OpenShift Bugs
OCPBUGS-37230

[enterprise-4.16] Deny all ingress traffic AdminNetworkPolicy is not working

      Description of problem:

      Deny all ingress traffic via route is not working as expected.

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          100% fully reproducible

      Steps to Reproduce:

       Create the admin network policy below:

      [root@bastion temp]# cat zanpnetpol.yaml 
      apiVersion: policy.networking.k8s.io/v1alpha1
      kind: AdminNetworkPolicy
      metadata:
        name: sample-anand-anp-deny-pass-rules 
      spec:
        priority: 50 
        subject:
          namespaces:
            matchLabels:
                kubernetes.io/metadata.name: tenant2
        ingress: 
        - name: "deny-all-ingress-tenant-2" 
          action: "Deny"
          from:
          - pods:
              namespaceSelector:
                matchLabels:
                  policy-group.network.openshift.io/ingress: ""
              podSelector: {}
      
      [root@bastion temp]# oc apply -f zanpnetpol.yaml 
      adminnetworkpolicy.policy.networking.k8s.io/sample-anand-anp-deny-pass-rules created


      Actual results:

      [root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
      *   Trying 10.74.249.102:80...
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.76.1
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 403 Forbidden
      HTTP/1.1 403 Forbidden
      < date: Thu, 18 Jul 2024 08:34:46 GMT
      date: Thu, 18 Jul 2024 08:34:46 GMT
      < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      < last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      < etag: "133f-5c6f23d09f000"
      etag: "133f-5c6f23d09f000"
      < accept-ranges: bytes
      accept-ranges: bytes
      < content-length: 4927
      content-length: 4927
      < content-type: text/html; charset=UTF-8
      content-type: text/html; charset=UTF-8
      < set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      < 
      * Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
      [root@bastion ~]#
      
      
      [root@bastion ~]# oc -n tenant1 exec deploy/httpd -- curl -skviI httpd-tenant2.apps.ocp4.anand.com
      * Rebuilt URL to: httpd-tenant2.apps.ocp4.anand.com/
      *   Trying 10.74.249.102...
      * TCP_NODELAY set
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      < HTTP/1.1 403 Forbidden
      < date: Thu, 18 Jul 2024 08:20:14 GMT
      < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      < last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      < etag: "133f-5c6f23d09f000"
      < accept-ranges: bytes
      < content-length: 4927
      < content-type: text/html; charset=UTF-8
      < set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      < 
      * Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact    

      Expected results:

      The connection should be blocked while accessing the app through the route.

      Additional info: The same was working as expected while using NetworkPolicy. 

      1. Created a deny-by-default network policy:
      
      [root@bastion temp]# cat denybydefault.yaml 
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: deny-by-default
      spec:
        podSelector: {}
        ingress: []
      
      [root@bastion ~]#  curl -skviI httpd-tenant2.apps.ocp4.anand.com
      *   Trying 10.74.249.102:80...
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.76.1
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      * HTTP 1.0, assume close after body
      < HTTP/1.0 503 Service Unavailable
      HTTP/1.0 503 Service Unavailable
      < pragma: no-cache
      pragma: no-cache
      < cache-control: private, max-age=0, no-cache, no-store
      cache-control: private, max-age=0, no-cache, no-store
      < content-type: text/html
      content-type: text/html
      < 
      * Closing connection 0    
      
      2. After creating an allow-by-ingress policy, the URL can be accessed:
      
      [root@bastion temp]# cat netpol.yaml 
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: anand
        namespace: tenant2
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
        podSelector: {}
        policyTypes:
        - Ingress
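As an added check that is not part of the report, the Python below evaluates the report's AdminNetworkPolicy with Kubernetes label-selector semantics against constructed namespace labels, to confirm whether the `from` peer actually selects a router pod before looking elsewhere for why the Deny is not enforced. The openshift-ingress label set is an assumption (it is shown carrying both the key the ANP selects on and the key the NetworkPolicy selects on); compare it with the real output of `oc get ns openshift-ingress --show-labels`.

```python
# The AdminNetworkPolicy from the report, transcribed as a dict (no YAML parser needed).
ANP = {
    "priority": 50,
    "subject": {"namespaces": {"matchLabels": {"kubernetes.io/metadata.name": "tenant2"}}},
    "ingress": [{"name": "deny-all-ingress-tenant-2", "action": "Deny",
                 "from": [{"pods": {
                     "namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}},
                     "podSelector": {}}}]}],
}
# Constructed sample namespace labels (assumption: openshift-ingress carries both label keys
# the report's ANP and NetworkPolicy select on; verify with: oc get ns openshift-ingress --show-labels).
TENANT2_NS = {"kubernetes.io/metadata.name": "tenant2"}
TENANT1_NS = {"kubernetes.io/metadata.name": "tenant1"}
ROUTER_NS = {"kubernetes.io/metadata.name": "openshift-ingress",
             "network.openshift.io/policy-group": "ingress",
             "policy-group.network.openshift.io/ingress": ""}

def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: {} matches everything; matchLabels is an
    AND of equalities; matchExpressions supports In, NotIn, Exists and DoesNotExist."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True

def peer_matches(peer, ns_labels, pod_labels):
    """An ANP subject or 'from' peer is either a namespaces selector or a pods
    selector (namespaceSelector AND podSelector)."""
    if "namespaces" in peer:
        return selector_matches(peer["namespaces"], ns_labels)
    pods = peer["pods"]
    return (selector_matches(pods["namespaceSelector"], ns_labels)
            and selector_matches(pods.get("podSelector", {}), pod_labels))

def ingress_verdict(policy, dst_ns, dst_pod, src_ns, src_pod):
    """Action of the first ingress rule whose peers select the source pod, or None
    when the policy does not apply (subject mismatch or no peer matched)."""
    if not peer_matches(policy["subject"], dst_ns, dst_pod):
        return None
    for rule in policy["ingress"]:
        if any(peer_matches(p, src_ns, src_pod) for p in rule["from"]):
            return rule["action"]
    return None
```

With the assumed labels the router pod is selected and the verdict is Deny, so if the real namespace carries that label the 403 from the backend is not explained by a selector mismatch; if the label is absent, the rule never applies to router traffic.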
      
      
      

            sseethar Surya Seetharaman
            rhn-support-anr Anand R
            Arti Sood Arti Sood