From 96a7b2a102cfb4f14ad2542615c4ff9e78789db8 Mon Sep 17 00:00:00 2001
From: Amim Knabben
Date: Mon, 25 Jan 2021 20:17:20 -0500
Subject: [PATCH] Deny ingress on other namespaces

---
 test/e2e/network/netpol/network_policy.go | 13 +++++++++++++
 test/e2e/network/netpol/policies.go | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go
index 85d686b294e..bd22a532ab5 100644
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@@ -525,6 +525,19 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
 		ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachabilityWithLabel})
 	})
 
+	ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() {
+		nsX, nsY, nsZ, model, k8s := getK8SModel(f)
+
+		policy := GetDenyIngressEmptyPeerSelector("deny-empty-policy")
+		CreatePolicy(k8s, policy, nsX)
+
+		reachability := NewReachability(model.AllPods(), true)
+		reachability.ExpectPeer(&Peer{Namespace: nsY}, &Peer{Namespace: nsX}, false)
+		reachability.ExpectPeer(&Peer{Namespace: nsZ}, &Peer{Namespace: nsX}, false)
+
+		ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
+	})
+
 	ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() {
 		nsX, _, _, model, k8s := getK8SModel(f)
 		podXA, err := model.FindPod(nsX, "a")
diff --git a/test/e2e/network/netpol/policies.go b/test/e2e/network/netpol/policies.go
index 89eeeec7480..bc83cd746b0 100644
--- a/test/e2e/network/netpol/policies.go
+++ b/test/e2e/network/netpol/policies.go
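Review bot: The new It block asserts only the cross-namespace denials (nsY→nsX and nsZ→nsX) and leaves the nsX→nsX expectation at the NewReachability default of true, yet that same-namespace reachability is exactly what distinguishes this policy from the plain deny-all ingress case tested elsewhere, and nothing in the test says so. A comment above the two ExpectPeer lines such as `// The empty pod-selector peer matches every pod in nsX, so same-namespace ingress stays reachable; only peers in other namespaces are denied.` would make the intended semantics explicit and guard against someone later "fixing" the default to false. The enclosing SIGDescribeCopy closure starts and ends outside the hunk.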
@@ -40,6 +40,27 @@ func GetDenyIngress(name string) *networkingv1.NetworkPolicy {
 	}
 }
 
+// GetDenyIngressEmptyPeerSelector returns a default ingress deny policy using empty Peer selector.
+func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy {
+	return &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: networkingv1.NetworkPolicySpec{
+			PodSelector: metav1.LabelSelector{},
+			Ingress: []networkingv1.NetworkPolicyIngressRule{
+				{
+					From: []networkingv1.NetworkPolicyPeer{
+						{
+							PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 // GetDenyEgress returns a default deny egress policy.
 func GetDenyEgress(name string) *networkingv1.NetworkPolicy {
 	return &networkingv1.NetworkPolicy{
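Review bot: The doc comment on GetDenyIngressEmptyPeerSelector calls the result a "default ingress deny policy", but an ingress peer with an empty PodSelector and no NamespaceSelector matches every pod in the policy's own namespace, so the policy allows all same-namespace ingress and denies only ingress from other namespaces (and from non-pod sources); the name and comment read as a deny-all and will mislead the next person reusing this helper. Suggest `// GetDenyIngressEmptyPeerSelector returns an ingress policy whose single rule has an empty pod-selector peer: ingress from any pod in the policy's namespace is allowed, ingress from other namespaces is denied.` The `MatchLabels: map[string]string{}` form is equivalent to `&metav1.LabelSelector{}`, and the shorter form reads more clearly as "empty selector". Consider also setting `PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}` explicitly; the value inferred from a non-empty Ingress list is the same, but stating it documents that egress is deliberately untouched.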