operator-encryption-single-node |
| ci/prow/e2e-gcp-operator-encryption-rotation-aesgcm | f92bf10 | link | false | /test e2e-gcp-operator-encryption-rotation-aesgcm |
| ci/prow/e2e-gcp-operator-encryption-perf-aescbc | f92bf10 | link | false | /test e2e-gcp-operator-encryption-perf-aescbc |
| ci/prow/e2e-gcp-operator-encryption-aesgcm | f92bf10 | link | false | /test e2e-gcp-operator-encryption-aesgcm |
| ci/prow/e2e-gcp-operator-encryption-perf-aesgcm | f92bf10 | link | false | /test e2e-gcp-operator-encryption-perf-aesgcm |
| ci/prow/e2e-gcp-operator-encryption-rotation-single-node | f92bf10 | link | false | /test e2e-gcp-operator-encryption-rotation-single-node |
| ci/prow/e2e-gcp-operator-encryption-perf-single-node | f92bf10 | link | false | /test e2e-gcp-operator-encryption-perf-single-node |
| ci/prow/e2e-gcp-operator-encryption-rotation-aescbc | f92bf10 | link | false | /test e2e-gcp-operator-encryption-rotation-aescbc |
| ci/prow/e2e-aws-ovn-serial-2of2 | 93c198c | link | true | /test e2e-aws-ovn-serial-2of2 |
| ci/prow/e2e-aws-ovn-upgrade | 93c198c | link | true | /test e2e-aws-ovn-upgrade |


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
