automation:Simulate network restriction for network-policy test coverage (#2348)

Verify CNAO pods can operate under network restrictions affecting the
project namespace by simulating network restriction using
network-policies.

The affected CI jobs are the following check patch jobs:
- workflow
- monitoring
- ipam-ext
- kubemacpool
- kube-secondary-dns

Signed-off-by: Or Mergi <[email protected]>

Author: ormergi

automation/check-patch.e2e-kube-secondary-dns-functests.sh

@@ -29,6 +29,9 @@ main() {
 
     trap teardown EXIT
 
+    echo "Simulate network restrictions on CNAO namespace"
+    ./hack/install-network-policy.sh
+
     ./hack/deploy-kubevirt.sh
     cd ${TMP_COMPONENT_PATH}
     make create-nodeport

automation/check-patch.e2e-kubemacpool-functests.sh

@@ -44,6 +44,9 @@ main() {
 
     trap teardown EXIT
 
+    echo "Simulate network restrictions on CNAO namespace"
+    ./hack/install-network-policy.sh
+
     echo "Deploy KubeVirt latest stable release"
     ./hack/deploy-kubevirt.sh
 

automation/check-patch.e2e-kubevirt-ipam-controller-functests.sh

@@ -68,6 +68,8 @@ main() {
     ./cluster/cert-manager-install.sh
     deploy_cnao
     deploy_cnao_cr
+    echo "Simulate network restrictions on CNAO namespace"
+    ./hack/install-network-policy.sh
     ./hack/deploy-kubevirt.sh
     ./cluster/kubectl.sh -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/developerConfiguration","value":{"featureGates":[]}},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"NetworkBindingPlugins"},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"DynamicPodInterfaceNaming"}]'
     ./cluster/kubectl.sh -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/network","value":{"binding":{"l2bridge":{"domainAttachmentType":"managedTap","migration":{}}}}}]'

automation/check-patch.e2e-monitoring-k8s.sh

@@ -28,6 +28,9 @@ main() {
     make cluster-operator-push
     make cluster-operator-install
 
+     echo "Simulate network restriction on CNAO namespace"
+     ./hack/install-network-policy.sh
+
     make E2E_TEST_EXTRA_ARGS="-ginkgo.noColor --ginkgo.junit-report=$ARTIFACTS/junit.functest.xml" test/e2e/monitoring
 }
 

automation/check-patch.e2e-workflow-k8s.sh

@@ -24,6 +24,10 @@ main() {
     ./hack/deploy-kubevirt.sh
     make cluster-operator-push
     make cluster-operator-install
+
+    echo "Simulate network restriction on CNAO namespace"
+    ./hack/install-network-policy.sh
+
     make E2E_TEST_EXTRA_ARGS="-ginkgo.noColor --ginkgo.junit-report=$ARTIFACTS/junit.functest.xml" test/e2e/workflow
 }
 

hack/install-network-policy.sh

@@ -0,0 +1,97 @@
+#!/bin/bash -ex
+#
+# Copyright 2025 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This script install NetworkPolicy that affects CNAO namespace.
+# The network-policy blocks egress/ingress traffic in CNAO namespace with the following exceptions:
+# 1. Allow egress to cluster API and DNS for pods who labeled with
+#    "hco.kubevirt.io/allow-access-cluster-services"
+# 2. Allow ingress to metrics endpoint to pods who labeled with
+#    "hco.kubevirt.io/allow-prometheus-access"
+
+readonly ns="$(./cluster/kubectl.sh get pod -l name=cluster-network-addons-operator -A -o=custom-columns=NS:.metadata.namespace --no-headers | head -1)"
+[[ -z "${ns}" ]] && echo "FATAL: CNAO pods not found. Make sure its installed" && exit 1
+
+cat <<EOF | ./cluster/kubectl.sh -n "${ns}" apply -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress: []
+  egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-cluster-dns
+spec:
+  podSelector:
+    matchExpressions:
+    - key: hco.kubevirt.io/allow-access-cluster-services
+      operator: Exists
+  policyTypes:
+  - Egress
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+        podSelector:
+          matchLabels:
+            k8s-app: kube-dns
+      ports:
+        - protocol: TCP
+          port: dns-tcp
+        - protocol: UDP
+          port: dns
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-cluster-api
+spec:
+  podSelector:
+    matchExpressions:
+    - key: hco.kubevirt.io/allow-access-cluster-services
+      operator: Exists
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - protocol: TCP
+      port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-to-metrics-endpoint
+spec:
+  podSelector:
+    matchExpressions:
+    - key: hco.kubevirt.io/allow-prometheus-access
+      operator: Exists
+  policyTypes:
+  - Ingress
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: metrics
+EOF