OPRUN-3873: Add e2e tests for NetworkPolicies

anik120 · anik120 · commit 6091ffa83e9b · 2025-06-05T14:38:42.000-04:00
diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go
@@ -0,0 +1,251 @@
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	olmSystemNamespace      = "olmv1-system"
+	minJustificationLength  = 40
+	catalogdManagerSelector = "control-plane=catalogd-controller-manager"
+	operatorManagerSelector = "control-plane=operator-controller-controller-manager"
+)
+
+type PortWithJustification struct {
+	Port          []networkingv1.NetworkPolicyPort
+	Justification string
+}
+
+// IngressRule defines a k8s IngressRule, along with a justification.
+type IngressRule struct {
+	Ports []PortWithJustification
+	From  []networkingv1.NetworkPolicyPeer
+}
+
+// EgressRule defines a k8s EgressRule, along with a justification.
+type EgressRule struct {
+	Ports []PortWithJustification
+	To    []networkingv1.NetworkPolicyPeer
+}
+
+// AllowedPolicyDefinition defines the expected structure and justifications for a NetworkPolicy.
+type AllowedPolicyDefinition struct {
+	Selector                          metav1.LabelSelector
+	PolicyTypes                       []networkingv1.PolicyType
+	IngressRule                       IngressRule
+	EgressRule                        EgressRule
+	DenyAllIngressByTypeJustification string // Justification if Ingress is in PolicyTypes and IngressRules is empty
+	DenyAllEgressByTypeJustification  string // Justification if Egress is in PolicyTypes and EgressRules is empty
+}
+
+var allowedNetworkPolicies = map[string]AllowedPolicyDefinition{
+	"catalogd-controller-manager": {
+		Selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}},
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		IngressRule: IngressRule{
+			Ports: []PortWithJustification{
+				{
+					Port:          []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(8443)}},
+					Justification: "Allows Prometheus to scrape metrics from catalogd, which is essential for monitoring its performance and health.",
+				},
+				{
+					Port:          []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(9443)}},
+					Justification: "Permits Kubernetes API server to reach catalogd's mutating admission webhook, ensuring integrity of catalog resources.",
+				},
+				{
+					Port:          []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(7443)}},
+					Justification: "Enables clients (eg. operator-controller) to query catalog metadata from catalogd, which is a core function for bundle resolution and operator discovery.",
+				},
+			},
+		},
+		EgressRule: EgressRule{
+			Ports: []PortWithJustification{
+				{
+					Port:          nil, // Empty Ports means allow all egress
+					Justification: "Permits catalogd to fetch catalog images from arbitrary container registries and communicate with the Kubernetes API server for its operational needs.",
+				},
+			},
+		},
+	},
+	"operator-controller-controller-manager": {
+		Selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}},
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		IngressRule: IngressRule{
+			Ports: []PortWithJustification{
+				{
+					Port:          []networkingv1.NetworkPolicyPort{{Protocol: ptr.To(corev1.ProtocolTCP), Port: intOrStrPtr(8443)}},
+					Justification: "Allows Prometheus to scrape metrics from operator-controller, which is crucial for monitoring its activity, reconciliations, and overall health.",
+				},
+			},
+		},
+		EgressRule: EgressRule{
+			Ports: []PortWithJustification{
+				{
+					Port:          nil, // Empty Ports means allow all egress
+					Justification: "Enables operator-controller to pull bundle images from arbitrary image registries, connect to catalogd's HTTPS server for metadata, and interact with the Kubernetes API server.",
+				},
+			},
+		},
+	},
+	"default-deny-all-traffic": {
+		Selector:    metav1.LabelSelector{}, // Empty selector, matches all pods
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+		// No IngressRules means deny all ingress if PolicyTypeIngress is present
+		// No EgressRules means deny all egress if PolicyTypeEgress is present
+		DenyAllIngressByTypeJustification: "Denies all ingress traffic to pods selected by this policy by default, unless explicitly allowed by other policy rules, ensuring a baseline secure posture.",
+		DenyAllEgressByTypeJustification:  "Denies all egress traffic from pods selected by this policy by default, unless explicitly allowed by other policy rules, minimizing potential exfiltration paths.",
+	},
+}
+
+func TestNetworkPolicyJustifications(t *testing.T) {
+	ctx := context.Background()
+
+	// Validate justifications have min length
+	for name, policyDef := range allowedNetworkPolicies {
+		for i, pwj := range policyDef.IngressRule.Ports {
+			assert.GreaterOrEqualf(t, len(pwj.Justification), minJustificationLength,
+				"Justification for ingress rule %d in policy %q is too short: %q", i, name, pwj.Justification)
+		}
+		for i, rule := range policyDef.EgressRule.Ports {
+			assert.GreaterOrEqualf(t, len(rule.Justification), minJustificationLength,
+				"Justification for egress rule %d in policy %q is too short: %q", i, name, rule.Justification)
+		}
+		if policyDef.DenyAllIngressByTypeJustification != "" {
+			assert.GreaterOrEqualf(t, len(policyDef.DenyAllIngressByTypeJustification), minJustificationLength,
+				"DenyAllIngressByTypeJustification for policy %q is too short: %q", name, policyDef.DenyAllIngressByTypeJustification)
+		}
+		if policyDef.DenyAllEgressByTypeJustification != "" {
+			assert.GreaterOrEqualf(t, len(policyDef.DenyAllEgressByTypeJustification), minJustificationLength,
+				"DenyAllEgressByTypeJustification for policy %q is too short: %q", name, policyDef.DenyAllEgressByTypeJustification)
+		}
+	}
+
+	networkPolicyList := &networkingv1.NetworkPolicyList{}
+	err := c.List(ctx, networkPolicyList, client.InNamespace(olmSystemNamespace))
+	require.NoError(t, err, "Failed to list NetworkPolicies in namespace %q", olmSystemNamespace)
+
+	validatedRegistryPolicies := make(map[string]bool)
+
+	for _, clusterPolicyItem := range networkPolicyList.Items {
+		clusterPolicy := clusterPolicyItem
+		policyName := clusterPolicy.Name
+
+		t.Run(fmt.Sprintf("Policy_%s", strings.ReplaceAll(policyName, "-", "_")), func(t *testing.T) {
+			expectedPolicy, found := allowedNetworkPolicies[policyName]
+			require.Truef(t, found, "NetworkPolicy %q found in cluster but not in allowed registry. Namespace: %s", policyName, clusterPolicy.Namespace)
+			validatedRegistryPolicies[policyName] = true
+
+			// 1. Compare PodSelector
+			assert.True(t, equality.Semantic.DeepEqual(expectedPolicy.Selector, clusterPolicy.Spec.PodSelector),
+				"PodSelector mismatch for policy %q. Expected: %+v, Got: %+v", policyName, expectedPolicy.Selector, clusterPolicy.Spec.PodSelector)
+
+			// 2. Compare PolicyTypes
+			require.ElementsMatchf(t, expectedPolicy.PolicyTypes, clusterPolicy.Spec.PolicyTypes,
+				"PolicyTypes mismatch for policy %q.", policyName)
+
+			// 3. Validate Ingress Rules
+			if len(clusterPolicy.Spec.Ingress) > 0 {
+				if len(clusterPolicy.Spec.Ingress[0].Ports) == 0 { // Cluster policy denies all ingress
+					// Expect DenyAll justification and no specific IngressRule.Ports in our definition
+					require.Emptyf(t, expectedPolicy.IngressRule.Ports,
+						"Policy %q: cluster has no ingress rules (denies all), but registry IngressRule.Ports is not empty.", policyName)
+					require.Emptyf(t, expectedPolicy.IngressRule.From,
+						"Policy %q: cluster has no ingress rules (denies all), but registry IngressRule.From is not empty.", policyName)
+					require.NotEmptyf(t, expectedPolicy.DenyAllIngressByTypeJustification,
+						"Policy %q: cluster has no ingress rules (denies all), but registry has no DenyAllIngressByTypeJustification.", policyName)
+				} else { // Cluster policy has ingress rule with ports defined
+					clusterIngressRule := clusterPolicy.Spec.Ingress[0]
+					expectedIngressRule := expectedPolicy.IngressRule
+
+					require.Emptyf(t, expectedPolicy.DenyAllIngressByTypeJustification,
+						"Policy %q: cluster has an ingress rule, but registry also has DenyAllIngressByTypeJustification.", policyName)
+
+					// Compare 'From'
+					assert.True(t, equality.Semantic.DeepEqual(expectedIngressRule.From, clusterIngressRule.From),
+						"Policy %q, Ingress Rule: 'From' mismatch.\nExpected: %+v\nGot:      %+v", policyName, expectedIngressRule.From, clusterIngressRule.From)
+
+					// Compare 'Ports'
+					var allExpectedPorts []networkingv1.NetworkPolicyPort
+					for _, pwj := range expectedIngressRule.Ports {
+						allExpectedPorts = append(allExpectedPorts, pwj.Port...)
+					}
+					require.ElementsMatchf(t, allExpectedPorts, clusterIngressRule.Ports,
+						"Policy %q, Ingress Rule: 'Ports' mismatch based on PortWithJustification aggregation.", policyName)
+				}
+			} else { // No Ingress policy type
+				require.Emptyf(t, clusterPolicy.Spec.Ingress, "Policy %q does not include Ingress in PolicyTypes, but has Ingress rules defined.", policyName)
+				require.Emptyf(t, expectedPolicy.IngressRule.Ports, "Policy %q does not include Ingress in PolicyTypes, but registry IngressRule.Ports is not empty.", policyName)
+				require.Emptyf(t, expectedPolicy.IngressRule.From, "Policy %q does not include Ingress in PolicyTypes, but registry IngressRule.From is not empty.", policyName)
+				require.Emptyf(t, expectedPolicy.DenyAllIngressByTypeJustification, "Policy %q does not include Ingress in PolicyTypes, but registry has DenyAllIngressByTypeJustification.", policyName)
+			}
+
+			// 4. Validate Egress Rules
+			if len(clusterPolicy.Spec.Egress) > 0 {
+				if len(clusterPolicy.Spec.Egress[0].Ports) == 0 { // Cluster policy denies all egress
+					require.Emptyf(t, expectedPolicy.EgressRule.Ports,
+						"Policy %q: cluster has no egress rules (denies all), but registry EgressRule.Ports is not empty.", policyName)
+					require.Emptyf(t, expectedPolicy.EgressRule.To,
+						"Policy %q: cluster has no egress rules (denies all), but registry EgressRule.To is not empty.", policyName)
+					require.NotEmptyf(t, expectedPolicy.DenyAllEgressByTypeJustification,
+						"Policy %q: cluster has no egress rules (denies all), but registry has no DenyAllEgressByTypeJustification.", policyName)
+				} else { // Cluster policy has an egress rule with ports defined
+					clusterEgressRule := clusterPolicy.Spec.Egress[0]
+					expectedEgressRule := expectedPolicy.EgressRule
+
+					require.Emptyf(t, expectedPolicy.DenyAllEgressByTypeJustification,
+						"Policy %q: cluster has an egress rule, but registry also has DenyAllEgressByTypeJustification.", policyName)
+
+					// Compare 'To'
+					assert.True(t, equality.Semantic.DeepEqual(expectedEgressRule.To, clusterEgressRule.To),
+						"Policy %q, Egress Rule: 'To' mismatch.\nExpected: %+v\nGot:      %+v", policyName, expectedEgressRule.To, clusterEgressRule.To)
+
+					// Compare 'Ports'
+					var allExpectedPorts []networkingv1.NetworkPolicyPort
+					for _, pwj := range expectedEgressRule.Ports {
+						allExpectedPorts = append(allExpectedPorts, pwj.Port...)
+					}
+					require.ElementsMatchf(t, allExpectedPorts, clusterEgressRule.Ports,
+						"Policy %q, Egress Rule: 'Ports' mismatch based on PortWithJustification aggregation.", policyName)
+				}
+			} else { // No Egress policy type
+				require.Emptyf(t, clusterPolicy.Spec.Egress, "Policy %q does not include Egress in PolicyTypes, but has Egress rules defined.", policyName)
+				require.Emptyf(t, expectedPolicy.EgressRule.Ports, "Policy %q does not include Egress in PolicyTypes, but registry EgressRule.Ports is not empty.", policyName)
+				require.Emptyf(t, expectedPolicy.EgressRule.To, "Policy %q does not include Egress in PolicyTypes, but registry EgressRule.To is not empty.", policyName)
+				require.Emptyf(t, expectedPolicy.DenyAllEgressByTypeJustification, "Policy %q does not include Egress in PolicyTypes, but registry has DenyAllEgressByTypeJustification.", policyName)
+			}
+		})
+	}
+
+	// 5. Ensure all policies in the registry were found in the cluster
+	assert.Equal(t, len(allowedNetworkPolicies), len(validatedRegistryPolicies),
+		"Mismatch between number of expected policies in registry (%d) and number of policies found & validated in cluster (%d). Missing policies from registry: %v", len(allowedNetworkPolicies), len(validatedRegistryPolicies), missingPolicies(allowedNetworkPolicies, validatedRegistryPolicies))
+}
+
+// Helper function to create a pointer to intstr.IntOrString from an int
+func intOrStrPtr(port int32) *intstr.IntOrString {
+	val := intstr.FromInt(int(port))
+	return &val
+}
+
+func missingPolicies(expected map[string]AllowedPolicyDefinition, actual map[string]bool) []string {
+	missing := []string{}
+	for k := range expected {
+		if !actual[k] {
+			missing = append(missing, k)
+		}
+	}
+	return missing
+}
