Temporarily disable traffic check in SP

This patch is to temporarily disable traffic check and named ports
check in Security Policy e2e test.

In VPC mode, currently, it's unable to create a subnetport in k8s env,
so, we can not check pod running and pod traffic.

Also, creating named port related security policy will fail as well
because there are no running pods created for the named port security policy.

test/e2e/framework.go

@@ -8,20 +8,16 @@ import (
 	"net"
 	"os/exec"
 	"regexp"
-	"strconv"
 	"strings"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
-	"k8s.io/client-go/tools/remotecommand"
 
 	"github.com/vmware-tanzu/nsx-operator/pkg/client/clientset/versioned"
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
@@ -82,11 +78,14 @@ type TestData struct {
 
 var testData *TestData
 
+//Temporarily disable traffic check
+/*
 type PodIPs struct {
 	ipv4      *net.IP
 	ipv6      *net.IP
 	ipStrings []string
 }
+*/
 
 func initProvider() error {
 	providerFactory := map[string]func(string) (providers.ProviderInterface, error){
@@ -282,7 +281,7 @@ func (data *TestData) createNamespace(namespace string) error {
 // deleteNamespace deletes the provided namespace and waits for deletion to actually complete.
 func (data *TestData) deleteNamespace(namespace string, timeout time.Duration) error {
 	var gracePeriodSeconds int64
-	var propagationPolicy = metav1.DeletePropagationForeground
+	propagationPolicy := metav1.DeletePropagationForeground
 	deleteOptions := metav1.DeleteOptions{
 		GracePeriodSeconds: &gracePeriodSeconds,
 		PropagationPolicy:  &propagationPolicy,
@@ -405,6 +404,8 @@ func (data *TestData) getCRResource(timeout time.Duration, cr string, namespace
 	return crs, nil
 }
 
+//Temporarily disable traffic check
+/*
 // podWaitFor polls the K8s apiServer until the specified Pod is found (in the test Namespace) and
 // the condition predicate is met (or until the provided timeout expires).
 func (data *TestData) podWaitFor(timeout time.Duration, name, namespace string, condition PodCondition) (*corev1.Pod, error) {
@@ -594,6 +595,7 @@ func (data *TestData) runNetcatCommandFromPod(namespace string, podName string,
 	}
 	return nil
 }
+*/
 
 func applyYAML(filename string, ns string) error {
 	cmd := fmt.Sprintf("kubectl apply -f %s -n %s", filename, ns)
@@ -615,6 +617,8 @@ func applyYAML(filename string, ns string) error {
 	return nil
 }
 
+//Temporarily disable traffic check
+/*
 func runCommand(cmd string) (string, error) {
 	err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, defaultTimeout, false, func(ctx context.Context) (bool, error) {
 		var stdout, stderr bytes.Buffer
@@ -636,6 +640,7 @@ func runCommand(cmd string) (string, error) {
 	})
 	return "", err
 }
+*/
 
 func deleteYAML(filename string, ns string) error {
 	cmd := fmt.Sprintf("kubectl delete -f %s -n %s", filename, ns)

test/e2e/nsx_security_policy_test.go

@@ -15,12 +15,9 @@
 package e2e
 
 import (
-	"fmt"
 	"path/filepath"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
 )
 
@@ -32,9 +29,8 @@ const (
 // This is the very basic, blocking all in and out traffic between pods should take effect.
 func TestSecurityPolicyBasicTraffic(t *testing.T) {
 	ns := "test-security-policy-1"
-	busybox := "busybox"
-	ncPod := "nc-pod"
 	securityPolicyName := "isolate-policy-1"
+	var err error
 	setupTest(t, ns)
 	defer teardownTest(t, ns, defaultTimeout)
 
@@ -44,18 +40,22 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) {
 	netcatPath, _ := filepath.Abs("./manifest/testSecurityPolicy/netcat-pod.yaml")
 	_ = applyYAML(netcatPath, ns)
 
-	// Wait for pods
-	ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns)
-	t.Logf("Pods are %v", ps)
-	assertNil(t, err, "Error when waiting for IP for Pod %s", busybox)
-	iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns)
-	t.Logf("Pods are %v", iPs)
-	assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod)
-
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
-	assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
-
+	//Temporarily disable traffic check
+	/*
+		busybox := "busybox"
+		ncPod := "nc-pod
+		// Wait for pods
+		ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns)
+		t.Logf("Pods are %v", ps)
+		assertNil(t, err, "Error when waiting for IP for Pod %s", busybox)
+		iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns)
+		t.Logf("Pods are %v", iPs)
+		assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod)
+
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
+		assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
+	*/
 	// Create security policy
 	nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/ns-isolation-policy.yaml")
 	_ = applyYAML(nsIsolationPath, ns)
@@ -69,9 +69,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) {
 	err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true)
 	assertNil(t, err)
 
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
-	assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox)
+	//Temporarily disable traffic check
+	/*
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
+		assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox)
+	*/
 
 	// Delete security policy
 	_ = deleteYAML(nsIsolationPath, ns)
@@ -84,9 +87,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) {
 	err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false)
 	assertNil(t, err)
 
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
-	assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
+	//Temporarily disable traffic check
+	/*
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
+		assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
+	*/
 }
 
 // TestSecurityPolicyAddDeleteRule verifies that when adding or deleting rule, the security policy will be updated.
@@ -144,9 +150,7 @@ func TestSecurityPolicyAddDeleteRule(t *testing.T) {
 func TestSecurityPolicyMatchExpression(t *testing.T) {
 	ns := "test-security-policy-match-expression"
 	securityPolicyName := "expression-policy-1"
-	clientA := "client-a"
-	clientB := "client-b"
-	podA := "pod-a"
+	var err error
 	setupTest(t, ns)
 	defer teardownTest(t, ns, defaultTimeout)
 
@@ -155,22 +159,28 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
 	_ = applyYAML(podPath, ns)
 	defer deleteYAML(podPath, "")
 
-	// Wait for pods
-	ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns)
-	t.Logf("Pods are %v", ps)
-	assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
-	psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns)
-	t.Logf("Pods are %v", psb)
-	assertNil(t, err, "Error when waiting for IP for Pod %s", clientB)
-	iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns)
-	t.Logf("Pods are %v", iPs)
-	assertNil(t, err, "Error when waiting for IP for Pod %s", podA)
-
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
-	assertNil(t, err, "Error when running ping command from Pod %s", clientA)
-	err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
-	assertNil(t, err, "Error when running ping command from Pod %s", clientB)
+	// Temporarily disable traffic check
+	//clientA := "client-a"
+	//clientB := "client-b"
+	//podA := "pod-a"
+	/*
+		// Wait for pods
+		ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns)
+		t.Logf("Pods are %v", ps)
+		assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
+		psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns)
+		t.Logf("Pods are %v", psb)
+		assertNil(t, err, "Error when waiting for IP for Pod %s", clientB)
+		iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns)
+		t.Logf("Pods are %v", iPs)
+		assertNil(t, err, "Error when waiting for IP for Pod %s", podA)
+
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
+		assertNil(t, err, "Error when running ping command from Pod %s", clientA)
+		err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
+		assertNil(t, err, "Error when running ping command from Pod %s", clientB)
+	*/
 
 	// Create security policy
 	nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/match-expression.yaml")
@@ -185,11 +195,14 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
 	err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true)
 	assertNil(t, err)
 
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
-	assertNil(t, err, "Error when running ping command from Pod %s", clientA)
-	err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
-	assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB)
+	// Temporarily disable traffic check
+	/*
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
+		assertNil(t, err, "Error when running ping command from Pod %s", clientA)
+		err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
+		assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB)
+	*/
 
 	// Delete security policy
 	_ = deleteYAML(nsIsolationPath, ns)
@@ -202,13 +215,17 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
 	err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false)
 	assertNil(t, err)
 
-	// Ping from pod
-	err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
-	assertNil(t, err, "Error when running ping command from Pod %s", clientA)
-	err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
-	assertNil(t, err, "Error when running ping command from Pod %s", clientB)
+	// Temporarily disable traffic check
+	/*
+		// Ping from pod
+		err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
+		assertNil(t, err, "Error when running ping command from Pod %s", clientA)
+		err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
+		assertNil(t, err, "Error when running ping command from Pod %s", clientB)
+	*/
 }
 
+/*
 // TestSecurityPolicyNamedPort0 verifies that the traffic of security policy when named port applied.
 // This test is to verify the named port feature of security policy.
 // When appliedTo is in policy level.
@@ -763,3 +780,4 @@ func TestSecurityPolicyNamedPort7(t *testing.T) {
 	err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 	assertNil(t, err)
 }
+*/

test/e2e/util.go

@@ -30,13 +30,16 @@ func assertNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool
 	panic("assertion failed")
 }
 
+//Temporarily disable traffic check
+/*
 func assertNotNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool {
 	if assert.NotNil(t, object, msgAndArgs...) {
 		t.Logf("assertNotNil: %v", object)
 		return true
 	}
 	panic("assertion failed")
 }
+*/
 
 func assertTrue(t *testing.T, value bool, msgAndArgs ...interface{}) bool {
 	if assert.True(t, value, msgAndArgs...) {