add anp/banp e2e case

Signed-off-by: 马洪贞 <[email protected]>

.gitignore

@@ -49,3 +49,4 @@ cacert.pem
 ovn-req.pem
 ovn-cert.pem
 ovn-privkey.pem
+anp-test-report.yaml

Makefile

@@ -83,6 +83,10 @@ KWOK_IMAGE = registry.k8s.io/kwok/kwok:$(KWOK_VERSION)
 
 VPC_NAT_GW_IMG = $(REGISTRY)/vpc-nat-gateway:$(VERSION)
 
+ANP_TEST_IMAGE = registry.k8s.io/e2e-test-images/agnhost:2.45
+ANP_CR_YAML = https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml
+BANP_CR_YAML = https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/main/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+
 E2E_NETWORK = bridge
 ifneq ($(VLAN_ID),)
 E2E_NETWORK = kube-ovn-vlan
@@ -476,6 +480,7 @@ kind-install-chart: kind-load-image kind-untaint-control-plane
 		--set networking.ENABLE_SSL=$(shell echo $${ENABLE_SSL:-false}) \
 		--set func.ENABLE_BIND_LOCAL_IP=$(shell echo $${ENABLE_BIND_LOCAL_IP:-true}) \
 		--set func.ENABLE_OVN_IPSEC=$(shell echo $${ENABLE_OVN_IPSEC:-false}) \
+		--set func.ENABLE_ANP=$(shell echo $${ENABLE_ANP:-false}) \
 		--set func.ENABLE_IC=$(shell kubectl get node --show-labels | grep -qw "ovn.kubernetes.io/ic-gw" && echo true || echo false)
 
 .PHONY: kind-install-chart-ssl
@@ -490,6 +495,7 @@ kind-upgrade-chart: kind-load-image
 		--set networking.ENABLE_SSL=$(shell echo $${ENABLE_SSL:-false}) \
 		--set func.ENABLE_BIND_LOCAL_IP=$(shell echo $${ENABLE_BIND_LOCAL_IP:-true}) \
 		--set func.ENABLE_OVN_IPSEC=$(shell echo $${ENABLE_OVN_IPSEC:-false}) \
+		--set func.ENABLE_ANP=$(shell echo $${ENABLE_ANP:-false}) \
 		--set func.ENABLE_IC=$(shell kubectl get node --show-labels | grep -qw "ovn.kubernetes.io/ic-gw" && echo true || echo false)
 	kubectl -n kube-system wait pod --for=condition=ready -l app=ovs --timeout=60s
 
@@ -918,6 +924,13 @@ kind-install-kwok:
 kind-install-ovn-ipsec:
 	@$(MAKE) ENABLE_OVN_IPSEC=true kind-install
 
+.PHONY: kind-install-anp
+kind-install-anp: kind-load-image
+	$(call kind_load_image,kube-ovn,$(ANP_TEST_IMAGE),1)
+	kubectl apply -f "$(ANP_CR_YAML)"
+	kubectl apply -f "$(BANP_CR_YAML)"
+	@$(MAKE) ENABLE_ANP=true kind-install
+
 .PHONY: kind-reload
 kind-reload: kind-reload-ovs
 	kubectl delete pod -n kube-system -l app=kube-ovn-controller

Makefile.e2e

@@ -229,3 +229,8 @@ kube-ovn-ipsec-e2e:
 	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
 	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v \
 		--focus=CNI:Kube-OVN ./test/e2e/ipsec/ipsec.test -- $(TEST_BIN_ARGS)
+
+.PHONY: kube-ovn-anp-e2e
+kube-ovn-anp-e2e:
+	KUBECONFIG=$(KUBECONFIG) ./test/anp/conformance.sh
+

charts/kube-ovn/templates/controller-deploy.yaml

@@ -136,6 +136,7 @@ spec:
           - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
           - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
+          - --enable-anp={{- .Values.func.ENABLE_ANP }}
           securityContext:
             runAsUser: {{ include "kubeovn.runAsUser" . }}
             privileged: false

charts/kube-ovn/values.yaml

@@ -74,6 +74,7 @@ func:
   ENABLE_IC: false
   ENABLE_NAT_GW: true
   ENABLE_OVN_IPSEC: false
+  ENABLE_ANP: false
 
 ipv4:
   POD_CIDR: "10.16.0.0/16"

dist/images/install.sh

@@ -40,6 +40,7 @@ OVS_VSCTL_CONCURRENCY=${OVS_VSCTL_CONCURRENCY:-100}
 ENABLE_COMPACT=${ENABLE_COMPACT:-false}
 SECURE_SERVING=${SECURE_SERVING:-false}
 ENABLE_OVN_IPSEC=${ENABLE_OVN_IPSEC:-false}
+ENABLE_ANP=${ENABLE_ANP:-false}
 
 # debug
 DEBUG_WRAPPER=${DEBUG_WRAPPER:-}
@@ -4295,6 +4296,7 @@ spec:
           - --node-local-dns-ip=$NODE_LOCAL_DNS_IP
           - --enable-ovn-ipsec=$ENABLE_OVN_IPSEC
           - --secure-serving=${SECURE_SERVING}
+          - --enable-anp=$ENABLE_ANP
           securityContext:
             runAsUser: ${RUN_AS_USER}
             privileged: false

test/anp/anp_test.go

@@ -0,0 +1,89 @@
+package anp
+
+import (
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"gopkg.in/yaml.v3"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	netpolv1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1"
+	"sigs.k8s.io/network-policy-api/conformance/tests"
+	netpolv1config "sigs.k8s.io/network-policy-api/conformance/utils/config"
+	"sigs.k8s.io/network-policy-api/conformance/utils/suite"
+)
+
+const (
+	NetworkPolicyAPIRepoURL = "https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/v0.1.5"
+	reportFileName          = "anp-test-report.yaml"
+)
+
+var baseManifests = fmt.Sprintf("%s/conformance/base/manifests.yaml", NetworkPolicyAPIRepoURL)
+
+func TestAdminNetworkPolicyConformance(t *testing.T) {
+	t.Log("Configuring environment for adminnetworkpolicies conformance tests")
+	cfg, err := config.GetConfig()
+	if err != nil {
+		t.Fatalf("Error loading Kubernetes config: %v", err)
+	}
+	client, err := client.New(cfg, client.Options{})
+	if err != nil {
+		t.Fatalf("Error initializing Kubernetes client: %v", err)
+	}
+	kubeConfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{}).ClientConfig()
+	if err != nil {
+		t.Fatalf("error building Kube config for client-go: %v", err)
+	}
+	clientset, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		t.Fatalf("error when creating Kubernetes ClientSet: %v", err)
+	}
+	err = netpolv1alpha1.AddToScheme(client.Scheme())
+	if err != nil {
+		t.Fatalf("Error initializing API scheme: %v", err)
+	}
+
+	t.Log("Starting the admin network policy conformance test suite")
+	profiles := sets.Set[suite.ConformanceProfileName]{}
+	profiles.Insert(suite.ConformanceProfileName(suite.SupportAdminNetworkPolicy))
+	profiles.Insert(suite.ConformanceProfileName(suite.SupportBaselineAdminNetworkPolicy))
+	cSuite, err := suite.NewConformanceProfileTestSuite(
+		suite.ConformanceProfileOptions{
+			Options: suite.Options{
+				Client:               client,
+				ClientSet:            clientset,
+				KubeConfig:           *cfg,
+				Debug:                true,
+				CleanupBaseResources: true,
+				SupportedFeatures:    suite.CoreFeatures,
+				BaseManifests:        baseManifests,
+				TimeoutConfig:        netpolv1config.TimeoutConfig{GetTimeout: 300 * time.Second},
+			},
+			ConformanceProfiles: profiles,
+		})
+	if err != nil {
+		t.Fatalf("error creating conformance test suite: %v", err)
+	}
+	cSuite.Setup(t)
+	cSuite.Run(t, tests.ConformanceTests)
+
+	report, err := cSuite.Report()
+	if err != nil {
+		t.Fatalf("error generating conformance profile report: %v", err)
+	}
+	t.Logf("Printing report...%v", report)
+
+	rawReport, err := yaml.Marshal(report)
+	if err != nil {
+		t.Fatalf("error marshalling conformance profile report: %v", err)
+	}
+	err = os.WriteFile("../../"+reportFileName, rawReport, 0600)
+	if err != nil {
+		t.Fatalf("error writing conformance profile report: %v", err)
+	}
+}

test/anp/conformance.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# setting this env prevents ginkgo e2e from trying to run provider setup
+export KUBERNETES_CONFORMANCE_TEST=y
+
+pushd ./test/anp
+go mod download
+go test -timeout=0 -v -kubeconfig ${KUBECONFIG}
+popd

test/anp/go.mod

@@ -0,0 +1,57 @@
+module github.com/kubeovn/kube-ovn/test/anp
+
+go 1.22.6
+
+require (
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.30.3
+	k8s.io/client-go v0.30.3
+	sigs.k8s.io/controller-runtime v0.18.4
+	sigs.k8s.io/network-policy-api v0.1.5
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.30.3 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)