OPRUN-3873: Add e2e tests for NetworkPolicies

anik120 · anik120 · commit 98150b65f0f3 · 2025-06-05T10:47:21.000-04:00
diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go
@@ -0,0 +1,247 @@
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	olmSystemNamespace      = "olmv1-system"
+	minJustificationLength  = 40
+	catalogdManagerSelector = "control-plane=catalogd-controller-manager"
+	operatorManagerSelector = "control-plane=operator-controller-controller-manager"
+)
+
+// IngressRule defines a k8s IngressRule, along with a justification.
+type IngressRule struct {
+	Ports         []networkingv1.NetworkPolicyPort
+	From          []networkingv1.NetworkPolicyPeer
+	Justification string
+}
+
+// EgressRule defines a k8s EgressRule, along with a justification.
+type EgressRule struct {
+	Ports         []networkingv1.NetworkPolicyPort
+	To            []networkingv1.NetworkPolicyPeer
+	Justification string
+}
+
+// AllowedPolicyDefinition defines the expected structure and justifications for a NetworkPolicy.
+type AllowedPolicyDefinition struct {
+	Selector                          metav1.LabelSelector
+	PolicyTypes                       []networkingv1.PolicyType
+	IngressRules                      []IngressRule
+	EgressRules                       []EgressRule
+	DenyAllIngressByTypeJustification string // Justification if Ingress is in PolicyTypes and IngressRules is empty
+	DenyAllEgressByTypeJustification  string // Justification if Egress is in PolicyTypes and EgressRules is empty
+}
+
+var allowedNetworkPolicies = map[string]AllowedPolicyDefinition{
+	"controller-manager.catalogd": {
+		Selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}},
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		IngressRules: []IngressRule{
+			{
+				Ports:         []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(7443)}},
+				Justification: "Allows Prometheus to scrape metrics from catalogd, providing observability into its performance and health. This is essential for monitoring.",
+			},
+			{
+				Ports:         []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(8443)}},
+				Justification: "Enables operator-controller to query catalog metadata from catalogd. This is a core function for bundle resolution and operator discovery.",
+			},
+			{
+				Ports:         []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(9443)}},
+				Justification: "Permits Kubernetes API server to reach catalogd's admission webhook for CRD validation, ensuring integrity of catalog resources.",
+			},
+		},
+		EgressRules: []EgressRule{
+			{
+				// Empty Ports and To means allow all egress
+				Justification: "Permits catalogd to fetch catalog images from various container registries and communicate with the Kubernetes API server for its operational needs.",
+			},
+		},
+	},
+	"controller-manager.operator-controller": {
+		Selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}},
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		IngressRules: []IngressRule{
+			{
+				Ports:         []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(8443)}},
+				Justification: "Allows Prometheus to scrape metrics from operator-controller, crucial for monitoring its activity, reconciliations, and overall health.",
+			},
+		},
+		EgressRules: []EgressRule{
+			{
+				// Empty Ports and To means allow all egress
+				Justification: "Enables operator-controller to pull bundle images, connect to catalogd's HTTPS server for metadata, and interact with the Kubernetes API server.",
+			},
+		},
+	},
+	"default-deny-all-traffic": {
+		Selector:    metav1.LabelSelector{}, // Empty selector, matches all pods
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		// No IngressRules means deny all ingress if PolicyTypeIngress is present
+		// No EgressRules means deny all egress if PolicyTypeEgress is present
+		DenyAllIngressByTypeJustification: "Denies all ingress traffic to pods selected by this policy by default, unless explicitly allowed by other policy rules, ensuring a baseline secure posture.",
+		DenyAllEgressByTypeJustification:  "Denies all egress traffic from pods selected by this policy by default, unless explicitly allowed by other policy rules, minimizing potential exfiltration paths.",
+	},
+}
+
+func TestNetworkPolicyJustifications(t *testing.T) {
+	ctx := context.Background()
+
+	// Validate justifications have min length
+	for name, policyDef := range allowedNetworkPolicies {
+		for i, rule := range policyDef.IngressRules {
+			assert.GreaterOrEqualf(t, len(rule.Justification), minJustificationLength,
+				"Justification for ingress rule %d in policy %q is too short: %q", i, name, rule.Justification)
+		}
+		for i, rule := range policyDef.EgressRules {
+			assert.GreaterOrEqualf(t, len(rule.Justification), minJustificationLength,
+				"Justification for egress rule %d in policy %q is too short: %q", i, name, rule.Justification)
+		}
+		if policyDef.DenyAllIngressByTypeJustification != "" {
+			assert.GreaterOrEqualf(t, len(policyDef.DenyAllIngressByTypeJustification), minJustificationLength,
+				"DenyAllIngressByTypeJustification for policy %q is too short: %q", name, policyDef.DenyAllIngressByTypeJustification)
+		}
+		if policyDef.DenyAllEgressByTypeJustification != "" {
+			assert.GreaterOrEqualf(t, len(policyDef.DenyAllEgressByTypeJustification), minJustificationLength,
+				"DenyAllEgressByTypeJustification for policy %q is too short: %q", name, policyDef.DenyAllEgressByTypeJustification)
+		}
+	}
+
+	networkPolicyList := &networkingv1.NetworkPolicyList{}
+	err := c.List(ctx, networkPolicyList, client.InNamespace(olmSystemNamespace))
+	require.NoError(t, err, "Failed to list NetworkPolicies in namespace %q", olmSystemNamespace)
+
+	validatedRegistryPolicies := make(map[string]bool)
+
+	for _, clusterPolicyItem := range networkPolicyList.Items {
+		clusterPolicy := clusterPolicyItem
+		policyName := clusterPolicy.Name
+
+		t.Run(fmt.Sprintf("Policy_%s", strings.ReplaceAll(policyName, "-", "_")), func(t *testing.T) {
+			expectedPolicy, found := allowedNetworkPolicies[policyName]
+			require.Truef(t, found, "NetworkPolicy %q found in cluster but not in allowed registry. Namespace: %s", policyName, clusterPolicy.Namespace)
+			validatedRegistryPolicies[policyName] = true
+
+			// 1. Compare PodSelector
+			assert.True(t, equality.Semantic.DeepEqual(expectedPolicy.Selector, clusterPolicy.Spec.PodSelector),
+				"PodSelector mismatch for policy %q. Expected: %+v, Got: %+v", policyName, expectedPolicy.Selector, clusterPolicy.Spec.PodSelector)
+
+			// 2. Compare PolicyTypes
+			require.ElementsMatchf(t, expectedPolicy.PolicyTypes, clusterPolicy.Spec.PolicyTypes,
+				"PolicyTypes mismatch for policy %q.", policyName)
+
+			// 3. Validate Ingress Rules
+			hasIngressPolicyType := false
+			for _, pt := range clusterPolicy.Spec.PolicyTypes {
+				if pt == networkingv1.PolicyTypeIngress {
+					hasIngressPolicyType = true
+					break
+				}
+			}
+
+			if hasIngressPolicyType {
+				if len(clusterPolicy.Spec.Ingress) == 0 {
+					require.Emptyf(t, expectedPolicy.IngressRules,
+						"Policy %q: cluster has no ingress rules (deny all), but registry expects specific ingress rules.", policyName)
+					require.NotEmptyf(t, expectedPolicy.DenyAllIngressByTypeJustification,
+						"Policy %q: cluster has no ingress rules (deny all), but registry has no DenyAllIngressByTypeJustification.", policyName)
+				} else {
+					require.NotEmptyf(t, expectedPolicy.IngressRules,
+						"Policy %q: cluster has ingress rules, but registry expects no specific ingress rules.", policyName)
+					require.Emptyf(t, expectedPolicy.DenyAllIngressByTypeJustification,
+						"Policy %q: cluster has ingress rules, but registry also has DenyAllIngressByTypeJustification.", policyName)
+					require.Lenf(t, clusterPolicy.Spec.Ingress, len(expectedPolicy.IngressRules),
+						"Policy %q: mismatch in number of ingress rules.", policyName)
+
+					for i, clusterRule := range clusterPolicy.Spec.Ingress {
+						expectedRule := expectedPolicy.IngressRules[i]
+						assert.True(t, equality.Semantic.DeepEqual(expectedRule.Ports, clusterRule.Ports),
+							"Policy %q, Ingress Rule %d: Ports mismatch.\nExpected: %+v\nGot:      %+v", policyName, i, expectedRule.Ports, clusterRule.Ports)
+						assert.True(t, equality.Semantic.DeepEqual(expectedRule.From, clusterRule.From),
+							"Policy %q, Ingress Rule %d: From mismatch.\nExpected: %+v\nGot:      %+v", policyName, i, expectedRule.From, clusterRule.From)
+						assert.GreaterOrEqualf(t, len(expectedRule.Justification), minJustificationLength,
+							"Policy %q, Ingress Rule %d: Justification is too short: %q", policyName, i, expectedRule.Justification)
+					}
+				}
+			} else {
+				require.Emptyf(t, clusterPolicy.Spec.Ingress, "Policy %q does not include Ingress in PolicyTypes, but has Ingress rules defined.", policyName)
+				require.Emptyf(t, expectedPolicy.IngressRules, "Policy %q does not include Ingress in PolicyTypes, but registry expects ingress rules.", policyName)
+				require.Emptyf(t, expectedPolicy.DenyAllIngressByTypeJustification, "Policy %q does not include Ingress in PolicyTypes, but registry has DenyAllIngressByTypeJustification.", policyName)
+			}
+
+			// 4. Validate Egress Rules
+			hasEgressPolicyType := false
+			for _, pt := range clusterPolicy.Spec.PolicyTypes {
+				if pt == networkingv1.PolicyTypeEgress {
+					hasEgressPolicyType = true
+					break
+				}
+			}
+
+			if hasEgressPolicyType {
+				if len(clusterPolicy.Spec.Egress) == 0 {
+					require.Emptyf(t, expectedPolicy.EgressRules,
+						"Policy %q: cluster has no egress rules (deny all), but registry expects specific egress rules.", policyName)
+					require.NotEmptyf(t, expectedPolicy.DenyAllEgressByTypeJustification,
+						"Policy %q: cluster has no egress rules (deny all), but registry has no DenyAllEgressByTypeJustification.", policyName)
+				} else {
+					require.NotEmptyf(t, expectedPolicy.EgressRules,
+						"Policy %q: cluster has egress rules, but registry expects no specific egress rules.", policyName)
+					require.Emptyf(t, expectedPolicy.DenyAllEgressByTypeJustification,
+						"Policy %q: cluster has egress rules, but registry also has DenyAllEgressByTypeJustification.", policyName)
+					require.Lenf(t, clusterPolicy.Spec.Egress, len(expectedPolicy.EgressRules),
+						"Policy %q: mismatch in number of egress rules.", policyName)
+
+					for i, clusterRule := range clusterPolicy.Spec.Egress {
+						expectedRule := expectedPolicy.EgressRules[i]
+						assert.True(t, equality.Semantic.DeepEqual(expectedRule.Ports, clusterRule.Ports),
+							"Policy %q, Egress Rule %d: Ports mismatch.\nExpected: %+v\nGot:      %+v", policyName, i, expectedRule.Ports, clusterRule.Ports)
+						assert.True(t, equality.Semantic.DeepEqual(expectedRule.To, clusterRule.To),
+							"Policy %q, Egress Rule %d: To mismatch.\nExpected: %+v\nGot:      %+v", policyName, i, expectedRule.To, clusterRule.To)
+						assert.GreaterOrEqualf(t, len(expectedRule.Justification), minJustificationLength,
+							"Policy %q, Egress Rule %d: Justification is too short: %q", policyName, i, expectedRule.Justification)
+					}
+				}
+			} else {
+				require.Emptyf(t, clusterPolicy.Spec.Egress, "Policy %q does not include Egress in PolicyTypes, but has Egress rules defined.", policyName)
+				require.Emptyf(t, expectedPolicy.EgressRules, "Policy %q does not include Egress in PolicyTypes, but registry expects egress rules.", policyName)
+				require.Emptyf(t, expectedPolicy.DenyAllEgressByTypeJustification, "Policy %q does not include Egress in PolicyTypes, but registry has DenyAllEgressByTypeJustification.", policyName)
+			}
+		})
+	}
+
+	// 5. Ensure all policies in the registry were found in the cluster
+	assert.Equal(t, len(allowedNetworkPolicies), len(validatedRegistryPolicies),
+		"Mismatch between number of expected policies in registry (%d) and number of policies found & validated in cluster (%d). Missing policies from registry: %v", len(allowedNetworkPolicies), len(validatedRegistryPolicies), missingPolicies(allowedNetworkPolicies, validatedRegistryPolicies))
+}
+
+// Helper function to create a pointer to intstr.IntOrString from an int
+func intOrStrPtr(port int32) *intstr.IntOrString {
+	val := intstr.FromInt(int(port))
+	return &val
+}
+
+func missingPolicies(expected map[string]AllowedPolicyDefinition, actual map[string]bool) []string {
+	missing := []string{}
+	for k := range expected {
+		if !actual[k] {
+			missing = append(missing, k)
+		}
+	}
+	return missing
+}
