add e2e test for networkpolicy of openshift-config-operator

[zhouying7780]

No description provided.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhouying7780
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• test/extended/networking/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

A new Ginkgo test suite validates Kubernetes NetworkPolicy enforcement, testing basic connectivity rules and OpenShift config-operator policies. Tests verify pod-to-pod connectivity with and without policies, check ingress/egress rules, and validate DNS connectivity. Helpers manage pod creation, IP formatting, policy construction, and connectivity polling.

Changes

Cohort / File(s)	Summary
NetworkPolicy Test Suite test/extended/networking/config_operator_networkpolicy.go	New test file (+636 lines) with Ginkgo test suite for NetworkPolicy enforcement. Includes tests for basic connectivity, policy-based ingress/egress rules, config-operator namespace policies, and DNS connectivity. Provides helper functions for pod creation, dual-stack IP handling, policy construction, and connectivity verification with polling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/extended/networking/config_operator_networkpolicy.go (2)

38-43: Remove misplaced defer ginkgo.GinkgoRecover().

GinkgoRecover() is intended for use inside goroutines spawned within test specs to catch panics. At the Describe block level, it has no effect since the function returns immediately after registering callbacks.

Suggested fix

 var _ = ginkgo.Describe("[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy", func() {
-	defer ginkgo.GinkgoRecover()
-
 	oc := exutil.NewCLI("config-operator-networkpolicy-e2e")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 38 -
43, Remove the misplaced defer ginkgo.GinkgoRecover() call from the top-level
ginkgo.Describe block (the Describe closure where oc := exutil.NewCLI... and f
:= oc.KubeFramework() are defined); GinkgoRecover() should only be used inside
goroutines spawned in specs, so simply delete the line "defer
ginkgo.GinkgoRecover()" from that Describe function (no other changes required
unless you add goroutines, in which case call ginkgo.GinkgoRecover() inside
those goroutines).

---

423-435: wait.PollImmediate is deprecated—migrate to wait.PollUntilContextTimeout.

The deprecation is documented in k8s.io/apimachinery and explicitly recommends PollUntilContextTimeout as the replacement. This applies to all four usages in this file (lines 425, 457, 534, 552).

Example migration for expectConnectivityForIP

-	err := wait.PollImmediate(5*time.Second, 2*time.Minute, func() (bool, error) {
+	err := wait.PollUntilContextTimeout(context.Background(), 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
 		succeeded, err := runConnectivityCheck(kubeClient, namespace, clientLabels, serverIP, port)
 		if err != nil {
 			return false, err
 		}
 		return succeeded == shouldSucceed, nil
 	})

The true parameter sets immediate mode, matching PollImmediate behavior. No need for nested context timeouts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 423 -
435, Replace wait.PollImmediate calls with wait.PollUntilContextTimeout using a
background context and immediate=true to preserve behavior: for example in
expectConnectivityForIP (and the three other occurrences in this file) create a
ctx (e.g., context.Background()) and call wait.PollUntilContextTimeout(ctx,
5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) { /*
move existing body here, change closure signature to accept ctx and return
(bool,error) */ }), leaving the existing connectivity check logic and
gomega.Expect unchanged; ensure any inner closure returns the same success
boolean and error as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 525-530: The code dereferences
ContainerStatuses[0].State.Terminated without guarding for nil, which can panic;
in the function waiting for pod completion (e.g., waitForPodCompletion) check
that completed.Status.ContainerStatuses is non-empty and that
ContainerStatuses[0].State is non-nil and ContainerStatuses[0].State.Terminated
is non-nil before reading ExitCode, and if Terminated is nil return a
descriptive error (including namespace/name) instead of proceeding; update the
logic around exitCode/return to only compute exitCode when Terminated exists and
otherwise surface the error so framework.Logf and the boolean result aren't
based on a nil dereference.

---

Nitpick comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 38-43: Remove the misplaced defer ginkgo.GinkgoRecover() call from
the top-level ginkgo.Describe block (the Describe closure where oc :=
exutil.NewCLI... and f := oc.KubeFramework() are defined); GinkgoRecover()
should only be used inside goroutines spawned in specs, so simply delete the
line "defer ginkgo.GinkgoRecover()" from that Describe function (no other
changes required unless you add goroutines, in which case call
ginkgo.GinkgoRecover() inside those goroutines).
- Around line 423-435: Replace wait.PollImmediate calls with
wait.PollUntilContextTimeout using a background context and immediate=true to
preserve behavior: for example in expectConnectivityForIP (and the three other
occurrences in this file) create a ctx (e.g., context.Background()) and call
wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx
context.Context) (bool, error) { /* move existing body here, change closure
signature to accept ctx and return (bool,error) */ }), leaving the existing
connectivity check logic and gomega.Expect unchanged; ensure any inner closure
returns the same success boolean and error as before.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7640fa04-74a9-4944-a68b-e94f16a687b9

📥 Commits

Reviewing files that changed from the base of the PR and between 3318a72 and 8cf1f04.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Potential nil pointer dereference on Terminated state.

When waitForPodCompletion returns, the pod phase is Succeeded or Failed, but ContainerStatuses[0].State.Terminated may still be nil in edge cases (e.g., container never started, or eviction). Accessing Terminated.ExitCode directly will panic.

Proposed fix

 	if len(completed.Status.ContainerStatuses) == 0 {
 		return false, fmt.Errorf("no container status recorded for pod %s", name)
 	}
+	terminated := completed.Status.ContainerStatuses[0].State.Terminated
+	if terminated == nil {
+		return false, fmt.Errorf("container did not terminate properly for pod %s", name)
+	}
-	exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode
+	exitCode := terminated.ExitCode
 	framework.Logf("client pod %s/%s exitCode=%d", namespace, name, exitCode)
 	return exitCode == 0, nil

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if len(completed.Status.ContainerStatuses) == 0 {
	return false, fmt.Errorf("no container status recorded for pod %s", name)
	}
	exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode
	framework.Logf("client pod %s/%s exitCode=%d", namespace, name, exitCode)
	return exitCode == 0, nil
	if len(completed.Status.ContainerStatuses) == 0 {
	return false, fmt.Errorf("no container status recorded for pod %s", name)
	}
	terminated := completed.Status.ContainerStatuses[0].State.Terminated
	if terminated == nil {
	return false, fmt.Errorf("container did not terminate properly for pod %s", name)
	}
	exitCode := terminated.ExitCode
	framework.Logf("client pod %s/%s exitCode=%d", namespace, name, exitCode)
	return exitCode == 0, nil

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 525 -
530, The code dereferences ContainerStatuses[0].State.Terminated without
guarding for nil, which can panic; in the function waiting for pod completion
(e.g., waitForPodCompletion) check that completed.Status.ContainerStatuses is
non-empty and that ContainerStatuses[0].State is non-nil and
ContainerStatuses[0].State.Terminated is non-nil before reading ExitCode, and if
Terminated is nil return a descriptive error (including namespace/name) instead
of proceeding; update the logic around exitCode/return to only compute exitCode
when Terminated exists and otherwise surface the error so framework.Logf and the
boolean result aren't based on a nil dereference.

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[zhouying7780]

/retest-required

[openshift-ci]

@zhouying7780: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-vsphere-ovn-upi	8cf1f04	link	true	/test e2e-vsphere-ovn-upi
ci/prow/e2e-aws-ovn-fips	8cf1f04	link	true	/test e2e-aws-ovn-fips
ci/prow/e2e-gcp-ovn	8cf1f04	link	true	/test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn	8cf1f04	link	true	/test e2e-vsphere-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6	8cf1f04	link	true	/test e2e-metal-ipi-ovn-ipv6

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Job Failure Risk Analysis for sha: 8cf1f04

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6230 runs on release 4.22 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High [Monitor:known-image-checker][sig-arch] Only known images used by tests This test has passed 99.95% of 6230 runs on release 4.22 [Overall] in the last week.

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 8cf1f04

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-fips	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit, and also failed 1 time(s).
pull-ci-openshift-origin-main-e2e-vsphere-ovn	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	High - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that failed 2 time(s) against the current commit

New tests seen in this PR at sha: 8cf1f04

• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 9, Fail: 1, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 10, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 10, Pass: 2, Fail: 8, Flake: 0]