STOR-2340: Add e2e tests for storage network policy

[duanwei33]

This commit adds comprehensive e2e tests to verify that storage-related operators and controllers have the required network policy labels and that NetworkPolicy resources exist with correct pod selectors.

Changes:

• Add namespace constants to helpers.go for reuse across storage tests
• Add storage_networkpolicy.go with tests for CSO and CSI operators
• Verify required network policy labels on deployments
• Validate NetworkPolicy resources in storage namespaces

Something on-tracking:

• The network policy in the hypershift management cluster control-plane namespace should be taken into an overall consideration, see discussion in slack

Test records:

$ ./openshift-tests run all --dry-run | grep -E "OCPFeature:StorageNetworkPolicy" | ./openshift-tests run -f -
passed: (15.5s) 2025-10-09T09:32:06 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators"
passed: (16.7s) 2025-10-09T09:32:07 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators"
passed: (17.7s) 2025-10-09T09:32:08 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels"

[duanwei33]

@mpatlasov @dobsonj Could you help take a look?
(cc @Phaow @chao007)

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 92d160d

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift	High - "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" is a new test that failed 1 time(s) against the current commit

New tests seen in this PR at sha: 92d160d

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 5, Fail: 1, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]

[duanwei33]

/test verify

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 81e1f58

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift	High - "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" is a new test that failed 1 time(s) against the current commit

New tests seen in this PR at sha: 81e1f58

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 7, Pass: 6, Fail: 1, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 7, Pass: 7, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 7, Pass: 7, Fail: 0, Flake: 0]

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: c1d5777

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: 4580205

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]

[duanwei33]

/retest

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: c514831

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: c514831

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 8, Pass: 8, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 8, Pass: 8, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 8, Pass: 8, Fail: 0, Flake: 0]

[openshift-ci-robot]

@duanwei33: This pull request references STOR-2340 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.21." or "openshift-4.21.", but it targets "openshift-4.20" instead.

In response to this:

This commit adds comprehensive e2e tests to verify that storage-related operators and controllers have the required network policy labels and that NetworkPolicy resources exist with correct pod selectors.

Changes:

• Add namespace constants to helpers.go for reuse across storage tests
• Add storage_networkpolicy.go with tests for CSO and CSI operators
• Verify required network policy labels on deployments
• Validate NetworkPolicy resources in storage namespaces

Something on-tracking:

• The network policy in the hypershift management cluster control-plane namespace should be taken into an overall consideration, see discussion in slack

Test records:

$ ./openshift-tests run all --dry-run | grep -E "OCPFeature:StorageNetworkPolicy" | ./openshift-tests run -f -
passed: (15.5s) 2025-10-09T09:32:06 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators"
passed: (16.7s) 2025-10-09T09:32:07 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators"
passed: (17.7s) 2025-10-09T09:32:08 "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: 16c7f2c

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]

[mpatlasov]

FYI, go-verify-deps started failing because PR#70376 was merged recently.

[mpatlasov]

Hi @duanwei33 , thank you for reworking test case "should ensure required NetworkPolicies exist with correct labels", it looks great! I have only a couple of nits remaining (see my inline comments). They are minor, I'm ok to lgtm anyway. Let me know if you're going to address them. Otherwise we can go ahead with current code as-is.

Btw, how did you verify that e2e.TestContext.Provider gives reasonable string (not just empty "")? Setting env vars TEST_PROVIDER and TEST_CSI_DRIVER_FILES doesn't help for manual runs, and g.By() adds message to the logs only if test fails, so when it succeeds it's not clear whether it ran with empty currentPlatform or not.

[duanwei33]

/retest-required

[mpatlasov]

/lgtm
/approve

[duanwei33]

/retest

[duanwei33]

The [Driver: nfs3] failures in the e2e-aws-ovn-microshift job are unrelated to this PR.

The new tests added here are skipped on Microshift anyway, so this is just a pre-existing flake. This failure can be safely ignored.

@dobsonj Could you help approve it?

[dobsonj]

/approve
/verified by CI

[openshift-ci-robot]

@dobsonj: This PR has been marked as verified by CI.

In response to this:

/approve
/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj, duanwei33, mpatlasov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/extended/storage/OWNERS [dobsonj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f06eec0 and 2 for PR HEAD da3860c in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 8a4ef2a and 1 for PR HEAD da3860c in total

[Phaow]

/test e2e-aws-ovn-microshift

[duanwei33]

/test e2e-aws-ovn-microshift

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f886e4e and 0 for PR HEAD da3860c in total

[openshift-ci-robot]

/hold

Revision da3860c was retested 3 times: holding

[openshift-ci]

@duanwei33: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	da3860c	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mpatlasov]

/test e2e-aws-ovn-microshift

[mpatlasov]

/unhold

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: da3860c

• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should ensure required NetworkPolicies exist with correct labels [Suite:openshift/conformance/parallel]" [Total: 17, Pass: 17, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSI related Operators [Suite:openshift/conformance/parallel]" [Total: 17, Pass: 17, Fail: 0, Flake: 0]
• "[sig-storage][OCPFeature:StorageNetworkPolicy] Storage Network Policy should verify required labels for CSO related Operators [Suite:openshift/conformance/parallel]" [Total: 17, Pass: 17, Fail: 0, Flake: 0]

[duanwei33]

/cherry-pick release-4.20

[openshift-cherrypick-robot]

@duanwei33: new pull request created: #30441

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.