@electricjesus
Member

Description

This PR adds a static analysis tool that validates that network policy selectors match actual pod labels. This helps catch bugs like the PrometheusSelector issue (PR #4410), where policy selectors didn't match actual pod labels.

Type: New feature (test infrastructure)

Why this should be merged:

  • Catches selector/label mismatches that could block traffic in production
  • Runs automatically in CI as part of render tests
  • Provides clear diagnostic output showing which selectors don't match

Testing:

  • Ran go test -v -run TestPolicyAnalysis ./pkg/render/...
  • Test successfully detects existing label inconsistencies in the codebase

Components affected:

  • pkg/render/testutils/policy_analysis.go - Extraction and validation utilities
  • pkg/render/policy_analysis_test.go - Main test file

The tool validates:

  • Policy selectors match at least one pod in the same namespace
  • Egress destination selectors match pods in target namespaces
  • Ingress source selectors match pods in source namespaces

Release Note

NONE

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

…tion

This adds a static analysis tool that:
- Extracts pod labels from rendered Deployments/DaemonSets/StatefulSets
- Extracts policy selectors from v3.NetworkPolicy objects
- Validates that policy selectors match actual pod labels
- Reports mismatches that could cause traffic blocking issues

The tool runs as part of render tests and validates:
- Policy selectors match at least one pod in the same namespace
- Egress destination selectors match pods in target namespaces
- Ingress source selectors match pods in source namespaces

Files:
- pkg/render/testutils/policy_analysis.go: Extraction and validation utilities
- pkg/render/policy_analysis_test.go: Main test that renders components and analyzes
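The three checks listed in the description and the commit message above, as an added example in Go that is not code from this PR or from the operator repository. It assumes hypothetical types (Pods, Peer, Policy) and equality-only selectors in place of Calico selector expressions; the sample pods and policy are constructed.

```go
package main
import "fmt"
// Hypothetical, simplified model, not the PR's own types. Assumption: the real tool
// parses Calico selector expressions; here a selector holds key == value terms only.
type Pods map[string][]map[string]string // namespace -> one label map per rendered workload
type Peer struct { // an "ingress source" or "egress destination" and the namespace it must match in
	Kind, Namespace string
	Selector        map[string]string
}
type Policy struct {
	Name, Namespace string
	Selector        map[string]string
	Peers           []Peer
}
// matchesAny reports whether sel selects at least one of the given label maps.
func matchesAny(sel map[string]string, pods []map[string]string) bool {
next:
	for _, labels := range pods {
		for k, v := range sel {
			if got, ok := labels[k]; !ok || got != v {
				continue next
			}
		}
		return true
	}
	return false
}

// Analyze applies the PR's three checks: the policy selector must match a pod in
// its own namespace, and each peer selector a pod in the peer's namespace.
func Analyze(policies []Policy, pods Pods) (findings []string) {
	for _, pol := range policies {
		if !matchesAny(pol.Selector, pods[pol.Namespace]) {
			findings = append(findings, fmt.Sprintf("%s/%s: policy selector %v matches no pod", pol.Namespace, pol.Name, pol.Selector))
		}
		for _, p := range pol.Peers {
			if !matchesAny(p.Selector, pods[p.Namespace]) {
				findings = append(findings, fmt.Sprintf("%s/%s: %s %v matches no pod in %s", pol.Namespace, pol.Name, p.Kind, p.Selector, p.Namespace))
			}
		}
	}
	return findings
}

// SampleFindings runs Analyze on constructed data in which the peer selector names
// a label value no pod carries, the kind of mismatch the PR's tool is meant to catch.
func SampleFindings() []string {
	pods := Pods{"monitoring": {{"k8s-app": "prometheus"}}, "apiserver": {{"k8s-app": "api"}}}
	pol := Policy{Name: "allow-scrape", Namespace: "apiserver", Selector: map[string]string{"k8s-app": "api"},
		Peers: []Peer{{"ingress source", "monitoring", map[string]string{"k8s-app": "prometheus-server"}}}}
	return Analyze([]Policy{pol}, pods)
}
```

A namespace with no rendered workloads yields an empty label list, so every selector aimed at it is reported; that covers the case where a policy points at a component that is not rendered at all.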
@electricjesus electricjesus requested a review from a team as a code owner February 9, 2026 15:56
@marvin-tigera marvin-tigera added this to the v1.42.0 milestone Feb 9, 2026
@electricjesus electricjesus marked this pull request as draft February 9, 2026 16:02