From 4297f27c407d9aff365c41d3563f8e6dad2d6293 Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Fri, 24 Apr 2026 09:56:56 +0200
Subject: [PATCH 1/3] OCPBUGS-59566: Add OLM netpol for marketplace namespace
---
 .../0000_50_olm_01-marketplace-networkpolicy.yaml | 11 +++++++++++
 .../operator-lifecycle-manager/kustomization.yaml | 1 +
 scripts/auto-rebase/assets.yaml | 2 ++
 3 files changed, 14 insertions(+)
 create mode 100644 assets/optional/operator-lifecycle-manager/0000_50_olm_01-marketplace-networkpolicy.yaml
diff --git a/assets/optional/operator-lifecycle-manager/0000_50_olm_01-marketplace-networkpolicy.yaml b/assets/optional/operator-lifecycle-manager/0000_50_olm_01-marketplace-networkpolicy.yaml
new file mode 100644
index 0000000000..5f6299d63a
--- /dev/null
+++ b/assets/optional/operator-lifecycle-manager/0000_50_olm_01-marketplace-networkpolicy.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: openshift-marketplace
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/assets/optional/operator-lifecycle-manager/kustomization.yaml b/assets/optional/operator-lifecycle-manager/kustomization.yaml
index 6738615fc6..2f049b8da6 100644
--- a/assets/optional/operator-lifecycle-manager/kustomization.yaml
+++ b/assets/optional/operator-lifecycle-manager/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - 0000_50_olm_00-packageserver.pdb.yaml
 - 0000_50_olm_00-subscriptions.crd.yaml
 - 0000_50_olm_01-networkpolicies.yaml
+ - 0000_50_olm_01-marketplace-networkpolicy.yaml
 - 0000_50_olm_02-olm-operator.serviceaccount.yaml
 - 0000_50_olm_03-olmconfig.yaml
 - 0000_50_olm_03-services.yaml
diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml
index 99b9e56772..1a97c3568d 100644
--- a/scripts/auto-rebase/assets.yaml
+++ b/scripts/auto-rebase/assets.yaml
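Review bot: No allow policy accompanies the new `default-deny-all` manifest in this patch, although it selects every pod in `openshift-marketplace` (`podSelector: {}`) and lists both `Ingress` and `Egress` with no rules. If any workload is expected to run there (catalog source pods are commonly placed in this namespace), it would lose DNS, API-server and inbound traffic, so confirm that the namespace is meant to stay empty on MicroShift or that the needed allow policies ship in a file not shown here. NetworkPolicy is additive, so the deny holds only while the CNI enforces policies and no broader policy is later created in the same namespace. The manifest also carries no statement of intent; I would add a header comment such as `# Deny all ingress and egress in openshift-marketplace; workloads that need traffic must ship their own allow policy.`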
@@ -251,6 +251,8 @@ assets: - file: 0000_50_olm_00-packageserver.pdb.yaml - file: 0000_50_olm_00-subscriptions.crd.yaml - file: 0000_50_olm_01-networkpolicies.yaml + - file: 0000_50_olm_01-marketplace-networkpolicy.yaml + ignore: "MicroShift-specific NetworkPolicy for openshift-marketplace namespace" - file: 0000_50_olm_02-olm-operator.serviceaccount.yaml - file: 0000_50_olm_03-olmconfig.yaml - file: 0000_50_olm_03-services.yaml From 803bc81ef6e0e49af3ea174f96ce9b11ec8e0591 Mon Sep 17 00:00:00 2001 From: Pablo Acevedo Montserrat Date: Fri, 24 Apr 2026 09:57:23 +0200 Subject: [PATCH 2/3] OCPBUGS-59566: Add test for OLM netpol in marketplace ns --- test/suites/optional/olm.robot | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/suites/optional/olm.robot b/test/suites/optional/olm.robot index 034a230342..46f52b7d45 100644 --- a/test/suites/optional/olm.robot +++ b/test/suites/optional/olm.robot @@ -128,6 +128,12 @@ OLM Network Policies Are Correctly Configured Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE} ingress metrics Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE} egress 53 + # default-deny-all: no ingress/egress rules, applies to all pods in marketplace namespace + Verify NetworkPolicy Has Empty Pod Selector default-deny-all ${MARKETPLACE_NAMESPACE} + Verify NetworkPolicy Policy Types default-deny-all ${MARKETPLACE_NAMESPACE} + Verify NetworkPolicy Spec Field default-deny-all ${MARKETPLACE_NAMESPACE} ingress ${EMPTY} + Verify NetworkPolicy Spec Field default-deny-all ${MARKETPLACE_NAMESPACE} egress ${EMPTY} + # default-allow-all: both Ingress and Egress defined with no port restrictions in openshift-operators Verify NetworkPolicy Has Empty Pod Selector default-allow-all ${OPERATORS_NAMESPACE} Verify NetworkPolicy Policy Types default-allow-all ${OPERATORS_NAMESPACE} From 8889921b9ce6735adcb51da772ab3d602a383547 Mon Sep 17 00:00:00 2001 
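Review bot: The added `default-deny-all` checks in `olm.robot` assert only the stored object, and the call `Verify NetworkPolicy Policy Types default-deny-all ${MARKETPLACE_NAMESPACE}` passes no expected types, so this hunk does not show that the test would fail if `Egress` were dropped from `policyTypes`, which would leave egress unrestricted. If that keyword does not already require both types, add an explicit assertion that `policyTypes` contains `Ingress` and `Egress`. A behavioural check, for example that a pod started in `${MARKETPLACE_NAMESPACE}` cannot resolve DNS, would also catch a CNI that does not enforce the policy. The test case body starts before this hunk and continues after it.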
From: Pablo Acevedo Montserrat
Date: Fri, 24 Apr 2026 14:09:51 +0200
Subject: [PATCH 3/3] OCPBUGS-59566: Adjust new asset policy for rebase
---
 scripts/auto-rebase/assets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml
index 1a97c3568d..bc5a6ffb87 100644
--- a/scripts/auto-rebase/assets.yaml
+++ b/scripts/auto-rebase/assets.yaml
@@ -252,7 +252,7 @@ assets:
 - file: 0000_50_olm_00-subscriptions.crd.yaml
 - file: 0000_50_olm_01-networkpolicies.yaml
 - file: 0000_50_olm_01-marketplace-networkpolicy.yaml
- ignore: "MicroShift-specific NetworkPolicy for openshift-marketplace namespace"
+ git_restore: True
 - file: 0000_50_olm_02-olm-operator.serviceaccount.yaml
 - file: 0000_50_olm_03-olmconfig.yaml
 - file: 0000_50_olm_03-services.yaml
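Review bot: Replacing the `ignore` string with `git_restore: True` drops the only recorded reason why `0000_50_olm_01-marketplace-networkpolicy.yaml` has no upstream source. I would keep that rationale as a comment above the key, e.g. `# MicroShift-specific NetworkPolicy for openshift-marketplace namespace`, so a later rebase does not remove or overwrite the deny policy without anyone noticing. As a style point, `true` is the canonical boolean spelling, unless the rest of `assets.yaml` (the list continues outside this hunk) consistently uses `True`.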