e2e: Multiple namespaces

zeeke · zeeke · commit 530b42a72481 · 2025-10-08T17:13:15.000+02:00
A networkpolicy can refer to multiple NADs, which can be in different namespaces.
Create an end2end test case that involves pods from multiple namespaces.

Signed-off-by: Andrea Panattoni &lt;apanatto@redhat.com&gt;
diff --git a/e2e/tests/multi-namespace-multinet.bats b/e2e/tests/multi-namespace-multinet.bats
@@ -0,0 +1,91 @@
+#!/usr/bin/env bats
+
+# Note:
+# This test case creates two namespaces, each with a different NetworkAttachmentDefinition
+# and two pods per namespace. It tests that MultiNetworkPolicy works correctly across
+# different namespaces with different network configurations.
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+	pod_a1_net1=$(get_net1_ip "test-namespace-a" "pod-a-1")
+	pod_a2_net1=$(get_net1_ip "test-namespace-a" "pod-a-2")
+
+	pod_b1_net1=$(get_net1_ip "test-namespace-b" "pod-b-1")
+	pod_b2_net1=$(get_net1_ip "test-namespace-b" "pod-b-2")
+	
+}
+
+@test "setup multi-namespace test environments" {
+	# create test manifests
+	kubectl create -f multi-namespace-multinet.yml
+
+	# verify all pods in namespace A are available
+	run kubectl -n test-namespace-a wait --all --for=condition=ready pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+	
+	# verify all pods in namespace B are available
+	run kubectl -n test-namespace-b wait --all --for=condition=ready pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+
+	# wait for the iptables to be synced
+	sleep 3
+}
+
+@test "Allowed connectivity" {
+	run kubectl -n test-namespace-b exec pod-b-1 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-a exec pod-a-1 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "Denied connectivity" {
+	run kubectl -n test-namespace-a exec pod-a-1 -- sh -c "echo x | nc -w 1 ${pod_a2_net1} 5555"
+	[ "$status" -eq  "1" ]
+	
+	run kubectl -n test-namespace-a exec pod-a-1 -- sh -c "echo x | nc -w 1 ${pod_b1_net1} 5555"
+	[ "$status" -eq  "1" ]
+
+	run kubectl -n test-namespace-b exec pod-a-2 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+	[ "$status" -eq  "1" ]
+
+	run kubectl -n test-namespace-b exec pod-b-2 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "Allowed by policy absence" {
+	run kubectl -n test-namespace-a exec pod-a-2 -- sh -c "echo x | nc -w 1 ${pod_b1_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-b exec pod-b-1 -- sh -c "echo x | nc -w 1 ${pod_a2_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-a exec pod-a-2 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-b exec pod-b-1 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-b exec pod-b-1 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+	[ "$status" -eq  "0" ]
+
+	run kubectl -n test-namespace-b exec pod-b-2 -- sh -c "echo x | nc -w 1 ${pod_b1_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "cleanup environments" {
+	# remove test manifests
+	kubectl delete -f multi-namespace-multinet.yml
+	run kubectl -n test-namespace-a wait --all --for=delete pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+	run kubectl -n test-namespace-b wait --all --for=delete pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+
+	sleep 5
+	# check that no iptables files in pod-iptables
+	pod_name=$(kubectl -n kube-system get pod -o wide | grep 'kind-worker' | grep multi-net | cut -f 1 -d ' ')
+	run kubectl -n kube-system exec ${pod_name} -- \
+		sh -c "find /var/lib/multi-networkpolicy/iptables/ -name '*.iptables' | wc -l"
+        [ "$output" = "0" ]
+}
diff --git a/e2e/tests/multi-namespace-multinet.yml b/e2e/tests/multi-namespace-multinet.yml
@@ -0,0 +1,149 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: test-namespace-a
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: test-namespace-b
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: test-namespace-a
+  name: macvlan1-namespace-a
+spec: 
+  config: '{
+            "cniVersion": "0.3.1",
+            "name": "macvlan1-namespace-a",
+            "plugins": [
+                {
+                    "type": "macvlan",
+                    "mode": "bridge",
+                    "ipam":{
+                      "type":"host-local",
+                      "subnet":"2.2.10.0/24",
+                      "rangeStart":"2.2.10.10",
+                      "rangeEnd":"2.2.10.19"
+                    }
+                }]
+        }'
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: test-namespace-b
+  name: macvlan1-namespace-b
+spec: 
+  config: '{
+            "cniVersion": "0.3.1",
+            "name": "macvlan1-namespace-b",
+            "plugins": [
+                {
+                    "type": "macvlan",
+                    "mode": "bridge",
+                    "ipam":{
+                      "type":"host-local",
+                      "subnet":"2.2.10.0/24",
+                      "rangeStart":"2.2.10.20",
+                      "rangeEnd":"2.2.10.29"
+                    }
+                }]
+        }'
+---
+
+# Pods in namespace A
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-a-1
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-a
+  labels:
+    name: pod-a-1
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-a-2
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-a
+  labels:
+    name: pod-a-2
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+# Pods in namespace B
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-b-1
+  namespace: test-namespace-b
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-b
+  labels:
+    name: pod-b-1
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-b-2
+  namespace: test-namespace-b
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-b
+  labels:
+    name: pod-b-2
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: test-multinetwork-policy-namespace-a
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: test-namespace-a/macvlan1-namespace-a,test-namespace-b/macvlan1-namespace-b
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-a-1
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          name: pod-b-1
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          name: pod-b-2
+  policyTypes:
+  - Ingress
+  - Egress
