Skip to content

Add e2e test to detect named ports in NetworkPolicies#31375

Open
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:nettpol
Open

Add e2e test to detect named ports in NetworkPolicies#31375
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:nettpol

Conversation

@machine424

@machine424 machine424 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Some network plugins (e.g. OVN-Kubernetes) do not support named ports in NetworkPolicies and may silently convert them into allow-all rules. Add a test that lists all cluster NetworkPolicies and fails if any use named ports instead of numeric ones, with a skip list for now.

Summary by CodeRabbit

  • Tests
    • Added validation coverage for cluster NetworkPolicies to ensure ports are defined numerically.
    • The new check scans ingress and egress rules across namespaces and flags policies that still use named ports, with a small set of known exceptions excluded.

Some network plugins (e.g. OVN-Kubernetes) do not support named ports in
NetworkPolicies and may silently convert them into allow-all rules. Add
a test that lists all cluster NetworkPolicies and fails if
any use named ports instead of numeric ones, with a skip list for now.
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@machine424

Copy link
Copy Markdown
Contributor Author

/pipeline required

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Walkthrough

Adds a new Ginkgo test suite validating that all cluster NetworkPolicy resources use numeric ports instead of named ports, scanning ingress and egress port specs while skipping a hard-coded set of known exceptions and failing on any violations found.

Changes

NetworkPolicy Port Validation Test

Layer / File(s) Summary
Test setup and validation logic
test/extended/networking/networkpolicy_validation.go
Adds a Ginkgo test that lists all NetworkPolicies, skips known exceptions, scans ingress/egress ports for named (non-intstr.Int) ports, and asserts no violations are found.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning The test has a bare Expect(err).NotTo(HaveOccurred()) with no diagnostic message, violating the assertion-message requirement. Add a descriptive failure message for the list call (and keep checks narrowly scoped) so failures identify which operation broke.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: an e2e test that flags named ports in NetworkPolicies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The added Ginkgo Describe/It titles are static strings; no dynamic names, timestamps, UUIDs, or generated values appear in test names.
Microshift Test Compatibility ✅ Passed The new test only uses Kubernetes NetworkPolicy APIs and already has an [apigroup:networking.k8s.io] tag; it references no MicroShift-unsupported OpenShift APIs or assumptions.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new test only lists cluster NetworkPolicies and checks their ports; it has no node, replica, scheduling, failover, or topology assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed Only an e2e NetworkPolicy validation test was added; no manifests, controllers, or scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed No stdout writes were added in process-level code; the new file only logs inside It and uses harmless init-time setup.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The new Ginkgo test only lists cluster NetworkPolicies via the API; it contains no IPv4 literals, IP parsing, or external connectivity.
No-Weak-Crypto ✅ Passed The only changed file adds a NetworkPolicy validation test and contains no weak-crypto algorithms, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed The PR only adds a Go e2e test; no manifests or container security fields like privileged, hostNetwork, hostPID, or allowPrivilegeEscalation are present.
No-Sensitive-Data-In-Logs ✅ Passed The new test only logs skipped NetworkPolicy keys and failure messages with namespace/name and port names; no passwords, tokens, PII, or hostnames are logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/extended/networking/networkpolicy_validation.go (2)

39-39: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Typo: "Sone CNI" → "Some CNI".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/networking/networkpolicy_validation.go` at line 39, Fix the
typo in the comment inside the NetworkPolicy validation test by changing the
wording in the nearby comment under the networking validation logic from “Sone
CNI” to “Some CNI”; this is only a text correction and should be applied where
the comment mentions named ports in NetworkPolicies.

43-46: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Use a bounded context instead of context.Background().

The List call has no deadline, so it can hang indefinitely if the API server is slow or unresponsive.

⏱️ Suggested fix
-		ctx := context.Background()
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		defer cancel()

(remember to add "time" to imports)

As per path instructions, Go code should use context.Context for cancellation and timeouts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/networking/networkpolicy_validation.go` around lines 43 - 46,
The NetworkPolicies list call is using an unbounded context, so it can hang
indefinitely if the API server is slow. Update the NetworkPolicy validation test
to use a bounded context with timeout instead of `context.Background()` near the
`List` call in the validation flow, and add the needed `time` import when
creating that timeout-based context.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/networking/networkpolicy_validation.go`:
- Line 39: Fix the typo in the comment inside the NetworkPolicy validation test
by changing the wording in the nearby comment under the networking validation
logic from “Sone CNI” to “Some CNI”; this is only a text correction and should
be applied where the comment mentions named ports in NetworkPolicies.
- Around line 43-46: The NetworkPolicies list call is using an unbounded
context, so it can hang indefinitely if the API server is slow. Update the
NetworkPolicy validation test to use a bounded context with timeout instead of
`context.Background()` near the `List` call in the validation flow, and add the
needed `time` import when creating that timeout-based context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28d1c930-b729-45ed-80e8-b0124854a545

📥 Commits

Reviewing files that changed from the base of the PR and between a40276a and f3bcd07.

📒 Files selected for processing (1)
  • test/extended/networking/networkpolicy_validation.go

@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 9, 2026
@openshift-ci openshift-ci Bot requested review from jluhrsen and martinkennelly July 9, 2026 16:29
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: machine424
Once this PR has been reviewed and has the lgtm label, please assign kyrtapz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@machine424: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-fips f3bcd07 link true /test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-trt

openshift-trt Bot commented Jul 9, 2026

Copy link
Copy Markdown

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: f3bcd07

  • "[sig-network] NetworkPolicy should use numeric ports in all platform NetworkPolicies [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant