[Followup] Fix action field in NetworkPolicyEvaluation for KNP

pkg/antctl/transform/networkpolicy/response.go

@@ -187,14 +187,18 @@ func (r EvaluationResponse) GetTableHeader() []string {
 
 func (r EvaluationResponse) GetTableRow(_ int) []string {
 	if r.NetworkPolicyEvaluation != nil && r.Response != nil {
-		// Handle K8s NPs empty action field. "Allow" corresponds to a K8s NP
-		// allow action, and "Isolate" corresponds to a drop action because of the
-		// default isolation model. Otherwise, display the action field content.
-		action := "Allow"
+		action := ""
 		if r.Response.Rule.Action != nil {
 			action = string(*r.Response.Rule.Action)
 		} else if r.Response.RuleIndex == math.MaxInt32 {
+			// Responses from endpoint query with original rules will always have
+			// valid action fields, except for the synthetic isolation rules,
+			// identified by a MaxInt32 rule index. "Isolate" corresponds to
+			// a drop action because of the default isolation model of K8s NPs.
 			action = "Isolate"
+		} else {
+			// Should not be possible.
+			action = "Unknown"
 		}
 		return []string{
 			r.Response.NetworkPolicy.Name,

pkg/antctl/transform/networkpolicy/response_test.go

@@ -182,7 +182,7 @@ func TestEvaluationResponseTransform(t *testing.T) {
 	assert.Equal(t, []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION", "ACTION"}, test.GetTableHeader())
 	assert.False(t, test.SortRows())
 	assert.Equal(t, []string{"", "", "", "", "", ""}, test.GetTableRow(32))
-	testDropAction := crdv1beta1.RuleActionDrop
+	testDropAction, testAllowAction := crdv1beta1.RuleActionDrop, crdv1beta1.RuleActionAllow
 
 	tests := []struct {
 		name           string
@@ -198,7 +198,7 @@ func TestEvaluationResponseTransform(t *testing.T) {
 					Name:      "testK8s",
 				},
 				RuleIndex: 10,
-				Rule:      cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn},
+				Rule:      cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn, Action: &testAllowAction},
 			},
 			expectedOutput: []string{"testK8s", "ns", "K8sNetworkPolicy", "10", "In", "Allow"},
 		},
@@ -228,6 +228,19 @@ func TestEvaluationResponseTransform(t *testing.T) {
 			},
 			expectedOutput: []string{"testK8s", "ns", "K8sNetworkPolicy", fmt.Sprint(math.MaxInt32), "In", "Isolate"},
 		},
+		{
+			name: "Unknown action in response",
+			testResponse: &cpv1beta.NetworkPolicyEvaluationResponse{
+				NetworkPolicy: cpv1beta.NetworkPolicyReference{
+					Type:      cpv1beta.AntreaNetworkPolicy,
+					Namespace: "ns",
+					Name:      "testError",
+				},
+				RuleIndex: 10,
+				Rule:      cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn},
+			},
+			expectedOutput: []string{"testError", "ns", "AntreaNetworkPolicy", "10", "In", "Unknown"},
+		},
 	}
 
 	for _, tt := range tests {

pkg/controller/networkpolicy/endpoint_querier.go

@@ -115,7 +115,7 @@ func (eq *EndpointQuerierImpl) QueryNetworkPolicyRules(namespace, podName string
 	appliedToGroupKeys := groups[appliedToGroupType]
 	// We iterate over all AppliedToGroups (same for AddressGroups below). This is acceptable
 	// since this implementation only supports user queries (in particular through antctl) and
-	// should resturn within a reasonable amount of time. We experimented with adding Pod
+	// should return within a reasonable amount of time. We experimented with adding Pod
 	// Indexers to the AppliedToGroup and AddressGroup stores, but we felt that this use case
 	// did not justify the memory overhead. If we can find another use for the Indexers as part
 	// of the NetworkPolicy Controller implementation, we may consider adding them back.
@@ -192,10 +192,10 @@ func processEndpointAppliedRules(appliedPolicies []*antreatypes.NetworkPolicy, i
 			for _, rule := range internalPolicy.Rules {
 				if rule.Direction == controlplane.DirectionIn && !isSourceEndpoint {
 					isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
-						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name}})
 				} else if rule.Direction == controlplane.DirectionOut && isSourceEndpoint {
 					isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
-						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name}})
 				}
 			}
 		}

pkg/controller/networkpolicy/endpoint_querier_test.go

@@ -264,10 +264,10 @@ func TestQueryNetworkPolicyRules(t *testing.T) {
 					{SourceRef: &policyRef},
 				},
 				EndpointAsIngressSrcRules: []*antreatypes.RuleInfo{
-					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}},
+					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn, Action: &allowAction}},
 				},
 				EndpointAsEgressDstRules: []*antreatypes.RuleInfo{
-					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}},
+					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut, Action: &allowAction}},
 				},
 			},
 		},
@@ -284,10 +284,10 @@ func TestQueryNetworkPolicyRules(t *testing.T) {
 					{SourceRef: &policyRef1},
 				},
 				EndpointAsIngressSrcRules: []*antreatypes.RuleInfo{
-					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}},
+					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn, Action: &allowAction}},
 				},
 				EndpointAsEgressDstRules: []*antreatypes.RuleInfo{
-					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}},
+					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef}, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut, Action: &allowAction}},
 				},
 			},
 		},
@@ -303,7 +303,7 @@ func TestQueryNetworkPolicyRules(t *testing.T) {
 					{SourceRef: &policyRef2},
 				},
 				EndpointAsIngressSrcRules: []*antreatypes.RuleInfo{
-					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef2}, Index: 1, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}},
+					{Policy: &antreatypes.NetworkPolicy{SourceRef: &policyRef2}, Index: 1, Rule: &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn, Action: &allowAction}},
 				},
 			},
 		},
@@ -313,6 +313,7 @@ func TestQueryNetworkPolicyRules(t *testing.T) {
 		assert.Equal(t, len(expectedRules), len(responseRules))
 		for idx := range expectedRules {
 			assert.EqualValues(t, expectedRules[idx].Rule.Direction, responseRules[idx].Rule.Direction)
+			assert.EqualValues(t, expectedRules[idx].Rule.Action, responseRules[idx].Rule.Action)
 			assert.Equal(t, expectedRules[idx].Index, responseRules[idx].Index)
 			assert.Equal(t, expectedRules[idx].Policy.SourceRef, responseRules[idx].Policy.SourceRef)
 		}
@@ -377,9 +378,7 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
 				Direction: direction,
 				Name:      fmt.Sprintf("Policy%sRule%d", policyUID, i),
 				Priority:  int32(i),
-			}
-			if action != nil {
-				rules[i].Action = action
+				Action:    action,
 			}
 		}
 		return []*antreatypes.NetworkPolicy{{
@@ -497,35 +496,35 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
 			request: accessRequest,
 			mockQueryResponse: []mockResponse{
 				{response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, ptr.To(crdv1beta1.BaselineTierPriority), nil, 1, &allowAction),
-					generateRuleInfo(generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil)[0]))},
-				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil),
+					generateRuleInfo(generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, &allowAction)[0]))},
+				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, &allowAction),
 					generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, ptr.To(crdv1beta1.BaselineTierPriority), nil, 1, &allowAction)[0]))},
 			},
 			expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
 				NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2},
 				RuleIndex:     0,
-				Rule:          controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"},
+				Rule:          controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0", Action: &allowAction},
 			},
 		},
 		{
 			name:    "KNP and default isolation",
 			request: accessRequest,
 			mockQueryResponse: []mockResponse{
-				{response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)},
-				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil),
-					generateRuleInfo(generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil)[0]))},
+				{response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, &allowAction), nil)},
+				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, &allowAction),
+					generateRuleInfo(generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, &allowAction)[0]))},
 			},
 			expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
 				NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1},
 				RuleIndex:     0,
-				Rule:          controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"},
+				Rule:          controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0", Action: &allowAction},
 			},
 		},
 		{
 			name:    "KNP egress default isolation",
 			request: accessRequest,
 			mockQueryResponse: []mockResponse{
-				{response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)},
+				{response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, &allowAction), nil)},
 				{response: generateResponse(2, nil, nil)},
 			},
 			expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
@@ -539,7 +538,7 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
 			request: accessRequest,
 			mockQueryResponse: []mockResponse{
 				{response: generateResponse(1, nil, nil)},
-				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), nil)},
+				{response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, &allowAction), nil)},
 			},
 			expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
 				NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2},