Merge pull request #55186 from bcreane/named-port-egress

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. NetworkPolicy e2e: named port egress test **What this PR does / why we need it**: Add an e2e NetworkPolicy test that ensures that an egress rule that specifies a named port properly applies to egress traffic. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #52040 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
2017-11-19 19:57:17 -08:00 · 2017-11-19 19:57:17 -08:00 · dcdb423ef4
parent 6b97376a53 1e7f01e9a2
commit dcdb423ef4
1 changed files with 42 additions and 0 deletions
--- a/test/e2e/network/network_policy.go
+++ b/test/e2e/network/network_policy.go
@ -310,6 +310,48 @@ var _ = SIGDescribe("NetworkPolicy", func() {
 				testCannotConnect(f, f.Namespace, "client-b", service, 81)
 			})
 		})
+
+		It("should allow egress access on one named port [Feature:NetworkPolicy]", func() {
+			clientPodName := "client-a"
+			protocolUDP := v1.ProtocolUDP
+			policy := &networkingv1.NetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "allow-client-a-via-named-port-egress-rule",
+				},
+				Spec: networkingv1.NetworkPolicySpec{
+					// Apply this policy to client-a
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"pod-name": clientPodName,
+						},
+					},
+					// Allow traffic to only one named port: "serve-80".
+					Egress: []networkingv1.NetworkPolicyEgressRule{{
+						Ports: []networkingv1.NetworkPolicyPort{
+							{
+								Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80"},
+							},
+							// Allow DNS look-ups
+							{
+								Protocol: &protocolUDP,
+								Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
+							},
+						},
+					}},
+				},
+			}
+
+			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(policy)
+			Expect(err).NotTo(HaveOccurred())
+			defer cleanupNetworkPolicy(f, policy)
+
+			By("Creating client-a which should be able to contact the server.", func() {
+				testCanConnect(f, f.Namespace, clientPodName, service, 80)
+			})
+			By("Creating client-a which should not be able to contact the server on port 81.", func() {
+				testCannotConnect(f, f.Namespace, clientPodName, service, 81)
+			})
+		})
 	})
 })