fix issue #549 + add test

Signed-off-by: adisos <[email protected]>
IBM · Jul 10, 2023 · 72f8ceb · 72f8ceb
1 parent 7335253
commit 72f8ceb
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 1 deletion.
diff --git a/nca/Parsers/IngressPolicyYamlParser.py b/nca/Parsers/IngressPolicyYamlParser.py
@@ -94,7 +94,11 @@ def parse_backend(self, backend, is_default=False):
 
         service_port = srv.get_port_by_name(port_name) if port_name else srv.get_port_by_number(port_number)
         if not service_port:
-            self.syntax_error(f'Missing port {port_name if port_name else port_number} in the service', service)
+            port_str = f'{port_name if port_name else port_number}'
+            warning_msg = f'Ingress rule redirects traffic to {service_name}:{port_str}, '
+            warning_msg += f' but port {port_str} is not exposed by Service {service_name}'
+            self.warning(warning_msg, service)
+            return None, None, False
 
         rule_ports = PortSet()
         rule_ports.add_port(service_port.target_port)  # may be either a number or a named port

diff --git a/tests/expected_runtime/k8s_tests_expected_runtime.csv b/tests/expected_runtime/k8s_tests_expected_runtime.csv
@@ -139,3 +139,4 @@ k8s_testcases/example_policies/withIpBlock2/withIpBlock2-scheme.yaml,5.51
 k8s_testcases/example_policies/workload-resources-test/file-system-resource-test-scheme.yaml,0.07
 k8s_testcases/example_policies/workload-resources-test/git-resource-test-scheme.yaml,7.66
 k8s_testcases/network-policy-checks-bad-path/network-policy-check-bad-path-scheme.yaml,0.80
+k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml,0.06
diff --git a/tests/k8s_testcases/ingress-bad-path-test/sample-app/sample.yaml b/tests/k8s_testcases/ingress-bad-path-test/sample-app/sample.yaml
@@ -0,0 +1,56 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-service-ingress
+  namespace: sample
+spec:
+  rules:
+  - host: my-app.domain
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-service
+            port:
+              number: 8080
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+  namespace: sample
+  labels:
+    app: my-app
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+  selector:
+    app: my-app
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+  namespace: sample
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      serviceAccountName: sample
+      containers:
+      - name: my-app
+        image: webapp:1
+        ports:
+        - containerPort: 8080
diff --git a/tests/k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml b/tests/k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml
@@ -0,0 +1,10 @@
+resourceList: []
+networkConfigList:
+  - name: sample
+    resourceList:
+      - ./sample-app/**
+    expectedWarnings: 1  #  Warning: Ingress rule redirects traffic to my-service:8080,  but port 8080 is not exposed by Service my-service
+queries:
+  - name: connectivity_map
+    connectivityMap:
+      - sample