fix issue #550 + add test (#552)

Signed-off-by: adisos <[email protected]>
IBM · Jul 10, 2023 · 1b0735c · 1b0735c
1 parent c4e1aef
commit 1b0735c
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 7 deletions.
diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py
@@ -2033,17 +2033,12 @@ def exec(self):
         self.output_config.fullExplanation = True  # assign true for this query - it is always ok to compare its results
         # get_all_peers_group() does not require getting dnsEntry peers, since they are not ClusterEP (pods)
         existing_pods = self.config.peer_container.get_all_peers_group()
-        if not self.config:
+        if not self.config or self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress):
             return QueryAnswer(bool_result=False,
                                output_result=f'There are no network policies in {self.config.name}. '
                                              f'All workload resources are non captured',
                                numerical_result=len(existing_pods))
 
-        if self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress):
-            return QueryAnswer(bool_result=False,
-                               output_result='AllCapturedQuery cannot be applied using Ingress resources only',
-                               query_not_executed=True)
-
         k8s_calico_pods_list_explanation, k8s_calico_res = self._compute_uncaptured_pods_by_layer(NetworkLayerName.K8s_Calico)
         istio_pods_list_explanation, istio_res = self._compute_uncaptured_pods_by_layer(NetworkLayerName.Istio, True)
 

diff --git a/tests/expected_runtime/k8s_tests_expected_runtime.csv b/tests/expected_runtime/k8s_tests_expected_runtime.csv
@@ -139,4 +139,5 @@ k8s_testcases/example_policies/withIpBlock2/withIpBlock2-scheme.yaml,5.51
 k8s_testcases/example_policies/workload-resources-test/file-system-resource-test-scheme.yaml,0.07
 k8s_testcases/example_policies/workload-resources-test/git-resource-test-scheme.yaml,7.66
 k8s_testcases/network-policy-checks-bad-path/network-policy-check-bad-path-scheme.yaml,0.80
-k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml,0.06
+k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml,0.06
+k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml,0.08
diff --git a/tests/k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml b/tests/k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml
@@ -0,0 +1,10 @@
+resourceList: []
+networkConfigList:
+  - name: sample
+    resourceList:
+      - ./**
+queries:
+  - name: sample-all-captured
+    allCaptured:
+      - sample
+    expected: 2
diff --git a/tests/k8s_testcases/example_policies/sample-app/sample.yaml b/tests/k8s_testcases/example_policies/sample-app/sample.yaml
@@ -0,0 +1,56 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-service-ingress
+  namespace: sample
+spec:
+  rules:
+  - host: my-app.domain
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-service
+            port:
+              number: 8080
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+  namespace: sample
+  labels:
+    app: my-app
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: 8080
+  selector:
+    app: my-app
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+  namespace: sample
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      serviceAccountName: sample
+      containers:
+      - name: my-app
+        image: webapp:1
+        ports:
+        - containerPort: 8080