diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
index dbf54687e90..451ed333d8e 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -17,6 +17,7 @@ package networkpolicy
 import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/client-go/tools/cache"
 "k8s.io/klog"
@@ -135,18 +136,23 @@ func (n *NetworkPolicyController) deleteCNP(old interface{}) {
 n.deleteDereferencedAddressGroups(oldInternalNP)
 }
-// toAntreaServicesForCRD converts a secv1alpha1.NetworkPolicyPort object to an
-// Antrea Service object.
-func toAntreaServicesForCRD(npPorts []secv1alpha1.NetworkPolicyPort) []networking.Service {
+// toAntreaServicesForCRD converts a slice of secv1alpha1.NetworkPolicyPort
+// objects to a slice of Antrea Service objects. A bool is returned along with
+// the Service objects to indicate whether any named port exists.
+func toAntreaServicesForCRD(npPorts []secv1alpha1.NetworkPolicyPort) ([]networking.Service, bool) {
 var antreaServices []networking.Service
+ var namedPortExists bool
 for _, npPort := range npPorts {
+ if npPort.Port != nil && npPort.Port.Type == intstr.String {
+ namedPortExists = true
+ }
 antreaService := networking.Service{
 Protocol: toAntreaProtocol(npPort.Protocol),
 Port: npPort.Port,
 }
 antreaServices = append(antreaServices, antreaService)
 }
- return antreaServices
+ return antreaServices, namedPortExists
 }
 // toAntreaIPBlockForCRD converts a secv1alpha1.IPBlock to an Antrea IPBlock.
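Review bot: The named-port check added inside the loop of toAntreaServicesForCRD is duplicated verbatim in toAntreaServices in networkpolicy_controller.go (hunk @@ -474,18 +475,23 @@), so the rule for what counts as a named port now lives in two places that must be kept in step by hand. A one-line helper such as `func isNamedPort(p *intstr.IntOrString) bool { return p != nil && p.Type == intstr.String }` called from both loops would keep it in one place. The new doc comment could also state the two cases the bool does not cover, e.g. `// The bool is false for an empty slice and for entries whose Port is nil.`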
@@ -174,24 +180,23 @@ func getTierPriority(tier string) networking.TierPriority {
 return tierPriorityMap[tier]
 }
-func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []secv1alpha1.NetworkPolicyPeer, cnp *secv1alpha1.ClusterNetworkPolicy, dir networking.Direction) *networking.NetworkPolicyPeer {
+func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []secv1alpha1.NetworkPolicyPeer, cnp *secv1alpha1.ClusterNetworkPolicy, dir networking.Direction, namedPortExists bool) *networking.NetworkPolicyPeer {
 var addressGroups []string
 // Empty NetworkPolicyPeer is supposed to match all addresses.
 // It's treated as an IPBlock "0.0.0.0/0".
 if len(peers) == 0 {
- // For an ingress Peer, skip adding the AddressGroup matching all Pods
- // because in case of ingress Rule, the named Port resolution happens on
- // Pods in AppliedToGroup.
- if dir == networking.DirectionIn {
+ // For an egress Peer that specifies any named ports, it creates or
+ // reuses the AddressGroup matching all Pods in all Namespaces and
+ // appends the AddressGroup UID to the returned Peer such that it can be
+ // used to resolve the named ports.
+ // For other cases it uses the IPBlock "0.0.0.0/0" to avoid the overhead
+ // of handling member updates of the AddressGroup.
+ if dir == networking.DirectionIn || !namedPortExists {
 return &matchAllPeer
 }
- // For an egress Peer, create an AddressGroup matching all Pods in all
- // Namespaces such that it can be used to resolve named Ports. This
- // AddressGroup is set in the NetworkPolicyPeer of matchAllPeer.
 allPodsGroupUID := n.createAddressGroupForCRD(matchAllPodsPeerCrd, cnp)
 podsPeer := matchAllPeer
- addressGroups = append(addressGroups, allPodsGroupUID)
- podsPeer.AddressGroups = addressGroups
+ podsPeer.AddressGroups = append(addressGroups, allPodsGroupUID)
 return &podsPeer
 }
 var ipBlocks []networking.IPBlock
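Review bot: The comment that now precedes `if dir == networking.DirectionIn || !namedPortExists` explains the egress branch but drops the rationale the removed lines gave for ingress (named-port resolution for an ingress rule happens on the Pods in the AppliedToGroup), so the `DirectionIn` half of the condition is no longer explained anywhere in the function. Suggest keeping one sentence, e.g. `// Ingress named ports are resolved on the AppliedToGroup Pods, so only egress needs the all-Pods AddressGroup.`; the identical hunk in toAntreaPeer in networkpolicy_controller.go (@@ -575,25 +583,24 @@) has the same gap. Separately, `podsPeer.AddressGroups = append(addressGroups, allPodsGroupUID)` appends to the still-nil `addressGroups` declared at the top of the function, which is just `podsPeer.AddressGroups = []string{allPodsGroupUID}`; the literal reads more directly and makes clear that the early-return branch shares no slice with the code below. toAntreaPeerForCRD continues past the end of the hunk.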
@@ -253,10 +258,11 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C
 // Compute NetworkPolicyRule for Egress Rule.
 for idx, ingressRule := range cnp.Spec.Ingress {
 // Set default action to ALLOW to allow traffic.
+ services, namedPortExists := toAntreaServicesForCRD(ingressRule.Ports)
 rules = append(rules, networking.NetworkPolicyRule{
 Direction: networking.DirectionIn,
- From: *n.toAntreaPeerForCRD(ingressRule.From, cnp, networking.DirectionIn),
- Services: toAntreaServicesForCRD(ingressRule.Ports),
+ From: *n.toAntreaPeerForCRD(ingressRule.From, cnp, networking.DirectionIn, namedPortExists),
+ Services: services,
 Action: ingressRule.Action,
 Priority: int32(idx),
 })
@@ -264,10 +270,11 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *secv1alpha1.C
 // Compute NetworkPolicyRule for Egress Rule.
 for idx, egressRule := range cnp.Spec.Egress {
 // Set default action to ALLOW to allow traffic.
+ services, namedPortExists := toAntreaServicesForCRD(egressRule.Ports)
 rules = append(rules, networking.NetworkPolicyRule{
 Direction: networking.DirectionOut,
- To: *n.toAntreaPeerForCRD(egressRule.To, cnp, networking.DirectionOut),
- Services: toAntreaServicesForCRD(egressRule.Ports),
+ To: *n.toAntreaPeerForCRD(egressRule.To, cnp, networking.DirectionOut, namedPortExists),
+ Services: services,
 Action: egressRule.Action,
 Priority: int32(idx),
 })
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
index 90db92f414a..2a5a75de98e 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
@@ -21,7 +21,6 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
- v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
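Review bot: The `services, namedPortExists := toAntreaServicesForCRD(ingressRule.Ports)` line added to the ingress loop sits under a context comment reading `// Compute NetworkPolicyRule for Egress Rule.` although the loop ranges over `cnp.Spec.Ingress`; since this hunk touches that loop, it is a good moment to correct it to `// Compute NetworkPolicyRule for Ingress Rule.` The `// Set default action to ALLOW to allow traffic.` comment in both loops also looks stale, because the rule's Action is copied from `ingressRule.Action` / `egressRule.Action` rather than defaulted here — presumably the defaulting happens elsewhere, so either point at it or drop the comment. processClusterNetworkPolicy starts and ends outside the hunk.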
@@ -31,32 +30,46 @@ import (
 )
 func TestToAntreaServicesForCRD(t *testing.T) {
- tcpProto := v1.ProtocolTCP
- portNum := intstr.FromInt(80)
 tables := []struct {
- ports []secv1alpha1.NetworkPolicyPort
- expValues []networking.Service
+ ports []secv1alpha1.NetworkPolicyPort
+ expServices []networking.Service
+ expNamedPortExists bool
 }{
 {
- getCNPPorts(tcpProto),
- []networking.Service{
+ ports: []secv1alpha1.NetworkPolicyPort{
 {
- Protocol: toAntreaProtocol(&tcpProto),
- Port: &portNum,
+ Protocol: &k8sProtocolTCP,
+ Port: &int80,
 },
 },
+ expServices: []networking.Service{
+ {
+ Protocol: toAntreaProtocol(&k8sProtocolTCP),
+ Port: &int80,
+ },
+ },
+ expNamedPortExists: false,
+ },
+ {
+ ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Protocol: &k8sProtocolTCP,
+ Port: &strHTTP,
+ },
+ },
+ expServices: []networking.Service{
+ {
+ Protocol: toAntreaProtocol(&k8sProtocolTCP),
+ Port: &strHTTP,
+ },
+ },
+ expNamedPortExists: true,
 },
 }
 for _, table := range tables {
- services := toAntreaServicesForCRD(table.ports)
- service := services[0]
- expValue := table.expValues[0]
- if *service.Protocol != *expValue.Protocol {
- t.Errorf("Unexpected Antrea Protocol in Antrea Service. Expected %v, got %v", *expValue.Protocol, *service.Protocol)
- }
- if *service.Port != *expValue.Port {
- t.Errorf("Unexpected Antrea Port in Antrea Service. Expected %v, got %v", *expValue.Port, *service.Port)
- }
+ services, namedPortExist := toAntreaServicesForCRD(table.ports)
+ assert.Equal(t, table.expServices, services)
+ assert.Equal(t, table.expNamedPortExists, namedPortExist)
 }
 }
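Review bot: Both new table cases hold a single port, so the `npPort.Port != nil` guard in toAntreaServicesForCRD and the any-of semantics of the returned bool are not exercised; a case with `Port: nil` expecting `expNamedPortExists: false` and one mixing `&int80` with `&strHTTP` expecting `true` would cover both. The loop variable `namedPortExist` and the table field `expNamedPortExists` differ by a trailing s; using the plural in both avoids a misread. The same two gaps are present in the parallel TestToAntreaServices hunk in networkpolicy_controller_test.go.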
@@ -123,10 +136,11 @@ func TestToAntreaPeerForCRD(t *testing.T) {
 matchAllPodsPeer := matchAllPeer
 matchAllPodsPeer.AddressGroups = []string{getNormalizedUID(toGroupSelector("", nil, &selectorAll).NormalizedName)}
 tests := []struct {
- name string
- inPeers []secv1alpha1.NetworkPolicyPeer
- outPeer networking.NetworkPolicyPeer
- direction networking.Direction
+ name string
+ inPeers []secv1alpha1.NetworkPolicyPeer
+ outPeer networking.NetworkPolicyPeer
+ direction networking.Direction
+ namedPortExists bool
 }{
 {
 name: "pod-ns-selector-peer-ingress",
@@ -205,16 +219,23 @@ func TestToAntreaPeerForCRD(t *testing.T) {
 direction: networking.DirectionIn,
 },
 {
- name: "empty-peer-egress",
+ name: "empty-peer-egress-with-named-port",
+ inPeers: []secv1alpha1.NetworkPolicyPeer{},
+ outPeer: matchAllPodsPeer,
+ direction: networking.DirectionOut,
+ namedPortExists: true,
+ },
+ {
+ name: "empty-peer-egress-without-named-port",
 inPeers: []secv1alpha1.NetworkPolicyPeer{},
- outPeer: matchAllPodsPeer,
+ outPeer: matchAllPeer,
 direction: networking.DirectionOut,
 },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 _, npc := newController()
- actualPeer := npc.toAntreaPeerForCRD(tt.inPeers, testCNPObj, tt.direction)
+ actualPeer := npc.toAntreaPeerForCRD(tt.inPeers, testCNPObj, tt.direction, tt.namedPortExists)
 if !reflect.DeepEqual(tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) {
 t.Errorf("Unexpected AddressGroups in Antrea Peer conversion. Expected %v, got %v", tt.outPeer.AddressGroups, (*actualPeer).AddressGroups)
 }
@@ -981,13 +1002,3 @@ func getCNP() *secv1alpha1.ClusterNetworkPolicy {
 return npObj
 }
-
-func getCNPPorts(proto v1.Protocol) []secv1alpha1.NetworkPolicyPort {
- portNum := intstr.FromInt(80)
- port := secv1alpha1.NetworkPolicyPort{
- Protocol: &proto,
- Port: &portNum,
- }
- ports := []secv1alpha1.NetworkPolicyPort{port}
- return ports
-}
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index dbc37d9779a..ea79ff6fa3b 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -33,6 +33,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/wait"
 coreinformers "k8s.io/client-go/informers/core/v1"
@@ -474,18 +475,23 @@ func toAntreaProtocol(npProtocol *v1.Protocol) *networking.Protocol {
 return &internalProtocol
 }
-// toAntreaServices converts a networkingv1.NetworkPolicyPort object to an
-// Antrea Service object.
-func toAntreaServices(npPorts []networkingv1.NetworkPolicyPort) []networking.Service {
+// toAntreaServices converts a slice of networkingv1.NetworkPolicyPort objects
+// to a slice of Antrea Service objects. A bool is returned along with the
+// Service objects to indicate whether any named port exists.
+func toAntreaServices(npPorts []networkingv1.NetworkPolicyPort) ([]networking.Service, bool) {
 var antreaServices []networking.Service
+ var namedPortExists bool
 for _, npPort := range npPorts {
+ if npPort.Port != nil && npPort.Port.Type == intstr.String {
+ namedPortExists = true
+ }
 antreaService := networking.Service{
 Protocol: toAntreaProtocol(npPort.Protocol),
 Port: npPort.Port,
 }
 antreaServices = append(antreaServices, antreaService)
 }
- return antreaServices
+ return antreaServices, namedPortExists
 }
 // toAntreaIPBlock converts a networkingv1.IPBlock to an Antrea IPBlock.
@@ -524,10 +530,11 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 // Compute NetworkPolicyRule for Ingress Rule.
 for _, ingressRule := range np.Spec.Ingress {
 ingressRuleExists = true
+ services, namedPortExists := toAntreaServices(ingressRule.Ports)
 rules = append(rules, networking.NetworkPolicyRule{
 Direction: networking.DirectionIn,
- From: *n.toAntreaPeer(ingressRule.From, np, networking.DirectionIn),
- Services: toAntreaServices(ingressRule.Ports),
+ From: *n.toAntreaPeer(ingressRule.From, np, networking.DirectionIn, namedPortExists),
+ Services: services,
 Priority: defaultRulePriority,
 Action: &defaultAction,
 })
@@ -535,10 +542,11 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 // Compute NetworkPolicyRule for Egress Rule.
 for _, egressRule := range np.Spec.Egress {
 egressRuleExists = true
+ services, namedPortExists := toAntreaServices(egressRule.Ports)
 rules = append(rules, networking.NetworkPolicyRule{
 Direction: networking.DirectionOut,
- To: *n.toAntreaPeer(egressRule.To, np, networking.DirectionOut),
- Services: toAntreaServices(egressRule.Ports),
+ To: *n.toAntreaPeer(egressRule.To, np, networking.DirectionOut, namedPortExists),
+ Services: services,
 Priority: defaultRulePriority,
 Action: &defaultAction,
 })
@@ -575,25 +583,24 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 return internalNetworkPolicy
 }
-func (n *NetworkPolicyController) toAntreaPeer(peers []networkingv1.NetworkPolicyPeer, np *networkingv1.NetworkPolicy, dir networking.Direction) *networking.NetworkPolicyPeer {
+func (n *NetworkPolicyController) toAntreaPeer(peers []networkingv1.NetworkPolicyPeer, np *networkingv1.NetworkPolicy, dir networking.Direction, namedPortExists bool) *networking.NetworkPolicyPeer {
 var addressGroups []string
 // Empty NetworkPolicyPeer is supposed to match all addresses.
 // See https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-ingress-traffic.
 // It's treated as an IPBlock "0.0.0.0/0".
 if len(peers) == 0 {
- // For an ingress Peer, skip adding the AddressGroup matching all Pods
- // because in case of ingress Rule, the named Port resolution happens on
- // Pods in AppliedToGroup.
- if dir == networking.DirectionIn {
+ // For an egress Peer that specifies any named ports, it creates or
+ // reuses the AddressGroup matching all Pods in all Namespaces and
+ // appends the AddressGroup UID to the returned Peer such that it can be
+ // used to resolve the named ports.
+ // For other cases it uses the IPBlock "0.0.0.0/0" to avoid the overhead
+ // of handling member updates of the AddressGroup.
+ if dir == networking.DirectionIn || !namedPortExists {
 return &matchAllPeer
 }
- // For an egress Peer, create an AddressGroup matching all Pods in all
- // Namespaces such that it can be used to resolve named Ports. This
- // AddressGroup is set in the NetworkPolicyPeer of matchAllPeer.
 allPodsGroupUID := n.createAddressGroup(matchAllPodsPeer, np)
 podsPeer := matchAllPeer
- addressGroups = append(addressGroups, allPodsGroupUID)
- podsPeer.AddressGroups = addressGroups
+ podsPeer.AddressGroups = append(addressGroups, allPodsGroupUID)
 return &podsPeer
 }
 var ipBlocks []networking.IPBlock
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
index 3914cf988f0..dd46794b889 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -47,6 +47,19 @@ var alwaysReady = func() bool { return true }
 const informerDefaultResync time.Duration = 30 * time.Second
+var (
+ k8sProtocolUDP = v1.ProtocolUDP
+ k8sProtocolTCP = v1.ProtocolTCP
+ k8sProtocolSCTP = v1.ProtocolSCTP
+
+ protocolTCP = networking.ProtocolTCP
+
+ int80 = intstr.FromInt(80)
+ int81 = intstr.FromInt(81)
+
+ strHTTP = intstr.FromString("http")
+)
+
 type networkPolicyController struct {
 *NetworkPolicyController
 podStore cache.Store
@@ -114,9 +127,6 @@ func newClientset(objects ...runtime.Object) *fake.Clientset {
 }
 func TestAddNetworkPolicy(t *testing.T) {
- protocolTCP := networking.ProtocolTCP
- intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81)
- int80, int81 := intstr.FromInt(80), intstr.FromInt(81)
 selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
 selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}}
 selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}}
@@ -157,7 +167,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 expAddressGroups: 0,
 },
 {
- name: "default-allow-egress",
+ name: "default-allow-egress-without-named-port",
 inputPolicy: &networkingv1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "npB", UID: "uidB"},
 Spec: networkingv1.NetworkPolicySpec{
@@ -172,7 +182,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 Namespace: "nsA",
 Rules: []networking.NetworkPolicyRule{{
 Direction: networking.DirectionOut,
- To: matchAllPeerEgress,
+ To: matchAllPeer,
 Services: nil,
 Priority: defaultRulePriority,
 Action: &defaultAction,
@@ -180,6 +190,46 @@ func TestAddNetworkPolicy(t *testing.T) {
 AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &metav1.LabelSelector{}, nil).NormalizedName)},
 },
 expAppliedToGroups: 1,
+ expAddressGroups: 0,
+ },
+ {
+ name: "default-allow-egress-with-named-port",
+ inputPolicy: &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "npB", UID: "uidB"},
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{},
+ PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: &k8sProtocolTCP,
+ Port: &strHTTP,
+ },
+ },
+ },
+ },
+ },
+ },
+ expPolicy: &antreatypes.NetworkPolicy{
+ UID: "uidB",
+ Name: "npB",
+ Namespace: "nsA",
+ Rules: []networking.NetworkPolicyRule{{
+ Direction: networking.DirectionOut,
+ To: matchAllPeerEgress,
+ Services: []networking.Service{
+ {
+ Protocol: &protocolTCP,
+ Port: &strHTTP,
+ },
+ },
+ Priority: defaultRulePriority,
+ Action: &defaultAction,
+ }},
+ AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &metav1.LabelSelector{}, nil).NormalizedName)},
+ },
+ expAppliedToGroups: 1,
 expAddressGroups: 1,
 },
 {
@@ -234,7 +284,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr80,
+ Port: &int80,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -249,7 +299,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr81,
+ Port: &int81,
 },
 },
 To: []networkingv1.NetworkPolicyPeer{
@@ -311,7 +361,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr80,
+ Port: &int80,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -323,7 +373,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr81,
+ Port: &int81,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -1552,17 +1602,14 @@ func TestGenerateNormalizedName(t *testing.T) {
 }
 func TestToAntreaProtocol(t *testing.T) {
- udpProto := v1.ProtocolUDP
- tcpProto := v1.ProtocolTCP
- sctpProto := v1.ProtocolSCTP
 tables := []struct {
 proto *v1.Protocol
 expInternalProto networking.Protocol
 }{
 {nil, networking.ProtocolTCP},
- {&udpProto, networking.ProtocolUDP},
- {&tcpProto, networking.ProtocolTCP},
- {&sctpProto, networking.ProtocolSCTP},
+ {&k8sProtocolUDP, networking.ProtocolUDP},
+ {&k8sProtocolTCP, networking.ProtocolTCP},
+ {&k8sProtocolSCTP, networking.ProtocolSCTP},
 }
 for _, table := range tables {
 protocol := toAntreaProtocol(table.proto)
@@ -1573,32 +1620,46 @@ func TestToAntreaProtocol(t *testing.T) {
 }
 func TestToAntreaServices(t *testing.T) {
- tcpProto := v1.ProtocolTCP
- portNum := intstr.FromInt(80)
 tables := []struct {
- ports []networkingv1.NetworkPolicyPort
- expValues []networking.Service
+ ports []networkingv1.NetworkPolicyPort
+ expSedrvices []networking.Service
+ expNamedPortExists bool
 }{
 {
- getK8sNetworkPolicyPorts(tcpProto),
- []networking.Service{
+ ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: &k8sProtocolTCP,
+ Port: &int80,
+ },
+ },
+ expSedrvices: []networking.Service{
+ {
+ Protocol: toAntreaProtocol(&k8sProtocolTCP),
+ Port: &int80,
+ },
+ },
+ expNamedPortExists: false,
+ },
+ {
+ ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: &k8sProtocolTCP,
+ Port: &strHTTP,
+ },
+ },
+ expSedrvices: []networking.Service{
 {
- Protocol: toAntreaProtocol(&tcpProto),
- Port: &portNum,
+ Protocol: toAntreaProtocol(&k8sProtocolTCP),
+ Port: &strHTTP,
 },
 },
+ expNamedPortExists: true,
 },
 }
 for _, table := range tables {
- services := toAntreaServices(table.ports)
- service := services[0]
- expValue := table.expValues[0]
- if *service.Protocol != *expValue.Protocol {
- t.Errorf("Unexpected Antrea Protocol in Antrea Service. Expected %v, got %v", *expValue.Protocol, *service.Protocol)
- }
- if *service.Port != *expValue.Port {
- t.Errorf("Unexpected Antrea Port in Antrea Service. Expected %v, got %v", *expValue.Port, *service.Port)
- }
+ services, namedPortExist := toAntreaServices(table.ports)
+ assert.Equal(t, table.expSedrvices, services)
+ assert.Equal(t, table.expNamedPortExists, namedPortExist)
 }
 }
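Review bot: The new table field is spelled `expSedrvices` in its declaration, in both case literals and in the assertion; the parallel TestToAntreaServicesForCRD in clusternetworkpolicy_test.go names the same field `expServices`, and the typo will be copied into any future case added to this table. Rename it to `expServices` in all four places, ending with `assert.Equal(t, table.expServices, services)`. As with the CRD test, neither case exercises a nil Port or a slice that mixes a numeric and a named port, so the `npPort.Port != nil` guard and the any-of meaning of the bool remain untested.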
@@ -1673,10 +1734,11 @@ func TestToAntreaPeer(t *testing.T) {
 matchAllPodsPeer := matchAllPeer
 matchAllPodsPeer.AddressGroups = []string{getNormalizedUID(toGroupSelector("", nil, &selectorAll).NormalizedName)}
 tests := []struct {
- name string
- inPeers []networkingv1.NetworkPolicyPeer
- outPeer networking.NetworkPolicyPeer
- direction networking.Direction
+ name string
+ inPeers []networkingv1.NetworkPolicyPeer
+ outPeer networking.NetworkPolicyPeer
+ direction networking.Direction
+ namedPortExist bool
 }{
 {
 name: "pod-ns-selector-peer-ingress",
@@ -1789,16 +1851,23 @@ func TestToAntreaPeer(t *testing.T) {
 direction: networking.DirectionIn,
 },
 {
- name: "empty-peer-egress",
+ name: "empty-peer-egress-with-named-port",
+ inPeers: []networkingv1.NetworkPolicyPeer{},
+ outPeer: matchAllPodsPeer,
+ direction: networking.DirectionOut,
+ namedPortExist: true,
+ },
+ {
+ name: "empty-peer-egress-without-named-port",
 inPeers: []networkingv1.NetworkPolicyPeer{},
- outPeer: matchAllPodsPeer,
+ outPeer: matchAllPeer,
 direction: networking.DirectionOut,
 },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 _, npc := newController()
- actualPeer := npc.toAntreaPeer(tt.inPeers, testNPObj, tt.direction)
+ actualPeer := npc.toAntreaPeer(tt.inPeers, testNPObj, tt.direction, tt.namedPortExist)
 if !reflect.DeepEqual(tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) {
 t.Errorf("Unexpected AddressGroups in Antrea Peer conversion. Expected %v, got %v", tt.outPeer.AddressGroups, (*actualPeer).AddressGroups)
 }
@@ -1815,8 +1884,6 @@ func TestToAntreaPeer(t *testing.T) {
 }
 func TestProcessNetworkPolicy(t *testing.T) {
- protocolTCP := networking.ProtocolTCP
- intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81)
 selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
 selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}}
 selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}}
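Review bot: The new table field is `namedPortExist` here, while the field added to the otherwise line-for-line parallel TestToAntreaPeerForCRD in clusternetworkpolicy_test.go, and the parameter both feed, is `namedPortExists`; the odd one out is a small trap for anyone diffing the two tests. Renaming the field and its three uses to `namedPortExists` keeps them aligned, ending with `actualPeer := npc.toAntreaPeer(tt.inPeers, testNPObj, tt.direction, tt.namedPortExists)`. The `empty-peer-egress-without-named-port` case relies on the zero value of the new field; stating `namedPortExists: false,` explicitly would mirror the case above it and make the contrast the test is about visible.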
@@ -1882,7 +1949,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr80,
+ Port: &int80,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -1897,7 +1964,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr81,
+ Port: &int81,
 },
 },
 To: []networkingv1.NetworkPolicyPeer{
@@ -1923,7 +1990,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 Services: []networking.Service{
 {
 Protocol: &protocolTCP,
- Port: &intstr80,
+ Port: &int80,
 },
 },
 Priority: defaultRulePriority,
@@ -1937,7 +2004,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 Services: []networking.Service{
 {
 Protocol: &protocolTCP,
- Port: &intstr81,
+ Port: &int81,
 },
 },
 Priority: defaultRulePriority,
@@ -1959,7 +2026,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr80,
+ Port: &int80,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -1971,7 +2038,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 {
 Ports: []networkingv1.NetworkPolicyPort{
 {
- Port: &intstr81,
+ Port: &int81,
 },
 },
 From: []networkingv1.NetworkPolicyPeer{
@@ -1996,7 +2063,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 Services: []networking.Service{
 {
 Protocol: &protocolTCP,
- Port: &intstr80,
+ Port: &int80,
 },
 },
 Priority: defaultRulePriority,
@@ -2010,7 +2077,7 @@ func TestProcessNetworkPolicy(t *testing.T) {
 Services: []networking.Service{
 {
 Protocol: &protocolTCP,
- Port: &intstr81,
+ Port: &int81,
 },
 },
 Priority: defaultRulePriority,
@@ -2306,17 +2373,6 @@ func TestDeleteFinalStateUnknownNetworkPolicy(t *testing.T) {
 assert.True(t, ok, "Missing event on channel")
 }
-// util functions for testing.
-func getK8sNetworkPolicyPorts(proto v1.Protocol) []networkingv1.NetworkPolicyPort {
- portNum := intstr.FromInt(80)
- port := networkingv1.NetworkPolicyPort{
- Protocol: &proto,
- Port: &portNum,
- }
- ports := []networkingv1.NetworkPolicyPort{port}
- return ports
-}
-
 func getK8sNetworkPolicyObj() *networkingv1.NetworkPolicy {
 ns := metav1.NamespaceDefault
 npName := "testing-1"