diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md index 3cc59b6c19a..8751363ab48 100644 --- a/docs/antrea-network-policy.md +++ b/docs/antrea-network-policy.md @@ -1626,11 +1626,11 @@ restrictions. Antrea NetworkPolicy is Namespace scoped. For example, the `test-grp-with-namespace` Group in the [sample](#group-crd) cannot be used by Antrea NetworkPolicy `appliedTo`. -- Antrea will not validate the referenced Group resources; if the convention is - violated in the Antrea NetworkPolicy's `appliedTo` section or for any of the rules' - `appliedTo`, then Antrea will report a condition of type `Realizable` in the - NetworkPolicy status with `False` status, `NetworkPolicyAppliedToUnsupportedGroup` - reason and a detailed message. +- Antrea will not validate the referenced Group resources for the `appliedTo` convention; + if the convention is violated in the Antrea NetworkPolicy's `appliedTo` section + or for any of the rules' `appliedTo`, then Antrea will report a condition + `Realizable=False` in the NetworkPolicy status, the condition includes + `NetworkPolicyAppliedToUnsupportedGroup` reason and a detailed message. - `childGroups` only accepts strings, and they will be considered as names of the Groups and will be looked up in the policy's own Namespace. For example, if child Group `child-0` exists in `ns-2`, it should not be added as a child Group for diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go index e71ca077f1b..e8b80597a25 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go @@ -15,7 +15,7 @@ package networkpolicy import ( - "errors" + "fmt" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/tools/cache" @@ -26,9 +26,6 @@ import ( antreatypes "antrea.io/antrea/pkg/controller/types" ) -// ErrNetworkPolicyAppliedToUnsupportedGroup is one of the unrealizable conditions of an internal Network Policy. -var ErrNetworkPolicyAppliedToUnsupportedGroup = errors.New("group with IPBlocks or NamespaceSelector can not be used as AppliedTo") - // addANP receives AntreaNetworkPolicy ADD events and creates resources // which can be consumed by agents to configure corresponding rules on the Nodes. func (n *NetworkPolicyController) addANP(obj interface{}) { @@ -143,10 +140,10 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net Name: np.Name, UID: np.UID, }, - Name: internalNetworkPolicyKeyFunc(np), - UID: np.UID, - Generation: np.Generation, - RealizableMessage: err.Error(), + Name: internalNetworkPolicyKeyFunc(np), + UID: np.UID, + Generation: np.Generation, + RealizationError: err, } } // Create AppliedToGroup for each AppliedTo present in AntreaNetworkPolicy spec. @@ -241,6 +238,17 @@ func (n *NetworkPolicyController) processAppliedTo(namespace string, appliedTo [ return appliedToGroupNames, nil } +// ErrNetworkPolicyAppliedToUnsupportedGroup is an error response when +// a Group with IPBlocks or NamespaceSelector is used as AppliedTo. +type ErrNetworkPolicyAppliedToUnsupportedGroup struct { + namespace string + groupName string +} + +func (e ErrNetworkPolicyAppliedToUnsupportedGroup) Error() string { + return fmt.Sprintf("group %s/%s with IPBlocks or NamespaceSelector can not be used as AppliedTo", e.namespace, e.groupName) +} + func (n *NetworkPolicyController) processAppliedToGroupForNamespacedGroup(namespace, groupName string) (string, error) { // Retrieve Group for corresponding entry in the AppliedToGroup. g, err := n.grpLister.Groups(namespace).Get(groupName) @@ -260,7 +268,7 @@ func (n *NetworkPolicyController) processAppliedToGroupForNamespacedGroup(namesp intGrp := ig.(*antreatypes.Group) if len(intGrp.IPBlocks) > 0 || (intGrp.Selector != nil && intGrp.Selector.NamespaceSelector != nil) { klog.V(2).InfoS("Group with IPBlocks or NamespaceSelector can not be used as AppliedTo", "Group", g) - return "", ErrNetworkPolicyAppliedToUnsupportedGroup + return "", ErrNetworkPolicyAppliedToUnsupportedGroup{namespace: namespace, groupName: groupName} } return n.createAppliedToGroupForInternalGroup(intGrp), nil } diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go index 128657e9296..e8b05849384 100644 --- a/pkg/controller/networkpolicy/clustergroup.go +++ b/pkg/controller/networkpolicy/clustergroup.go @@ -295,7 +295,7 @@ func (c *NetworkPolicyController) updateClusterGroupStatus(cg *crdv1alpha3.Clust Status: cStatus, Type: crdv1alpha3.GroupMembersComputed, } - if compareGroupMembersComputedConditionEqual(cg.Status.Conditions, condStatus) { + if groupMembersComputedConditionEqual(cg.Status.Conditions, condStatus) { // There is no change in conditions. return nil } diff --git a/pkg/controller/networkpolicy/clustergroup_test.go b/pkg/controller/networkpolicy/clustergroup_test.go index e10e757ccde..804fe41551c 100644 --- a/pkg/controller/networkpolicy/clustergroup_test.go +++ b/pkg/controller/networkpolicy/clustergroup_test.go @@ -487,7 +487,7 @@ func TestClusterClusterGroupMembersComputedConditionEqual(t *testing.T) { Type: crdv1alpha3.GroupMembersComputed, Status: tt.checkStatus, } - actualValue := compareGroupMembersComputedConditionEqual(tt.existingConds, inCond) + actualValue := groupMembersComputedConditionEqual(tt.existingConds, inCond) assert.Equal(t, tt.expValue, actualValue) }) } diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 1d06005b734..caec84da569 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go @@ -52,15 +52,15 @@ var semanticIgnoreLastTransitionTime = conversion.EqualitiesOrDie( }, ) -// CompareNetworkPolicyStatus compares two NetworkPolicyStatus objects, ignoring -// LastTransitionTime equality in the status Conditions. -func CompareNetworkPolicyStatus(oldStatus, newStatus v1alpha1.NetworkPolicyStatus) bool { +// NetworkPolicyStatusEqual compares two NetworkPolicyStatus objects. It disregards +// the LastTransitionTime field in the status Conditions. +func NetworkPolicyStatusEqual(oldStatus, newStatus v1alpha1.NetworkPolicyStatus) bool { return semanticIgnoreLastTransitionTime.DeepEqual(oldStatus, newStatus) } -// compareGroupMembersComputedConditionEqual checks whether the condition status for GroupMembersComputed condition +// groupMembersComputedConditionEqual checks whether the condition status for GroupMembersComputed condition // is same. Returns true if equal, otherwise returns false. It disregards the lastTransitionTime field. -func compareGroupMembersComputedConditionEqual(conds []crdv1alpha3.GroupCondition, condition crdv1alpha3.GroupCondition) bool { +func groupMembersComputedConditionEqual(conds []crdv1alpha3.GroupCondition, condition crdv1alpha3.GroupCondition) bool { for _, c := range conds { if c.Type == crdv1alpha3.GroupMembersComputed { if c.Status == condition.Status { diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go index e022ec79f46..6f328ca92f4 100644 --- a/pkg/controller/networkpolicy/group.go +++ b/pkg/controller/networkpolicy/group.go @@ -266,7 +266,7 @@ func (n *NetworkPolicyController) updateGroupStatus(g *crdv1alpha3.Group, cStatu Status: cStatus, Type: crdv1alpha3.GroupMembersComputed, } - if compareGroupMembersComputedConditionEqual(g.Status.Conditions, condStatus) { + if groupMembersComputedConditionEqual(g.Status.Conditions, condStatus) { // There is no change in conditions. return nil } diff --git a/pkg/controller/networkpolicy/group_test.go b/pkg/controller/networkpolicy/group_test.go index 1a45e01a4e6..b77245e45fe 100644 --- a/pkg/controller/networkpolicy/group_test.go +++ b/pkg/controller/networkpolicy/group_test.go @@ -499,7 +499,7 @@ func TestGroupMembersComputedConditionEqual(t *testing.T) { Type: crdv1alpha3.GroupMembersComputed, Status: tt.checkStatus, } - actualValue := compareGroupMembersComputedConditionEqual(tt.existingConds, inCond) + actualValue := groupMembersComputedConditionEqual(tt.existingConds, inCond) assert.Equal(t, tt.expValue, actualValue) }) } diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 53d73cb2a24..ae0f3aaded6 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go @@ -1492,7 +1492,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error { PerNamespaceSelectors: internalNP.PerNamespaceSelectors, SpanMeta: antreatypes.SpanMeta{NodeNames: nodeNames}, Generation: internalNP.Generation, - RealizableMessage: internalNP.RealizableMessage, + RealizationError: internalNP.RealizationError, } klog.V(4).Infof("Updating internal NetworkPolicy %s with %d Nodes", key, nodeNames.Len()) n.internalNetworkPolicyStore.Update(updatedNetworkPolicy) diff --git a/pkg/controller/networkpolicy/status_controller.go b/pkg/controller/networkpolicy/status_controller.go index 8faa7d85743..265489e6858 100644 --- a/pkg/controller/networkpolicy/status_controller.go +++ b/pkg/controller/networkpolicy/status_controller.go @@ -111,7 +111,7 @@ func NewStatusController(antreaClient antreaclientset.Interface, internalNetwork func (c *StatusController) updateCNP(old, cur interface{}) { curCNP := cur.(*crdv1alpha1.ClusterNetworkPolicy) oldCNP := old.(*crdv1alpha1.ClusterNetworkPolicy) - if CompareNetworkPolicyStatus(oldCNP.Status, curCNP.Status) { + if NetworkPolicyStatusEqual(oldCNP.Status, curCNP.Status) { return } key := internalNetworkPolicyKeyFunc(oldCNP) @@ -121,7 +121,7 @@ func (c *StatusController) updateCNP(old, cur interface{}) { func (c *StatusController) updateANP(old, cur interface{}) { curANP := cur.(*crdv1alpha1.NetworkPolicy) oldANP := old.(*crdv1alpha1.NetworkPolicy) - if CompareNetworkPolicyStatus(oldANP.Status, curANP.Status) { + if NetworkPolicyStatusEqual(oldANP.Status, curANP.Status) { return } key := internalNetworkPolicyKeyFunc(oldANP) @@ -274,7 +274,7 @@ func (c *StatusController) syncHandler(key string) error { status := &crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyPending, ObservedGeneration: internalNP.Generation, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), } if internalNP.SourceRef.Type == controlplane.AntreaNetworkPolicy { return c.npControlInterface.UpdateAntreaNetworkPolicyStatus(internalNP.SourceRef.Namespace, internalNP.SourceRef.Name, status) @@ -284,13 +284,12 @@ func (c *StatusController) syncHandler(key string) error { // It means the NetworkPolicy has been processed, and marked as unrealizable. It will enter unrealizable phase // instead of being further realized. Antrea-agents will not process further. - if internalNP.RealizableMessage != "" { + if internalNP.RealizationError != nil { status := &crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyPending, ObservedGeneration: internalNP.Generation, - Conditions: GenerateNetworkPolicyCondition(internalNP.RealizableMessage), + Conditions: GenerateNetworkPolicyCondition(internalNP.RealizationError), } - internalNP.SpanMeta.NodeNames = nil if internalNP.SourceRef.Type == controlplane.AntreaNetworkPolicy { return c.npControlInterface.UpdateAntreaNetworkPolicyStatus(internalNP.SourceRef.Namespace, internalNP.SourceRef.Name, status) } @@ -321,7 +320,7 @@ func (c *StatusController) syncHandler(key string) error { ObservedGeneration: internalNP.Generation, CurrentNodesRealized: int32(currentNodes), DesiredNodesRealized: int32(desiredNodes), - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), } klog.V(2).Infof("Updating NetworkPolicy %s status: %v", internalNP.SourceRef.ToString(), status) if internalNP.SourceRef.Type == controlplane.AntreaNetworkPolicy { @@ -349,7 +348,7 @@ func (c *networkPolicyControl) UpdateAntreaNetworkPolicyStatus(namespace, name s klog.Infof("Didn't find the original Antrea NetworkPolicy %s/%s, skip updating status", namespace, name) return nil } - if CompareNetworkPolicyStatus(anp.Status, *status) { + if NetworkPolicyStatusEqual(anp.Status, *status) { return nil } @@ -382,7 +381,7 @@ func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name strin return nil } // If the current status equals to the desired status, no need to update. - if CompareNetworkPolicyStatus(cnp.Status, *status) { + if NetworkPolicyStatusEqual(cnp.Status, *status) { return nil } @@ -408,25 +407,25 @@ func (c *networkPolicyControl) UpdateAntreaClusterNetworkPolicyStatus(name strin return updateErr } -// GenerateNetworkPolicyCondition generates conditions based on the given error message. -// Empty error message generates stale NetworkPolicyCondition of True status. +// GenerateNetworkPolicyCondition generates conditions based on the given error type. +// Error of nil type means the NetworkPolicyCondition status is True. // Supports ErrNetworkPolicyAppliedToUnsupportedGroup error. -func GenerateNetworkPolicyCondition(message string) []crdv1alpha1.NetworkPolicyCondition { +func GenerateNetworkPolicyCondition(err error) []crdv1alpha1.NetworkPolicyCondition { var conditions []crdv1alpha1.NetworkPolicyCondition - switch message { - case "": + switch err.(type) { + case nil: conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{ Type: crdv1alpha1.NetworkPolicyConditionRealizable, Status: v1.ConditionTrue, LastTransitionTime: v1.Now(), }) - case ErrNetworkPolicyAppliedToUnsupportedGroup.Error(): + case ErrNetworkPolicyAppliedToUnsupportedGroup: conditions = append(conditions, crdv1alpha1.NetworkPolicyCondition{ Type: crdv1alpha1.NetworkPolicyConditionRealizable, Status: v1.ConditionFalse, LastTransitionTime: v1.Now(), Reason: "NetworkPolicyAppliedToUnsupportedGroup", - Message: message, + Message: err.Error(), }) } return conditions diff --git a/pkg/controller/networkpolicy/status_controller_test.go b/pkg/controller/networkpolicy/status_controller_test.go index 401e22657f9..913fc6b9527 100644 --- a/pkg/controller/networkpolicy/status_controller_test.go +++ b/pkg/controller/networkpolicy/status_controller_test.go @@ -163,14 +163,14 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) { ObservedGeneration: 1, CurrentNodesRealized: 0, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, expectedCNPStatus: &crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealizing, ObservedGeneration: 1, CurrentNodesRealized: 0, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, }, { @@ -190,14 +190,14 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) { ObservedGeneration: 2, CurrentNodesRealized: 1, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, expectedCNPStatus: &crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealizing, ObservedGeneration: 3, CurrentNodesRealized: 1, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, }, { @@ -217,14 +217,14 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) { ObservedGeneration: 3, CurrentNodesRealized: 2, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, expectedCNPStatus: &crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealized, ObservedGeneration: 4, CurrentNodesRealized: 2, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, }, } @@ -249,8 +249,8 @@ func TestCreateAntreaNetworkPolicy(t *testing.T) { // TODO: Use a determinate mechanism. time.Sleep(500 * time.Millisecond) - assert.True(t, CompareNetworkPolicyStatus(*tt.expectedANPStatus, *networkPolicyControl.getAntreaNetworkPolicyStatus())) - assert.True(t, CompareNetworkPolicyStatus(*tt.expectedCNPStatus, *networkPolicyControl.getAntreaClusterNetworkPolicyStatus())) + assert.True(t, NetworkPolicyStatusEqual(*tt.expectedANPStatus, *networkPolicyControl.getAntreaNetworkPolicyStatus())) + assert.True(t, NetworkPolicyStatusEqual(*tt.expectedCNPStatus, *networkPolicyControl.getAntreaClusterNetworkPolicyStatus())) }) } } @@ -273,19 +273,19 @@ func TestUpdateAntreaNetworkPolicy(t *testing.T) { statusController.UpdateStatus(newNetworkPolicyStatus("cnp1", "node5", 2)) // TODO: Use a determinate mechanism. time.Sleep(500 * time.Millisecond) - assert.True(t, CompareNetworkPolicyStatus(crdv1alpha1.NetworkPolicyStatus{ + assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealized, ObservedGeneration: 1, CurrentNodesRealized: 2, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, *networkPolicyControl.getAntreaNetworkPolicyStatus())) - assert.True(t, CompareNetworkPolicyStatus(crdv1alpha1.NetworkPolicyStatus{ + assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealized, ObservedGeneration: 2, CurrentNodesRealized: 3, DesiredNodesRealized: 3, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, *networkPolicyControl.getAntreaClusterNetworkPolicyStatus())) anp1Updated := newInternalNetworkPolicy("anp1", 2, []string{"node1", "node2", "node3"}, newAntreaNetworkPolicyReference("ns1", "anp1")) @@ -294,19 +294,19 @@ func TestUpdateAntreaNetworkPolicy(t *testing.T) { networkPolicyStore.Update(cnp1Updated) // TODO: Use a determinate mechanism. time.Sleep(500 * time.Millisecond) - assert.True(t, CompareNetworkPolicyStatus(crdv1alpha1.NetworkPolicyStatus{ + assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealizing, ObservedGeneration: 2, CurrentNodesRealized: 0, DesiredNodesRealized: 3, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, *networkPolicyControl.getAntreaNetworkPolicyStatus())) - assert.True(t, CompareNetworkPolicyStatus(crdv1alpha1.NetworkPolicyStatus{ + assert.True(t, NetworkPolicyStatusEqual(crdv1alpha1.NetworkPolicyStatus{ Phase: crdv1alpha1.NetworkPolicyRealizing, ObservedGeneration: 3, CurrentNodesRealized: 0, DesiredNodesRealized: 2, - Conditions: GenerateNetworkPolicyCondition(""), + Conditions: GenerateNetworkPolicyCondition(nil), }, *networkPolicyControl.getAntreaClusterNetworkPolicyStatus())) } diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go index 592c2ec66dd..be8c5ddc208 100644 --- a/pkg/controller/types/networkpolicy.go +++ b/pkg/controller/types/networkpolicy.go @@ -108,7 +108,7 @@ type NetworkPolicy struct { // to re-calculate affected Namespaces. // It is set only for AntreaClusterNetworkPolicies with per-namespace rules. PerNamespaceSelectors []labels.Selector - // RealizableMessage stores realizable information of the internal Network Policy. + // RealizationError stores realization error of the internal Network Policy. // It is set when processing the original Network Policy. - RealizableMessage string + RealizationError error } diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go index 31b233c675a..1c8876afd9f 100644 --- a/test/e2e/antreapolicy_test.go +++ b/test/e2e/antreapolicy_test.go @@ -4340,7 +4340,7 @@ func TestAntreaPolicyStatus(t *testing.T) { ObservedGeneration: 1, CurrentNodesRealized: 2, DesiredNodesRealized: 2, - Conditions: networkpolicy.GenerateNetworkPolicyCondition(""), + Conditions: networkpolicy.GenerateNetworkPolicyCondition(nil), } checkANPStatus(t, data, anp, expectedStatus) checkACNPStatus(t, data, acnp, expectedStatus) @@ -4379,7 +4379,7 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { ObservedGeneration: 1, CurrentNodesRealized: 2, DesiredNodesRealized: 2, - Conditions: networkpolicy.GenerateNetworkPolicyCondition(""), + Conditions: networkpolicy.GenerateNetworkPolicyCondition(nil), }) // Remove the second ingress rule. @@ -4391,7 +4391,7 @@ func TestAntreaPolicyStatusWithAppliedToPerRule(t *testing.T) { ObservedGeneration: 2, CurrentNodesRealized: 1, DesiredNodesRealized: 1, - Conditions: networkpolicy.GenerateNetworkPolicyCondition(""), + Conditions: networkpolicy.GenerateNetworkPolicyCondition(nil), }) } @@ -4402,7 +4402,7 @@ func checkANPStatus(t *testing.T, data *TestData, anp *crdv1alpha1.NetworkPolicy if err != nil { return false, err } - return networkpolicy.CompareNetworkPolicyStatus(anp.Status, expectedStatus), nil + return networkpolicy.NetworkPolicyStatusEqual(anp.Status, expectedStatus), nil }) assert.NoError(t, err, "Antrea NetworkPolicy failed to reach expected status") return anp @@ -4415,7 +4415,7 @@ func checkACNPStatus(t *testing.T, data *TestData, acnp *crdv1alpha1.ClusterNetw if err != nil { return false, err } - return networkpolicy.CompareNetworkPolicyStatus(acnp.Status, expectedStatus), nil + return networkpolicy.NetworkPolicyStatusEqual(acnp.Status, expectedStatus), nil }) assert.NoError(t, err, "Antrea ClusterNetworkPolicy failed to reach expected status") return acnp