From 0bf62c952bd693cbca1b3adc431faec9db87234c Mon Sep 17 00:00:00 2001 From: Hongliang Liu Date: Fri, 22 Mar 2024 23:59:51 +0800 Subject: [PATCH] Fix L7 NetworkPolicy e2e test failure Fix #6129 In the failure tests, the following function is called to verify whether a connection should be allowed or denied. To verify a connection should be denied, it requires 5 seconds. ``` func probeClientIPFromPod(data *TestData, pod, container string, baseUrl string) (string, error) { url := fmt.Sprintf("%s/%s", baseUrl, "clientip") hostPort, _, err := data.runWgetCommandFromTestPodWithRetry(pod, data.testNamespace, container, url, 5) if err != nil { return "", err } host, _, err := net.SplitHostPort(hostPort) return host, err } ``` Before #5843, these e2e tests utilized the function PollImmediate from k8s.io/apimachinery/pkg/util/wait, which immediately calls an anonymous function including the above function. Since the timeout is 5 seconds, and the ticker time is 1 second, and the anonymous function runs immediately, the 5-second timeout is sufficient to verify the denied state of a connection as mentioned above. However, after #5843, the function `Eventually` from github.com/stretchr/testify/assert is used with the same parameters, which implies that the anonymous function runs after the first ticker time, leaving 4 seconds. 4 seconds are insufficient to verify the denied state of a connection. To resolve the issue, the timeout should be adjusted to be more than 5 seconds. Signed-off-by: Hongliang Liu --- test/e2e/l7networkpolicy_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/l7networkpolicy_test.go b/test/e2e/l7networkpolicy_test.go index 730a968070f..0f138607a6a 100644 --- a/test/e2e/l7networkpolicy_test.go +++ b/test/e2e/l7networkpolicy_test.go @@ -134,7 +134,7 @@ func probeL7NetworkPolicyHTTP(t *testing.T, data *TestData, serverPodName, clien return false } return true - }, 5*time.Second, time.Second) + }, 10*time.Second, time.Second) // Verify that access to path /hostname is as expected. assert.Eventually(t, func() bool { @@ -146,7 +146,7 @@ func probeL7NetworkPolicyHTTP(t *testing.T, data *TestData, serverPodName, clien return false } return true - }, 5*time.Second, time.Second) + }, 10*time.Second, time.Second) // For IPv4, non-HTTP connections should be rejected by Suricata. For IPv6, there is an issue that reject // packet cannot be generated by Suricata and sent back to client.