Add e2e tests for storage network policy labels

duanwei33 · duanwei33 · commit 4580205e8fe3 · 2025-10-14T21:15:06.000+08:00
This commit adds comprehensive e2e tests to verify that storage-related
operators and controllers have the required network policy labels and
that NetworkPolicy resources exist with correct pod selectors.

Changes:
- Add namespace constants to helpers.go for reuse across storage tests
- Add storage_networkpolicy.go with tests for CSO and CSI operators
- Verify required network policy labels on deployments
- Validate NetworkPolicy resources in storage namespaces
- Skip these tests on MicroShift clusters where they are not applicable

The tests check:
1. CSO operators: cluster-storage-operator, vsphere-problem-detector-operator,
   csi-snapshot-controller-operator, and csi-snapshot-controller
2. CSI operators: AWS EBS/EFS, Azure Disk/File, GCP PD/Filestore, vSphere,
   IBM VPC Block, OpenStack Cinder/Manila, and SMB drivers
3. NetworkPolicy resources in openshift-cluster-storage-operator and
   openshift-cluster-csi-drivers namespaces
diff --git a/test/extended/storage/helpers.go b/test/extended/storage/helpers.go
@@ -21,6 +21,13 @@ const (
 	defaultPollingTime    = 2 * time.Second
 )
 
+// Storage operator and CSI driver namespace constants
+const (
+	CSONamespace       = "openshift-cluster-storage-operator" // Cluster Storage Operator namespace
+	CSINamespace       = "openshift-cluster-csi-drivers"      // Default CSI driver operators namespace
+	ManilaCSINamespace = "openshift-manila-csi-driver"        // Manila CSI driver namespace (OpenStack only)
+)
+
 // IsCSOHealthy checks whether the Cluster Storage Operator is healthy
 func IsCSOHealthy(oc *exutil.CLI) (bool, error) {
 	// CSO healthyStatus:[degradedStatus:False, progressingStatus:False, availableStatus:True, upgradeableStatus:True]
diff --git a/test/extended/storage/storage_networkpolicy.go b/test/extended/storage/storage_networkpolicy.go
@@ -0,0 +1,378 @@
+package storage
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+	exutil "github.com/openshift/origin/test/extended/util"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+)
+
+// ResourceType defines the type of Kubernetes workload resource
+type ResourceType string
+
+const (
+	ResourceTypeDeployment ResourceType = "Deployment"
+	ResourceTypeDaemonSet  ResourceType = "DaemonSet"
+)
+
+// resourceCheck defines a check for a workload resource (Deployment, DaemonSet, etc.)
+type resourceCheck struct {
+	ResourceType   ResourceType
+	Namespace      string
+	Name           string
+	Platform       string
+	RequiredLabels map[string]string
+}
+
+type npCheck struct {
+	Namespace string
+	Optional  bool
+	Policies  map[string]map[string]string
+}
+
+var (
+	npLabelAPI                  = map[string]string{"openshift.storage.network-policy.api-server": "allow"}
+	npLabelDNS                  = map[string]string{"openshift.storage.network-policy.dns": "allow"}
+	npLabelOperatorMetrics      = map[string]string{"openshift.storage.network-policy.operator-metrics": "allow"}
+	npLabelOperatorMetricsRange = map[string]string{"openshift.storage.network-policy.operator-metrics-range": "allow"}
+	npLabelMetricsRange         = map[string]string{"openshift.storage.network-policy.metrics-range": "allow"}
+)
+
+func mergeLabels(maps ...map[string]string) map[string]string {
+	out := map[string]string{}
+	for _, m := range maps {
+		for k, v := range m {
+			out[k] = v
+		}
+	}
+	return out
+}
+
+var (
+	csoOperatorRequiredLabels   = mergeLabels(npLabelAPI, npLabelDNS, npLabelOperatorMetrics)
+	csoControllerRequiredLabels = mergeLabels(npLabelAPI, npLabelDNS)
+	csiOperatorRequiredLabels   = mergeLabels(npLabelAPI, npLabelDNS, npLabelOperatorMetricsRange)
+	csiControllerRequiredLabels = mergeLabels(npLabelAPI, npLabelDNS, npLabelMetricsRange)
+)
+
+var (
+	npNameAPI                  = "allow-egress-to-api-server"
+	npNameDNS                  = "allow-to-dns"
+	npNameOperatorMetrics      = "allow-ingress-to-operator-metrics"
+	npNameMetricsRange         = "allow-ingress-to-metrics-range"
+	npNameOperatorMetricsRange = "allow-ingress-to-operator-metrics-range"
+)
+
+var networkPolicyChecks = []npCheck{
+	{
+		Namespace: CSONamespace,
+		Policies: map[string]map[string]string{
+			npNameAPI:             npLabelAPI,
+			npNameDNS:             npLabelDNS,
+			npNameOperatorMetrics: npLabelOperatorMetrics,
+		},
+	},
+	{
+		Namespace: CSINamespace,
+		Policies: map[string]map[string]string{
+			npNameAPI:                  npLabelAPI,
+			npNameDNS:                  npLabelDNS,
+			npNameMetricsRange:         npLabelMetricsRange,
+			npNameOperatorMetricsRange: npLabelOperatorMetricsRange,
+		},
+	},
+	{
+		Namespace: ManilaCSINamespace,
+		Optional:  true,
+		Policies: map[string]map[string]string{
+			npNameAPI:                  npLabelAPI,
+			npNameDNS:                  npLabelDNS,
+			npNameMetricsRange:         npLabelMetricsRange,
+			npNameOperatorMetricsRange: npLabelOperatorMetricsRange,
+		},
+	},
+}
+
+var _ = g.Describe("[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy", func() {
+	defer g.GinkgoRecover()
+	var (
+		oc              = exutil.NewCLI("storage-network-policy")
+		currentPlatform = e2e.TestContext.Provider
+	)
+
+	g.BeforeEach(func() {
+		isMicroShift, err := exutil.IsMicroShiftCluster(oc.AdminKubeClient())
+		o.Expect(err).NotTo(o.HaveOccurred())
+		if isMicroShift {
+			g.Skip("Storage Network Policy tests are not supported on MicroShift")
+		}
+	})
+
+	g.It("should verify required labels for CSO related Operators", func() {
+		CSOResourcesToCheck := []resourceCheck{
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSONamespace,
+				Name:           "cluster-storage-operator",
+				Platform:       "all",
+				RequiredLabels: csoOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSONamespace,
+				Name:           "vsphere-problem-detector-operator",
+				Platform:       "vsphere",
+				RequiredLabels: csoOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSONamespace,
+				Name:           "csi-snapshot-controller-operator",
+				Platform:       "all",
+				RequiredLabels: csoOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSONamespace,
+				Name:           "csi-snapshot-controller",
+				Platform:       "all",
+				RequiredLabels: csoControllerRequiredLabels,
+			},
+		}
+		runResourceChecks(oc, CSOResourcesToCheck, currentPlatform)
+	})
+
+	g.It("should verify required labels for CSI related Operators", func() {
+		CSIResourcesToCheck := []resourceCheck{
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "aws-ebs-csi-driver-operator",
+				Platform:       "aws",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "aws-ebs-csi-driver-controller",
+				Platform:       "aws",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "aws-efs-csi-driver-operator",
+				Platform:       "aws",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "azure-disk-csi-driver-operator",
+				Platform:       "azure",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "azure-disk-csi-driver-controller",
+				Platform:       "azure",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "azure-file-csi-driver-operator",
+				Platform:       "azure",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "azure-file-csi-driver-controller",
+				Platform:       "azure",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "gcp-pd-csi-driver-operator",
+				Platform:       "gcp",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "gcp-filestore-csi-driver-operator",
+				Platform:       "gcp",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "vmware-vsphere-csi-driver-operator",
+				Platform:       "vsphere",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "vmware-vsphere-csi-driver-controller",
+				Platform:       "vsphere",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "ibm-vpc-block-csi-driver-operator",
+				Platform:       "ibmcloud",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "ibm-vpc-block-csi-controller",
+				Platform:       "ibmcloud",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "openstack-cinder-csi-driver-operator",
+				Platform:       "openstack",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "openstack-cinder-csi-driver-controller",
+				Platform:       "openstack",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "manila-csi-driver-operator",
+				Platform:       "openstack",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      ManilaCSINamespace,
+				Name:           "openstack-manila-csi-controllerplugin",
+				Platform:       "openstack",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "smb-csi-driver-operator",
+				Platform:       "all",
+				RequiredLabels: csiOperatorRequiredLabels,
+			},
+			{
+				ResourceType:   ResourceTypeDeployment,
+				Namespace:      CSINamespace,
+				Name:           "smb-csi-driver-controller",
+				Platform:       "all",
+				RequiredLabels: csiControllerRequiredLabels,
+			},
+		}
+		runResourceChecks(oc, CSIResourcesToCheck, currentPlatform)
+	})
+
+	g.It("should ensure required NetworkPolicies exist with correct labels", func() {
+		for _, c := range networkPolicyChecks {
+			_, err := oc.AdminKubeClient().CoreV1().Namespaces().Get(context.TODO(), c.Namespace, metav1.GetOptions{})
+			if err != nil {
+				if c.Optional {
+					g.By(fmt.Sprintf("Skipping optional namespace %s (not found)", c.Namespace))
+					continue
+				}
+				o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("namespace %s should exist", c.Namespace))
+			}
+
+			for npName, labels := range c.Policies {
+				np, err := oc.AdminKubeClient().NetworkingV1().NetworkPolicies(c.Namespace).Get(context.TODO(), npName, metav1.GetOptions{})
+				o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("NetworkPolicy %s/%s should exist", c.Namespace, npName))
+
+				for key, val := range labels {
+					gotVal, ok := np.Spec.PodSelector.MatchLabels[key]
+					o.Expect(ok).To(o.BeTrue(), fmt.Sprintf("NetworkPolicy %s/%s missing label %s", c.Namespace, npName, key))
+					o.Expect(gotVal).To(o.Equal(val), fmt.Sprintf("NetworkPolicy %s/%s label %s mismatch (got=%s, want=%s)", c.Namespace, npName, key, gotVal, val))
+				}
+			}
+		}
+	})
+})
+
+func runResourceChecks(oc *exutil.CLI, resources []resourceCheck, currentPlatform string) {
+	results := []string{}
+	hasFail := false
+	for _, res := range resources {
+		if res.Platform != "" && res.Platform != currentPlatform && res.Platform != "all" {
+			results = append(results, fmt.Sprintf("[SKIP] %s %s/%s (platform mismatch: %s)", res.ResourceType, res.Namespace, res.Name, res.Platform))
+			continue
+		}
+
+		var podTemplateLabels map[string]string
+		var err error
+		resourceName := fmt.Sprintf("%s %s/%s", res.ResourceType, res.Namespace, res.Name)
+
+		switch res.ResourceType {
+		case ResourceTypeDeployment:
+			deployment, err := oc.AdminKubeClient().AppsV1().Deployments(res.Namespace).Get(context.TODO(), res.Name, metav1.GetOptions{})
+			if err != nil {
+				if errors.IsNotFound(err) {
+					results = append(results, fmt.Sprintf("[SKIP] %s not found", resourceName))
+					continue
+				}
+				g.Fail(fmt.Sprintf("Error fetching %s: %v", resourceName, err))
+			}
+			podTemplateLabels = deployment.Spec.Template.Labels
+
+		case ResourceTypeDaemonSet:
+			daemonset, err := oc.AdminKubeClient().AppsV1().DaemonSets(res.Namespace).Get(context.TODO(), res.Name, metav1.GetOptions{})
+			if err != nil {
+				if errors.IsNotFound(err) {
+					results = append(results, fmt.Sprintf("[SKIP] %s not found", resourceName))
+					continue
+				}
+				g.Fail(fmt.Sprintf("Error fetching %s: %v", resourceName, err))
+			}
+			podTemplateLabels = daemonset.Spec.Template.Labels
+
+		default:
+			g.Fail(fmt.Sprintf("Unsupported resource type: %s", res.ResourceType))
+		}
+
+		if err != nil {
+			continue
+		}
+
+		missingLabels := []string{}
+		for key, val := range res.RequiredLabels {
+			if podTemplateLabels[key] != val {
+				missingLabels = append(missingLabels, fmt.Sprintf("%s=%s", key, val))
+			}
+		}
+
+		if len(missingLabels) > 0 {
+			results = append(results, fmt.Sprintf("[FAIL] %s missing labels: %s", resourceName, strings.Join(missingLabels, ", ")))
+			hasFail = true
+		} else {
+			results = append(results, fmt.Sprintf("[PASS] %s", resourceName))
+		}
+	}
+
+	if hasFail {
+		summary := strings.Join(results, "\n")
+		g.Fail(fmt.Sprintf("Some resources are missing required labels:\n\n%s\n", summary))
+	}
+}
