diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go index be80e36ae8f..0a0ea96644a 100644 --- a/test/e2e/antreapolicy_test.go +++ b/test/e2e/antreapolicy_test.go @@ -2995,3 +2995,79 @@ func TestAntreaClusterNetworkPolicyStats(t *testing.T) { } k8sUtils.Cleanup(namespaces) } + +func testInvalidACNPPodSelectorNsSelectorMatchExpressions(t *testing.T) { + invalidLSErr := fmt.Errorf("invalid Antrea NetworkPolicy with namespaceSelector but matchExpressions invalid") + + allowAction := crdv1alpha1.RuleActionAllow + selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"env": "dummy"}} + nsSelectA := metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "env", Operator: "xxx", Values: []string{"xxxx"}}}} + + var acnp = &crdv1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testNamespace, Name: "cnptest", Labels: map[string]string{"antrea-e2e": "cnp1"}}, + Spec: crdv1alpha1.ClusterNetworkPolicySpec{ + AppliedTo: []crdv1alpha1.NetworkPolicyPeer{ + {PodSelector: &selectorA}, + {NamespaceSelector: &nsSelectA}, + }, + Priority: 10, + Ingress: []crdv1alpha1.Rule{ + { + Action: &allowAction, + }, + }, + }, + } + + if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { + failOnError(invalidLSErr, t) + } +} + +func testInvalidCGPPodSelectorNsSelectorMatchExpressions(t *testing.T) { + invalidLSErr := fmt.Errorf("invalid clustergroup with namespaceSelector but matchExpressions invalid") + + nsSelectA := metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "env", Operator: "xxx", Values: []string{"xxxx"}}}} + + cgName := "cg-test" + cg := &crdv1alpha2.ClusterGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: cgName, + }, + Spec: crdv1alpha2.GroupSpec{ + NamespaceSelector: &nsSelectA, + }, + } + if _, err := k8sUtils.CreateOrUpdateCG(cg); err == nil { + // Above creation of CG must fail as it is an invalid spec. + failOnError(invalidLSErr, t) + } +} + +func TestInvalidLabelSelectorInResource(t *testing.T) { + data, err := setupTest(t) + if err != nil { + t.Fatalf("Error when setting up test: %v", err) + } + defer teardownTest(t, data) + initK8s := func() { + skipIfAntreaPolicyDisabled(t, data) + var err error + // k8sUtils is a global var + k8sUtils, err = NewKubernetesUtils(data) + failOnError(err, t) + } + if k8sUtils == nil { + initK8s() + } + + t.Run("TestGroupInvalidLabelSelectorInResource", func(t *testing.T) { + t.Run("Case=InvalidACNPPodSelectorNsSelectorMatchExpressions", func(t *testing.T) { + testInvalidACNPPodSelectorNsSelectorMatchExpressions(t) + }) + t.Run("CASE=InvalidCGPPodSelectorNsSelectorMatchExpressions", func(t *testing.T) { + testInvalidCGPPodSelectorNsSelectorMatchExpressions(t) + }) + }) +}