add e2e test for networkpolicy of openshift-config-operator

[zhouying7780]

No description provided.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhouying7780
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• test/extended/networking/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 090d7cbb-7e26-408c-aafd-ad9a69ea3408

📥 Commits

Reviewing files that changed from the base of the PR and between 8cf1f04 and 50f9fb9.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/extended/networking/config_operator_networkpolicy.go

---

Walkthrough

Adds a new Ginkgo end-to-end test suite that validates NetworkPolicy behavior by creating ephemeral server and client pods to verify connectivity across IPv4/IPv6, exercising deny/allow ingress/egress rules, and checking OpenShift config-operator NetworkPolicy enforcement including DNS egress handling and namespace-level policy enumeration.

Changes

Cohort / File(s)

Summary

NetworkPolicy Test Suite test/extended/networking/config_operator_networkpolicy.go

New Ginkgo/Gomega test file (+~636 lines) adding end-to-end tests for NetworkPolicy enforcement: pod readiness and short-lived client connectivity checks (agnhost/netexec) across IPv4/IPv6; default-deny, ingress-allow, egress-allow scenarios; OpenShift config-operator policy validation (port-specific allow/deny, DNS egress detection and checks); namespace policy enumeration and pod readiness verification. Includes helper functions for pod creation, IP formatting, policy construction, polling/wait logic, and DNS service IP retrieval.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/extended/networking/config_operator_networkpolicy.go (2)

38-43: Remove misplaced defer ginkgo.GinkgoRecover().

GinkgoRecover() is intended for use inside goroutines spawned within test specs to catch panics. At the Describe block level, it has no effect since the function returns immediately after registering callbacks.

Suggested fix

 var _ = ginkgo.Describe("[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy", func() {
-	defer ginkgo.GinkgoRecover()
-
 	oc := exutil.NewCLI("config-operator-networkpolicy-e2e")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 38 -
43, Remove the misplaced defer ginkgo.GinkgoRecover() call from the top-level
ginkgo.Describe block (the Describe closure where oc := exutil.NewCLI... and f
:= oc.KubeFramework() are defined); GinkgoRecover() should only be used inside
goroutines spawned in specs, so simply delete the line "defer
ginkgo.GinkgoRecover()" from that Describe function (no other changes required
unless you add goroutines, in which case call ginkgo.GinkgoRecover() inside
those goroutines).

---

423-435: wait.PollImmediate is deprecated—migrate to wait.PollUntilContextTimeout.

The deprecation is documented in k8s.io/apimachinery and explicitly recommends PollUntilContextTimeout as the replacement. This applies to all four usages in this file (lines 425, 457, 534, 552).

Example migration for expectConnectivityForIP

-	err := wait.PollImmediate(5*time.Second, 2*time.Minute, func() (bool, error) {
+	err := wait.PollUntilContextTimeout(context.Background(), 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
 		succeeded, err := runConnectivityCheck(kubeClient, namespace, clientLabels, serverIP, port)
 		if err != nil {
 			return false, err
 		}
 		return succeeded == shouldSucceed, nil
 	})

The true parameter sets immediate mode, matching PollImmediate behavior. No need for nested context timeouts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 423 -
435, Replace wait.PollImmediate calls with wait.PollUntilContextTimeout using a
background context and immediate=true to preserve behavior: for example in
expectConnectivityForIP (and the three other occurrences in this file) create a
ctx (e.g., context.Background()) and call wait.PollUntilContextTimeout(ctx,
5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) { /*
move existing body here, change closure signature to accept ctx and return
(bool,error) */ }), leaving the existing connectivity check logic and
gomega.Expect unchanged; ensure any inner closure returns the same success
boolean and error as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 525-530: The code dereferences
ContainerStatuses[0].State.Terminated without guarding for nil, which can panic;
in the function waiting for pod completion (e.g., waitForPodCompletion) check
that completed.Status.ContainerStatuses is non-empty and that
ContainerStatuses[0].State is non-nil and ContainerStatuses[0].State.Terminated
is non-nil before reading ExitCode, and if Terminated is nil return a
descriptive error (including namespace/name) instead of proceeding; update the
logic around exitCode/return to only compute exitCode when Terminated exists and
otherwise surface the error so framework.Logf and the boolean result aren't
based on a nil dereference.

---

Nitpick comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 38-43: Remove the misplaced defer ginkgo.GinkgoRecover() call from
the top-level ginkgo.Describe block (the Describe closure where oc :=
exutil.NewCLI... and f := oc.KubeFramework() are defined); GinkgoRecover()
should only be used inside goroutines spawned in specs, so simply delete the
line "defer ginkgo.GinkgoRecover()" from that Describe function (no other
changes required unless you add goroutines, in which case call
ginkgo.GinkgoRecover() inside those goroutines).
- Around line 423-435: Replace wait.PollImmediate calls with
wait.PollUntilContextTimeout using a background context and immediate=true to
preserve behavior: for example in expectConnectivityForIP (and the three other
occurrences in this file) create a ctx (e.g., context.Background()) and call
wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx
context.Context) (bool, error) { /* move existing body here, change closure
signature to accept ctx and return (bool,error) */ }), leaving the existing
connectivity check logic and gomega.Expect unchanged; ensure any inner closure
returns the same success boolean and error as before.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7640fa04-74a9-4944-a68b-e94f16a687b9

📥 Commits

Reviewing files that changed from the base of the PR and between 3318a72 and 8cf1f04.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[zhouying7780]

/retest-required

[openshift-trt]

Job Failure Risk Analysis for sha: 8cf1f04

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6230 runs on release 4.22 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6230 runs on release 4.22 [Overall] in the last week.

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 8cf1f04

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit

New tests seen in this PR at sha: 8cf1f04

• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 9, Fail: 1, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 2, Fail: 8, Flake: 0]

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[zhouying7780]

/test e2e-vsphere-ovn

[zhouying7780]

/test e2e-gcp-ovn

[zhouying7780]

/test e2e-vsphere-ovn-upi

[zhouying7780]

/test e2e-metal-ipi-ovn-ipv6

[zhouying7780]

/test e2e-aws-ovn-fips

[openshift-ci]

@zhouying7780: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-vsphere-ovn-upi	50f9fb9	link	true	/test e2e-vsphere-ovn-upi
ci/prow/e2e-vsphere-ovn	50f9fb9	link	true	/test e2e-vsphere-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6	50f9fb9	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn-fips	50f9fb9	link	true	/test e2e-aws-ovn-fips
ci/prow/e2e-gcp-ovn	50f9fb9	link	true	/test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Job Failure Risk Analysis for sha: 50f9fb9

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6346 runs on release 4.22 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6346 runs on release 4.22 [Overall] in the last week.

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 50f9fb9

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).

New tests seen in this PR at sha: 50f9fb9

• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 9, Fail: 1, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 3, Fail: 7, Flake: 0]