From d378fca35a5e815675b40866a26e08588bf552fe Mon Sep 17 00:00:00 2001
From: Amim Knabben
Date: Thu, 31 Dec 2020 08:10:36 -0500
Subject: [PATCH] Moving egress deny with DNS to policy function
---
 test/e2e/network/netpol/network_policy.go | 35 ++--------------------
 test/e2e/network/netpol/policies.go | 25 ++++++++++++++++
 2 files changed, 27 insertions(+), 33 deletions(-)
diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go
index 1d813a943ef..e17008888cb 100644
--- a/test/e2e/network/netpol/network_policy.go
+++ b/test/e2e/network/netpol/network_policy.go
@@ -18,7 +18,6 @@ package netpol
 import (
 "context"
- "encoding/json"
 "fmt"
 "time"
@@ -159,39 +158,9 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
 })
 ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
- np := &networkingv1.NetworkPolicy{}
- policy := `
- {
- "kind": "NetworkPolicy",
- "apiVersion": "networking.k8s.io/v1",
- "metadata": {
- "name": "deny-all-tcp-allow-dns"
- },
- "spec": {
- "podSelector": {
- "matchLabels": {}
- },
- "ingress": [],
- "egress": [{
- "ports": [
- {
- "protocol": "UDP",
- "port": 53
- }
- ]
- }],
- "policyTypes": [
- "Ingress",
- "Egress"
- ]
- }
- }
- `
- err := json.Unmarshal([]byte(policy), np)
- framework.ExpectNoError(err, "unmarshal network policy")
-
+ policy := GetDenyAllWithEgressDNS()
 nsX, _, _, model, k8s := getK8SModel(f)
- CreatePolicy(k8s, np, nsX)
+ CreatePolicy(k8s, policy, nsX)
 reachability := NewReachability(model.AllPods(), true)
 reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
diff --git a/test/e2e/network/netpol/policies.go b/test/e2e/network/netpol/policies.go
index 425f3e7a474..3813fd21f5b 100644
--- a/test/e2e/network/netpol/policies.go
+++ b/test/e2e/network/netpol/policies.go
@@ -142,6 +142,31 @@ func GetDenyAll(name string) *networkingv1.NetworkPolicy {
 return policy
 }
+// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port
+func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy {
+ protocolUDP := v1.ProtocolUDP
+ return &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "deny-all-tcp-allow-dns",
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
+ PodSelector: metav1.LabelSelector{},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{},
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: &protocolUDP,
+ Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
 // GetAllowIngressByPod allows ingress by pod labels
 func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
 policy := &networkingv1.NetworkPolicy{
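Review bot: The doc comment on the added `GetDenyAllWithEgressDNS` is a fragment and understates what the policy does: with both `PolicyTypeIngress` and `PolicyTypeEgress` listed and an empty `Ingress` slice, it denies all ingress as well as all non-DNS egress, and the single egress rule carries no `To` peers, so UDP/53 is permitted to any destination. Suggest `// GetDenyAllWithEgressDNS returns a policy that selects every pod in the namespace, denies all ingress, and denies all egress except UDP port 53 (DNS) to any destination.` The sibling constructors visible in context, `GetDenyAll(name string)` and `GetAllowIngressByPod(name string, ...)`, take the policy name as a parameter, whereas this one hard-codes `"deny-all-tcp-allow-dns"`; a `name string` parameter would keep the helpers consistent, and the fixed name is also misleading because the policy restricts every protocol, not only TCP.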