CNTRLPLANE-2751:Adding e2e network policy cases for config-operator

[gangwgr]

Adding e2e network policy cases for config-operator.
cluster-config-operator PR #463 (API-1646) adds NetworkPolicies to the namespaces managed by the cluster-config-operator (openshift-config-operator, openshift-config, openshift-config-managed). This PR adds E2E tests to verify those policies are correctly applied and reconciled.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 52deb337-1e6b-4c2e-865f-55b4653b45f9

📥 Commits

Reviewing files that changed from the base of the PR and between 1622182 and ca0fdce.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/extended/networking/config_operator_networkpolicy.go

---

Walkthrough

Adds a new Ginkgo E2E test suite that validates NetworkPolicy enforcement and reconciliation for OpenShift Config Operator namespaces, including connectivity probes across policy states, DNS egress checks, namespace policy enumeration, and operator-driven policy restoration. (50 words)

Changes

Cohort / File(s)

Summary

NetworkPolicy E2E Test Suite test/extended/networking/config_operator_networkpolicy.go

New comprehensive test file. Adds probes that create labeled server/client pods with hardened security contexts, assert TCP connectivity across policy states (no policy, default-deny, ingress-only, egress-allowed), inspect and test Config Operator-managed NetworkPolicies (including DNS port checks against openshift-dns service IPs), enumerate policies/pods across openshift-config-operator, openshift-config, and openshift-config-managed, and verify operator reconciliation by deleting/patching NetworkPolicies and waiting for restoration. Includes helpers for pod lifecycle, IP extraction (IPv4/IPv6 aware), long-running connectivity client logs (CONN_OK/CONN_FAIL), and best-effort DNS tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• test/extended/networking/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 153-191: The test currently only logs NetworkPolicies for
namespaces in namespacesToTest and allows empty results, so it can pass without
verifying reconciliation; update the loop (referencing namespacesToTest and the
call cs.NetworkingV1().NetworkPolicies(ns).List and logNetworkPolicyDetails) to
assert that the target namespaces "openshift-config" and
"openshift-config-managed" contain at least one NetworkPolicy (use
o.Expect(len(policies.Items)).To(o.BeNumerically(">", 0)) or equivalent) and
fail the test if empty; keep the existing logging for debugging but replace the
permissive if/else with a strict assertion for those two namespaces while
leaving observational logging for other namespaces.
- Around line 138-147: The loop over DNS ports unconditionally breaks on the
first iteration so only port 53 is tested and dnsReachable is set true
regardless; update the loop that iterates []int32{53, 5353} to attempt both
ports (remove the unconditional break) and set dnsReachable only when a
successful probe occurs (i.e., call logConnectivityBestEffort for each port and
use its success result or modify/use a helper that returns a bool), e.g., call
logConnectivityBestEffort(configOperatorNamespace, operatorLabels, dnsIPs, port)
for each port and set dnsReachable = true only if that call indicates
reachability, leaving the loop to continue trying remaining ports until one
succeeds or all fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c052d7ae-5c11-42df-9b95-f211197f537a

📥 Commits

Reviewing files that changed from the base of the PR and between 7da3e1c and 1622182.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

DNS probe loop only tests the first port due to unconditional break.

Line 143 exits on the first iteration, so port 5353 is never checked, and dnsReachable is always true once the loop runs.

Suggested fix

-            dnsReachable := false
-            for _, port := range []int32{53, 5353} {
+            for _, port := range []int32{53, 5353} {
                 g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
                 logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
-                dnsReachable = true
-                break
-            }
-            if !dnsReachable {
-                g.GinkgoWriter.Printf("DNS connectivity check skipped (no ports tested)\n")
             }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	dnsReachable := false
	for _, port := range []int32{53, 5353} {
	g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
	logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
	dnsReachable = true
	break
	}
	if !dnsReachable {
	g.GinkgoWriter.Printf("DNS connectivity check skipped (no ports tested)\n")
	}
	for _, port := range []int32{53, 5353} {
	g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
	logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 138 -
147, The loop over DNS ports unconditionally breaks on the first iteration so
only port 53 is tested and dnsReachable is set true regardless; update the loop
that iterates []int32{53, 5353} to attempt both ports (remove the unconditional
break) and set dnsReachable only when a successful probe occurs (i.e., call
logConnectivityBestEffort for each port and use its success result or modify/use
a helper that returns a bool), e.g., call
logConnectivityBestEffort(configOperatorNamespace, operatorLabels, dnsIPs, port)
for each port and set dnsReachable = true only if that call indicates
reachability, leaving the loop to continue trying remaining ports until one
succeeds or all fail.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

These specs are mostly observational and can pass even when target policies are missing.

Line 168 and Line 210 allow empty policy sets (or only log them), so the tests can pass without proving reconciliation in openshift-config and openshift-config-managed, which is the core PR objective.

Suggested assertion-focused update

@@
-            if len(policies.Items) > 0 {
+            if len(policies.Items) > 0 {
                 g.GinkgoWriter.Printf("Found %d NetworkPolicy(ies) in %s\n", len(policies.Items), ns)
                 for _, policy := range policies.Items {
                     g.GinkgoWriter.Printf("  - %s\n", policy.Name)
                     logNetworkPolicyDetails(fmt.Sprintf("%s/%s", ns, policy.Name), &policy)
                 }
             } else {
                 g.GinkgoWriter.Printf("No NetworkPolicies found in %s\n", ns)
             }
+            // Assert policy reconciliation for namespaces covered by API-1646.
+            if ns == configNamespace || ns == configManagedNamespace {
+                o.Expect(policies.Items).NotTo(o.BeEmpty(), "expected reconciled NetworkPolicies in %s", ns)
+            }
@@
-            if len(policies.Items) == 0 {
-                g.GinkgoWriter.Printf("No NetworkPolicies found in %s, skipping enforcement tests\n", ns.namespace)
-                continue
-            }
+            o.Expect(policies.Items).NotTo(o.BeEmpty(), "expected NetworkPolicies in %s before enforcement checks", ns.namespace)

Also applies to: 193-251

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 153 -
191, The test currently only logs NetworkPolicies for namespaces in
namespacesToTest and allows empty results, so it can pass without verifying
reconciliation; update the loop (referencing namespacesToTest and the call
cs.NetworkingV1().NetworkPolicies(ns).List and logNetworkPolicyDetails) to
assert that the target namespaces "openshift-config" and
"openshift-config-managed" contain at least one NetworkPolicy (use
o.Expect(len(policies.Items)).To(o.BeNumerically(">", 0)) or equivalent) and
fail the test if empty; keep the existing logging for debugging but replace the
permissive if/else with a strict assertion for those two namespaces while
leaving observational logging for other namespaces.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-2751 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adding e2e network policy cases for config-operator.
cluster-config-operator PR #463 (API-1646) adds NetworkPolicies to the namespaces managed by the cluster-config-operator (openshift-config-operator, openshift-config, openshift-config-managed). This PR adds E2E tests to verify those policies are correctly applied and reconciled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gangwgr]

/retest-required

[gangwgr]

/test e2e-aws-ovn-fips

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/pipeline required

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn	ca0fdce	link	true	/test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: ca0fdce

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: ca0fdce

• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]