Skip to content

Add e2e test to detect named ports in NetworkPolicies#31375

Open
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:nettpol
Open

Add e2e test to detect named ports in NetworkPolicies#31375
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:nettpol

Conversation

@machine424

@machine424 machine424 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Some network plugins (e.g. OVN-Kubernetes) do not support named ports in NetworkPolicies and may silently convert them into allow-all rules. Add a test that lists all cluster NetworkPolicies and fails if any use named ports instead of numeric ones, with a skip list for now.

Summary by CodeRabbit

  • Tests
    • Added a new validation test suite for cluster NetworkPolicy resources to ensure ports are specified numerically.
    • The test reviews both ingress and egress rules across namespaces and reports any policies that still use named ports, excluding a small set of known exceptions.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@machine424

Copy link
Copy Markdown
Contributor Author

/pipeline required

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ad2c7744-6f3c-4ad4-9c97-71b3debec935

📥 Commits

Reviewing files that changed from the base of the PR and between f3bcd07 and 419f494.

📒 Files selected for processing (1)
  • test/extended/networking/networkpolicy_validation.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/extended/networking/networkpolicy_validation.go

Walkthrough

Adds a Ginkgo test that lists all cluster NetworkPolicies, skips known exceptions, scans ingress and egress ports for named ports, and fails when violations are found.

Changes

NetworkPolicy Port Validation Test

Layer / File(s) Summary
Test setup and validation logic
test/extended/networking/networkpolicy_validation.go
Adds a Ginkgo test that lists NetworkPolicies, skips known exceptions, checks ingress and egress port types, and asserts no violations.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: jluhrsen, martinkennelly

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: a new e2e test that detects named ports in NetworkPolicies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The only Ginkgo titles are static strings; no dynamic names, timestamps, or generated identifiers appear.
Test Structure And Quality ✅ Passed PASS: One focused It only reads NetworkPolicies, creates no resources, uses no waits/Eventually, and has clear failure messages; client usage matches repo patterns.
Microshift Test Compatibility ✅ Passed The new test only uses Kubernetes NetworkPolicy APIs with [apigroup:networking.k8s.io] and no MicroShift-unsupported OpenShift APIs or resources.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new Ginkgo test only lists NetworkPolicies and checks their ports; it has no multi-node assumptions and no SNO-specific skip is needed.
Topology-Aware Scheduling Compatibility ✅ Passed Adds only an e2e validation test; no manifests, controllers, replicas, affinity, or node selectors were introduced.
Ote Binary Stdout Contract ✅ Passed PASS: the new file has no main/init/TestMain/BeforeSuite/AfterSuite or top-level stdout writes; its only logging (e2e.Logf) is inside an It block.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The new Ginkgo test only lists cluster NetworkPolicies and checks ports; it contains no IPv4 literals, IP parsing, host formatting, or external connectivity.
No-Weak-Crypto ✅ Passed Changed file is a NetworkPolicy numeric-port test; it contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed Only changed file is a Go e2e test; no K8s/container manifests or privilege flags were added.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The new test only logs NetworkPolicy namespace/name and named port strings; it does not emit passwords, tokens, PII, or other sensitive data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/extended/networking/networkpolicy_validation.go (2)

39-39: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Typo: "Sone CNI" → "Some CNI".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/networking/networkpolicy_validation.go` at line 39, Fix the
typo in the comment inside the NetworkPolicy validation test by changing the
wording in the nearby comment under the networking validation logic from “Sone
CNI” to “Some CNI”; this is only a text correction and should be applied where
the comment mentions named ports in NetworkPolicies.

43-46: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Use a bounded context instead of context.Background().

The List call has no deadline, so it can hang indefinitely if the API server is slow or unresponsive.

⏱️ Suggested fix
-		ctx := context.Background()
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		defer cancel()

(remember to add "time" to imports)

As per path instructions, Go code should use context.Context for cancellation and timeouts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/networking/networkpolicy_validation.go` around lines 43 - 46,
The NetworkPolicies list call is using an unbounded context, so it can hang
indefinitely if the API server is slow. Update the NetworkPolicy validation test
to use a bounded context with timeout instead of `context.Background()` near the
`List` call in the validation flow, and add the needed `time` import when
creating that timeout-based context.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/networking/networkpolicy_validation.go`:
- Line 39: Fix the typo in the comment inside the NetworkPolicy validation test
by changing the wording in the nearby comment under the networking validation
logic from “Sone CNI” to “Some CNI”; this is only a text correction and should
be applied where the comment mentions named ports in NetworkPolicies.
- Around line 43-46: The NetworkPolicies list call is using an unbounded
context, so it can hang indefinitely if the API server is slow. Update the
NetworkPolicy validation test to use a bounded context with timeout instead of
`context.Background()` near the `List` call in the validation flow, and add the
needed `time` import when creating that timeout-based context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28d1c930-b729-45ed-80e8-b0124854a545

📥 Commits

Reviewing files that changed from the base of the PR and between a40276a and f3bcd07.

📒 Files selected for processing (1)
  • test/extended/networking/networkpolicy_validation.go

@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 9, 2026
@openshift-ci
openshift-ci Bot requested review from jluhrsen and martinkennelly July 9, 2026 16:29
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: machine424
Once this PR has been reviewed and has the lgtm label, please assign kyrtapz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-trt

openshift-trt Bot commented Jul 9, 2026

Copy link
Copy Markdown

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: f3bcd07

  • "[sig-network] NetworkPolicy should use numeric ports in all platform NetworkPolicies [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]

Some network plugins (e.g. OVN-Kubernetes) do not support named ports in
NetworkPolicies and may silently convert them into allow-all rules. Add
a test that lists all cluster NetworkPolicies and fails if
any use named ports instead of numeric ones, with a skip list for now.
// Known NetworkPolicies that still use named ports.
// Each entry is "namespace/name".
// TODO: remove entries as the owning teams fix them.
networkPoliciesToSkip := []string{

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OCPBUGS
TODO

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@machine424: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-serial-2of2 419f494 link true /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-vsphere-ovn-upi 419f494 link true /test e2e-vsphere-ovn-upi
ci/prow/e2e-gcp-ovn 419f494 link true /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant