CNTRLPLANE-2751:Adding e2e network policy cases for config-operator

[gangwgr]

Adding e2e network policy cases for config-operator.
cluster-config-operator PR #463 (API-1646) adds NetworkPolicies to the namespaces managed by the cluster-config-operator (openshift-config-operator, openshift-config, openshift-config-managed). This PR adds E2E tests to verify those policies are correctly applied and reconciled.

Summary by CodeRabbit

• Tests
  • Added an end-to-end test suite validating Config Operator-managed NetworkPolicy enforcement: default-deny behavior, selective ingress/egress rules, pod connectivity probes, DNS connectivity checks when applicable, automatic policy restoration after deletion/mutation, and multi-namespace policy verification.
• Chores
  • Registered the new test package and added governance rules for reviewers/approvers.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new extended E2E test suite that validates OpenShift Config Operator NetworkPolicy creation, enforcement, DNS egress behavior, and reconciliation; an OWNERS file for the new tests; and registers the suite via a blank import in the extended tests package.

Changes

Cohort / File(s)	Summary
Config Operator NetworkPolicy tests & metadata test/extended/config_operator/config_operator_networkpolicy.go, test/extended/config_operator/OWNERS	New Ginkgo E2E test file (~810 lines) exercising NetworkPolicy enforcement, DNS egress checks, cross-namespace policy presence, and operator-driven policy restoration; plus an OWNERS file listing three reviewers/approvers.
Test suite registration test/extended/include.go	Added blank import of github.com/openshift/origin/test/extended/config_operator to register the new tests with the extended test framework.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 7 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test file has 22 assertions without meaningful failure messages, violating messaging requirements; enforcement test combines unrelated behaviors; network policies lack cleanup; restoreNetworkPolicy function has critical deletion verification bug.	Add failure messages to all 22 assertions; split multi-behavior enforcement test into separate focused tests; implement deletion verification fix with apierrors import and UID tracking; add cleanup using g.DeferCleanup().
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The probeConnectivity function uses fmt.Sprintf("%s:%d", ip, port) which produces invalid IPv6 socket addresses like "2001:db8::1:8080" instead of "[2001:db8::1]:8080", causing netcat to fail on IPv6-only clusters.	Use net.JoinHostPort(ip, fmt.Sprintf("%d", port)) to correctly format both IPv4 and IPv6 addresses with ports in the probeConnectivity function.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding end-to-end network policy test cases for the config-operator, which aligns with the substantial NetworkPolicy test file and integration changes in the changeset.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test titles in config_operator_networkpolicy.go are stable and deterministic with no dynamic values in titles.
Microshift Test Compatibility	✅ Passed	Test file is protected from MicroShift with [Skipped:MicroShift] label in Describe block at line 37.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests create multiple pods for NetworkPolicy enforcement verification, all capable of running on a single node without multi-node topology requirements or scheduling constraints.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR adds an E2E test file that validates NetworkPolicy enforcement without scheduling constraints that assume standard HA topology.
Ote Binary Stdout Contract	✅ Passed	All output operations use g.GinkgoWriter.Printf(), which is framework-intercepted and allowed. No init() functions, direct stdout writes, or logging framework calls detected. OTE Binary Stdout Contract compliance verified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/networking/config_operator_networkpolicy.go`:
- Around line 153-191: The test currently only logs NetworkPolicies for
namespaces in namespacesToTest and allows empty results, so it can pass without
verifying reconciliation; update the loop (referencing namespacesToTest and the
call cs.NetworkingV1().NetworkPolicies(ns).List and logNetworkPolicyDetails) to
assert that the target namespaces "openshift-config" and
"openshift-config-managed" contain at least one NetworkPolicy (use
o.Expect(len(policies.Items)).To(o.BeNumerically(">", 0)) or equivalent) and
fail the test if empty; keep the existing logging for debugging but replace the
permissive if/else with a strict assertion for those two namespaces while
leaving observational logging for other namespaces.
- Around line 138-147: The loop over DNS ports unconditionally breaks on the
first iteration so only port 53 is tested and dnsReachable is set true
regardless; update the loop that iterates []int32{53, 5353} to attempt both
ports (remove the unconditional break) and set dnsReachable only when a
successful probe occurs (i.e., call logConnectivityBestEffort for each port and
use its success result or modify/use a helper that returns a bool), e.g., call
logConnectivityBestEffort(configOperatorNamespace, operatorLabels, dnsIPs, port)
for each port and set dnsReachable = true only if that call indicates
reachability, leaving the loop to continue trying remaining ports until one
succeeds or all fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c052d7ae-5c11-42df-9b95-f211197f537a

📥 Commits

Reviewing files that changed from the base of the PR and between 7da3e1c and 1622182.

📒 Files selected for processing (1)

• test/extended/networking/config_operator_networkpolicy.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

DNS probe loop only tests the first port due to unconditional break.

Line 143 exits on the first iteration, so port 5353 is never checked, and dnsReachable is always true once the loop runs.

Suggested fix

-            dnsReachable := false
-            for _, port := range []int32{53, 5353} {
+            for _, port := range []int32{53, 5353} {
                 g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
                 logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
-                dnsReachable = true
-                break
-            }
-            if !dnsReachable {
-                g.GinkgoWriter.Printf("DNS connectivity check skipped (no ports tested)\n")
             }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	dnsReachable := false
	for _, port := range []int32{53, 5353} {
	g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
	logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
	dnsReachable = true
	break
	}
	if !dnsReachable {
	g.GinkgoWriter.Printf("DNS connectivity check skipped (no ports tested)\n")
	}
	for _, port := range []int32{53, 5353} {
	g.GinkgoWriter.Printf("checking DNS connectivity on port %d\n", port)
	logConnectivityBestEffort(ctx, cs, configOperatorNamespace, operatorLabels, dnsIPs, port, true)
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 138 -
147, The loop over DNS ports unconditionally breaks on the first iteration so
only port 53 is tested and dnsReachable is set true regardless; update the loop
that iterates []int32{53, 5353} to attempt both ports (remove the unconditional
break) and set dnsReachable only when a successful probe occurs (i.e., call
logConnectivityBestEffort for each port and use its success result or modify/use
a helper that returns a bool), e.g., call
logConnectivityBestEffort(configOperatorNamespace, operatorLabels, dnsIPs, port)
for each port and set dnsReachable = true only if that call indicates
reachability, leaving the loop to continue trying remaining ports until one
succeeds or all fail.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

These specs are mostly observational and can pass even when target policies are missing.

Line 168 and Line 210 allow empty policy sets (or only log them), so the tests can pass without proving reconciliation in openshift-config and openshift-config-managed, which is the core PR objective.

Suggested assertion-focused update

@@
-            if len(policies.Items) > 0 {
+            if len(policies.Items) > 0 {
                 g.GinkgoWriter.Printf("Found %d NetworkPolicy(ies) in %s\n", len(policies.Items), ns)
                 for _, policy := range policies.Items {
                     g.GinkgoWriter.Printf("  - %s\n", policy.Name)
                     logNetworkPolicyDetails(fmt.Sprintf("%s/%s", ns, policy.Name), &policy)
                 }
             } else {
                 g.GinkgoWriter.Printf("No NetworkPolicies found in %s\n", ns)
             }
+            // Assert policy reconciliation for namespaces covered by API-1646.
+            if ns == configNamespace || ns == configManagedNamespace {
+                o.Expect(policies.Items).NotTo(o.BeEmpty(), "expected reconciled NetworkPolicies in %s", ns)
+            }
@@
-            if len(policies.Items) == 0 {
-                g.GinkgoWriter.Printf("No NetworkPolicies found in %s, skipping enforcement tests\n", ns.namespace)
-                continue
-            }
+            o.Expect(policies.Items).NotTo(o.BeEmpty(), "expected NetworkPolicies in %s before enforcement checks", ns.namespace)

Also applies to: 193-251

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/networking/config_operator_networkpolicy.go` around lines 153 -
191, The test currently only logs NetworkPolicies for namespaces in
namespacesToTest and allows empty results, so it can pass without verifying
reconciliation; update the loop (referencing namespacesToTest and the call
cs.NetworkingV1().NetworkPolicies(ns).List and logNetworkPolicyDetails) to
assert that the target namespaces "openshift-config" and
"openshift-config-managed" contain at least one NetworkPolicy (use
o.Expect(len(policies.Items)).To(o.BeNumerically(">", 0)) or equivalent) and
fail the test if empty; keep the existing logging for debugging but replace the
permissive if/else with a strict assertion for those two namespaces while
leaving observational logging for other namespaces.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-2751 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adding e2e network policy cases for config-operator.
cluster-config-operator PR #463 (API-1646) adds NetworkPolicies to the namespaces managed by the cluster-config-operator (openshift-config-operator, openshift-config, openshift-config-managed). This PR adds E2E tests to verify those policies are correctly applied and reconciled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gangwgr]

/retest-required

[gangwgr]

/test e2e-aws-ovn-fips

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/pipeline required

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: ca0fdce

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: ca0fdce

• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[gangwgr]

/test e2e-gcp-ovn

[gangwgr]

/payload 4.22 nightly blocking
/payload 4.22 nightly informing

[openshift-ci]

@gangwgr: trigger 13 job(s) of type blocking for the nightly release of OCP 4.22

• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-rt-upgrade
• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-serial-2of2
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-2of3
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-3of3
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv4
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv6

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8ee1bb20-36fd-11f1-80d9-14c53d83a1f4-0

trigger 66 job(s) of type informing for the nightly release of OCP 4.22

• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance
• periodic-ci-openshift-release-main-nightly-4.22-console-aws
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-aws
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-csi
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-cgroupsv2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-fips
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-techpreview-serial
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips-no-nat-instance
• periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upi
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-azure
• periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-csi
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-cnv-nightly-4.22-deploy-azure-kubevirt-ovn
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-gcp
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-rt
• periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-techpreview
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-kubevirt-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-dualstack-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-ipv6-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-ipv4
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-2of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-4.22-metal-ovn-single-node-recert-cluster-rename
• periodic-ci-openshift-osde2e-main-nightly-4.22-osd-aws
• periodic-ci-openshift-release-main-nightly-4.22-e2e-osd-ccs-gcp
• periodic-ci-openshift-osde2e-main-nightly-4.22-osd-gcp
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-proxy
• periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-single-node-live-iso
• periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes
• periodic-ci-openshift-release-main-nightly-4.22-e2e-telco5g
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-csi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-4.22-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-ci-4.22-upgrade-from-stable-4.21-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-upi
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-upi-serial
• periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-static-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8ee1bb20-36fd-11f1-80d9-14c53d83a1f4-1

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[andreacv98]

/lgtm

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 7b4b29a

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2	Medium - "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: 7b4b29a

• "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-network][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[gangwgr]

/verified by ci runs

[openshift-ci-robot]

@gangwgr: This PR has been marked as verified by ci runs.

Details

In response to this:

/verified by ci runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gangwgr]

/assign @tssurya

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-2751 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Adding e2e network policy cases for config-operator.
cluster-config-operator PR #463 (API-1646) adds NetworkPolicies to the namespaces managed by the cluster-config-operator (openshift-config-operator, openshift-config, openshift-config-managed). This PR adds E2E tests to verify those policies are correctly applied and reconciled.

Summary by CodeRabbit

• Tests
• Added an end-to-end test suite validating Config Operator-managed NetworkPolicy enforcement: default-deny behavior, selective ingress/egress rules, pod connectivity probes, DNS connectivity checks when applicable, automatic policy restoration after deletion/mutation, and multi-namespace policy verification.
• Chores
• Registered the new test package and added governance rules for reviewers/approvers.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

test/extended/config_operator/config_operator_networkpolicy.go (1)

178-186: ⚠️ Potential issue | 🟠 Major

Don't treat the target namespace policies as optional.

For openshift-config and openshift-config-managed, these branches only log or continue when the policy set is empty or default-deny-all is missing. That lets the existence, enforcement, and reconciliation specs go green without proving API-1646 actually rolled out there. Assert the policy is present before continuing.

Also applies to: 218-221, 235-237, 261-264

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/config_operator/config_operator_networkpolicy.go` around lines
178 - 186, The test currently treats missing NetworkPolicies in target
namespaces as optional by only logging or continuing when policies.Items is
empty or when "default-deny-all" is missing; update the test to assert presence
instead: in the blocks that iterate policies (using variables policies, ns and
policy.Name and calling logNetworkPolicyDetails) change the logic to fail the
test (use Gomega/Expect or g.Fail) if policies.Items is empty for the target
namespaces (e.g., "openshift-config" and "openshift-config-managed") and also
assert that a policy named "default-deny-all" exists in policies.Items before
proceeding, removing the current continue/log-only behavior so absence causes
test failure. Ensure you apply the same assertion change to the other similar
blocks that handle policies (the other occurrences referenced).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/config_operator/config_operator_networkpolicy.go`:
- Around line 781-789: The poll currently only compares expected.Spec to
current.Spec and can pass against the pre-delete object; modify the flow around
the Delete + wait.PollUntilContextTimeout call to capture the original object's
UID (from the first Get before Delete), import
k8s.io/apimachinery/pkg/api/errors as apierrors, and in the
PollUntilContextTimeout callback first attempt to Get the object and accept the
loop iteration only when either apierrors.IsNotFound(err) (object observed
deleted) or the returned object's UID != originalUID (object was recreated);
only after observing a NotFound or UID change proceed to compare
equality.Semantic.DeepEqual(expected.Spec, current.Spec) before returning true.

---

Duplicate comments:
In `@test/extended/config_operator/config_operator_networkpolicy.go`:
- Around line 178-186: The test currently treats missing NetworkPolicies in
target namespaces as optional by only logging or continuing when policies.Items
is empty or when "default-deny-all" is missing; update the test to assert
presence instead: in the blocks that iterate policies (using variables policies,
ns and policy.Name and calling logNetworkPolicyDetails) change the logic to fail
the test (use Gomega/Expect or g.Fail) if policies.Items is empty for the target
namespaces (e.g., "openshift-config" and "openshift-config-managed") and also
assert that a policy named "default-deny-all" exists in policies.Items before
proceeding, removing the current continue/log-only behavior so absence causes
test failure. Ensure you apply the same assertion change to the other similar
blocks that handle policies (the other occurrences referenced).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1a0cdc01-dc10-42a1-9b0c-8581f8004745

📥 Commits

Reviewing files that changed from the base of the PR and between ef2f3f7 and 67fc19f.

📒 Files selected for processing (3)

• test/extended/config_operator/OWNERS
• test/extended/config_operator/config_operator_networkpolicy.go
• test/extended/include.go

✅ Files skipped from review due to trivial changes (2)

• test/extended/include.go
• test/extended/config_operator/OWNERS

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[andreacv98]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: andreacv98, gangwgr
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

/retest-required

[gangwgr]

/test e2e-vsphere-ovn-upi

[gangwgr]

/retest-required

[gangwgr]

/retest-required

[openshift-ci]

New changes are detected. LGTM label has been removed.

[gangwgr]

/retest-required

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: cffef51

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: cffef51

• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: cffef51

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: cffef51

• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[gangwgr]

/retest-required

[gangwgr]

/retest-required

[gangwgr]

/test e2e-metal-ipi-ovn-ipv6

[gangwgr]

/retest-required

[gangwgr]

/test e2e-gcp-ovn

[gangwgr]

/retest-required

[gangwgr]

/test e2e-metal-ipi-ovn-ipv6

[openshift-ci]

@gangwgr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-fips	cffef51	link	true	/test e2e-aws-ovn-fips
ci/prow/e2e-vsphere-ovn	cffef51	link	true	/test e2e-vsphere-ovn
ci/prow/e2e-gcp-ovn	cffef51	link	true	/test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn-upi	cffef51	link	true	/test e2e-vsphere-ovn-upi
ci/prow/e2e-metal-ipi-ovn-ipv6	cffef51	link	true	/test e2e-metal-ipi-ovn-ipv6

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: cffef51

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	High - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: cffef51

• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: cffef51

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: cffef51

• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should enforce basic NetworkPolicy rules [apigroup:networking.k8s.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should restore config operator NetworkPolicies after delete or mutation [Serial][apigroup:config.openshift.io][Timeout:30m] [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicies exist [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config namespace NetworkPolicy enforcement [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 20, Pass: 20, Fail: 0, Flake: 0]
• "[sig-api-machinery][Feature:NetworkPolicy][Skipped:HyperShift][Skipped:MicroShift] Config Operator NetworkPolicy should verify config operator NetworkPolicy enforcement [Serial][apigroup:config.openshift.io] [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]