Merge pull request kubernetes#55186 from bcreane/named-port-egress

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. NetworkPolicy e2e: named port egress test **What this PR does / why we need it**: Add an e2e NetworkPolicy test that ensures that an egress rule that specifies a named port properly applies to egress traffic. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#52040 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
ashokn · Nov 20, 2017 · dcdb423 · dcdb423
2 parents 6b97376 + 1e7f01e
commit dcdb423
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/test/e2e/network/network_policy.go b/test/e2e/network/network_policy.go
@@ -310,6 +310,48 @@ var _ = SIGDescribe("NetworkPolicy", func() {
 				testCannotConnect(f, f.Namespace, "client-b", service, 81)
 			})
 		})
+
+		It("should allow egress access on one named port [Feature:NetworkPolicy]", func() {
+			clientPodName := "client-a"
+			protocolUDP := v1.ProtocolUDP
+			policy := &networkingv1.NetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "allow-client-a-via-named-port-egress-rule",
+				},
+				Spec: networkingv1.NetworkPolicySpec{
+					// Apply this policy to client-a
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"pod-name": clientPodName,
+						},
+					},
+					// Allow traffic to only one named port: "serve-80".
+					Egress: []networkingv1.NetworkPolicyEgressRule{{
+						Ports: []networkingv1.NetworkPolicyPort{
+							{
+								Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80"},
+							},
+							// Allow DNS look-ups
+							{
+								Protocol: &protocolUDP,
+								Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
+							},
+						},
+					}},
+				},
+			}
+
+			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(policy)
+			Expect(err).NotTo(HaveOccurred())
+			defer cleanupNetworkPolicy(f, policy)
+
+			By("Creating client-a which should be able to contact the server.", func() {
+				testCanConnect(f, f.Namespace, clientPodName, service, 80)
+			})
+			By("Creating client-a which should not be able to contact the server on port 81.", func() {
+				testCannotConnect(f, f.Namespace, clientPodName, service, 81)
+			})
+		})
 	})
 })