From a06efa54e29ee0899c7e5441e708942d409e9764 Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Mon, 13 Nov 2023 23:51:28 +1100
Subject: [PATCH] connectivity: Add more tests for Ingress Controller

This commit is to add two more tests related to Ingress Controller:
- Deny policy on reserve:ingress identity
- Deny policy on backend service of ingress (e.g. echo-same-node)
Relates: #2015
Signed-off-by: Tam Mach
---
 .../manifests/deny-ingress-backend.yaml | 10 +++++++
 .../manifests/deny-ingress-entity.yaml | 9 +++++++
 connectivity/suite.go | 26 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 connectivity/manifests/deny-ingress-backend.yaml
 create mode 100644 connectivity/manifests/deny-ingress-entity.yaml
diff --git a/connectivity/manifests/deny-ingress-backend.yaml b/connectivity/manifests/deny-ingress-backend.yaml
new file mode 100644
index 0000000000..50dfe7ce73
--- /dev/null
+++ b/connectivity/manifests/deny-ingress-backend.yaml
@@ -0,0 +1,10 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "ingress-backend-deny"
+spec:
+ endpointSelector: {}
+ egressDeny:
+ - toEndpoints:
+ - matchLabels:
+ kind: echo
diff --git a/connectivity/manifests/deny-ingress-entity.yaml b/connectivity/manifests/deny-ingress-entity.yaml
new file mode 100644
index 0000000000..51b4c4cd2f
--- /dev/null
+++ b/connectivity/manifests/deny-ingress-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "ingress-entity-deny"
+spec:
+ endpointSelector: {}
+ egressDeny:
+ - toEntities:
+ - ingress
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 092dda7f55..37bbcacf2f 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
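Review bot: `endpointSelector: {}` in deny-ingress-backend.yaml selects every endpoint in the namespace the policy lands in, not only the client pod the test drives, and because the policy also carries an egressDeny section, Cilium's policy model (as far as I can tell) turns egress enforcement on for all of those endpoints; deny-ingress-entity.yaml has the same shape. Neither manifest says that this breadth is intentional, so a later reader could narrow the selector to the client and silently change what the test measures. A one-line header in each file would pin the intent, e.g. `# Selects all endpoints in the test namespace on purpose; an egressDeny section enables egress enforcement on each of them.`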
@@ -41,6 +41,12 @@ var (
 //go:embed manifests/deny-all-entities.yaml
 denyAllEntitiesPolicyYAML string
+ //go:embed manifests/deny-ingress-entity.yaml
+ denyIngressIdentityPolicyYAML string
+
+ //go:embed manifests/deny-ingress-backend.yaml
+ denyIngressBackendPolicyYAML string
+
 //go:embed manifests/allow-cluster-entity.yaml
 allowClusterEntityPolicyYAML string
@@ -1043,6 +1049,26 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 return check.ResultDefaultDenyEgressDrop, check.ResultNone
 })
+ ct.NewTest("pod-to-ingress-service-deny-ingress-identity").
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressIdentityPolicyYAML).
+ WithScenarios(
+ tests.PodToIngress(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
+ ct.NewTest("pod-to-ingress-service-deny-backend-service").
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressBackendPolicyYAML).
+ WithScenarios(
+ tests.PodToIngress(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
 ct.NewTest("pod-to-ingress-service-allow-ingress-identity").
 WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
 WithCiliumPolicy(denyAllIngressPolicyYAML).
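Review bot: The new embed variable `denyIngressIdentityPolicyYAML` is named for an identity while the file it embeds is `manifests/deny-ingress-entity.yaml` and the policy inside is called `ingress-entity-deny`, so the three names do not match when grepping from one to the other. Renaming the variable to `denyIngressEntityPolicyYAML` (and the test name that uses it), or the manifest to `deny-ingress-identity.yaml`, would keep them aligned; `denyIngressBackendPolicyYAML` and `deny-ingress-backend.yaml` already agree. The var block this hunk edits starts and ends outside the hunk.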
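Review bot: Both new tests expect `check.ResultDefaultDenyEgressDrop`, which holds as soon as the client's egress is default-denied, and the `endpointSelector: {}` plus egressDeny shape of both manifests appears to cause that on its own; neither expectation shows that the deny rule itself (toEntities ingress, or toEndpoints kind: echo) is what drops the traffic, so a manifest whose deny rule matched nothing would still pass. For the ingress-identity test, asserting the explicit-deny result instead (`check.ResultPolicyDenyEgressDrop`, if that is the result the check package reports for deny rules) would pin the rule to the outcome. For the backend test, the client's egress on a PodToIngress path is toward the ingress identity rather than the echo pods, so whether the `kind: echo` deny rule is evaluated on that path at all is worth confirming before relying on the test's name; if it is not, the test should say what it actually verifies. The enclosing Run function starts and ends outside the hunk.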