test anp with named-port-with-ips

pkg/netpol/connlist/connlist_test.go

@@ -601,6 +601,11 @@ func TestLoggerWarnings(t *testing.T) {
 			dirName:                     "anp_test_with_empty_port_range",
 			expectedWarningsStrContains: []string{alerts.WarnEmptyPortRange},
 		},
+		{
+			name:                        "input_admin_policy_contains_named_port_with_networks_should_get_warning",
+			dirName:                     "anp_test_named_ports_multiple_peers",
+			expectedWarningsStrContains: []string{alerts.WarnNamedPortIgnoredForIP},
+		},
 	}
 	for _, tt := range cases {
 		tt := tt
@@ -1587,6 +1592,10 @@ var goodPathTests = []struct {
 		testDirName:   "np_test_with_empty_port_range",
 		outputFormats: []string{output.DefaultFormat},
 	},
+	{
+		testDirName:   "anp_test_named_ports_multiple_peers",
+		outputFormats: []string{output.DefaultFormat},
+	},
 }
 
 func runParsedResourcesConnlistTests(t *testing.T, testList []examples.ParsedResourcesTest) {

pkg/netpol/eval/internal/k8s/adminnetpol.go

@@ -408,8 +408,8 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common
 			portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port))
 		case anpPort.NamedPort != nil:
 			if dst.PeerType() == IPBlockType {
-				// IPblock does not have named-ports defined
-				// @tbd should return error? (a rule that combines networks and pods may have such port?)
+				// IPblock does not have named-ports defined, warn and continue
+				warnings = append(warnings, alerts.WarnNamedPortIgnoredForIP)
 				continue // next port
 			}
 			podProtocol, podPort := dst.GetPeerPod().ConvertPodNamedPort(*anpPort.NamedPort)

pkg/netpol/internal/alerts/warnings.go

@@ -18,7 +18,11 @@ func WarnUnmatchedNamedPort(namedPort, peerStr string) string {
 const (
 	WarnPrefixPortName = "port name: "
 	ignoreMsg          = "it will be ignored, and will not appear in the connectivity results."
-	WarnEmptyPortRange = "port range is empty, skipped." // example raising this warning: tests/anp_test_with_empty_port_range
+	WarnEmptyPortRange = "port range is empty, skipped."
+	// example raising this warning: tests/anp_test_with_empty_port_range
+
+	WarnNamedPortIgnoredForIP = "named port is not defined for IP addresses; skipped"
+	// example raising this warning: tests/anp_test_named_ports_multiple_peers
 )
 
 var (

test_outputs/connlist/anp_test_named_ports_multiple_peers_connlist_output.txt

@@ -0,0 +1,14 @@
+0.0.0.0-104.154.164.169 => ns1/pod1[Deployment] : All Connections
+0.0.0.0-104.154.164.169 => ns3/pod1[Deployment] : All Connections
+104.154.164.170-104.154.164.170 => ns1/pod1[Deployment] : All Connections
+104.154.164.170-104.154.164.170 => ns3/pod1[Deployment] : All Connections
+104.154.164.171-255.255.255.255 => ns1/pod1[Deployment] : All Connections
+104.154.164.171-255.255.255.255 => ns3/pod1[Deployment] : All Connections
+ns1/pod1[Deployment] => 0.0.0.0-104.154.164.169 : All Connections
+ns1/pod1[Deployment] => 104.154.164.170-104.154.164.170 : TCP 8080,UDP 5000-6000
+ns1/pod1[Deployment] => 104.154.164.171-255.255.255.255 : All Connections
+ns1/pod1[Deployment] => ns3/pod1[Deployment] : TCP 8080,UDP 80,5000-6000
+ns3/pod1[Deployment] => 0.0.0.0-104.154.164.169 : All Connections
+ns3/pod1[Deployment] => 104.154.164.170-104.154.164.170 : All Connections
+ns3/pod1[Deployment] => 104.154.164.171-255.255.255.255 : All Connections
+ns3/pod1[Deployment] => ns1/pod1[Deployment] : All Connections

tests/anp_test_named_ports_multiple_peers/pods.yaml

@@ -0,0 +1,72 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns1
+  labels:
+    apps: all-apps
+spec: {}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns3
+  labels:
+    apps: external-apps
+spec: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod1
+  namespace: ns1
+  labels:
+    app: a-app
+spec:
+  selector:
+    matchLabels:
+      app: a-app
+  template:
+    metadata:
+      labels:
+        app: a-app
+    spec:
+      containers:
+      - name: ns1
+        image: quay.io/shfa/ns1:latest
+        ports:
+        - containerPort: 80
+        - containerPort: 81  
+        - containerPort: 80
+          protocol: UDP
+        - containerPort: 81
+          protocol: UDP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod1
+  namespace: ns3
+  labels:
+    app: web
+spec:
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+      - name: ns2
+        image: quay.io/shfa/ns2:latest
+        ports:
+        - containerPort: 80
+        - containerPort: 81  
+        - containerPort: 80
+          protocol: UDP
+          name: dns
+        - containerPort: 81
+          protocol: UDP  
+---

tests/anp_test_named_ports_multiple_peers/policies.yaml

@@ -0,0 +1,47 @@
+# a file copied from :
+# https://docs.openshift.com/container-platform/4.17/networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.html#egress-traffic-control-networks-peer-external-destinations_ovn-k-egress-nodes-networks-peer
+# with some changes
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: egress-peer-1 
+spec:
+  egress: 
+  - action: "Allow"
+    name: "allow-egress"
+    to:
+    - networks:
+      - 104.154.164.170/32
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            apps: external-apps
+        podSelector:
+          matchLabels:
+            app: web
+    ports:
+    - portRange:
+        protocol: UDP
+        start: 5000
+        end: 6000
+    - portNumber:
+        protocol: TCP
+        port: 8080
+    - namedPort: dns
+  - action: "Deny" # deny all other ports
+    name: "deny-egress"
+    to:
+    - networks:
+      - 104.154.164.170/32
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            apps: external-apps
+        podSelector:
+          matchLabels:
+            app: web
+  priority: 30 
+  subject: 
+    namespaces:
+      matchLabels:
+        apps: all-apps