How to check if a network policy has been applied to a pod?

GKE uses Calico to implement network policy. You need to enable network policy for the master and nodes before applying a network policy. You can verify whether Calico is enabled by looking for Calico pods in the kube-system namespace.

kubectl get pods --namespace=kube-system

To verify the network policies, you can use the following commands.

kubectl get networkpolicy
kubectl describe networkpolicy <networkpolicy-name>

When you run the following, you can check the label used for the pod selector:

k describe netpol <networkpolicy-name>
Name:         <networkpolicy-name>
Namespace:    default
Created on:   2020-06-08 15:19:12 -0500 CDT
Labels:       <none>
Annotations:
Spec:
  PodSelector:     app=nginx

The pod selector shows which labels this netpol applies to. Then you can list all the pods with this label by:

k get pods -l app=nginx
NAME                              READY   STATUS    RESTARTS   AGE
nginx-deployment-f7b9c7bb-5lt8j   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-cf69l   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-cxghn   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-ppw4t   1/1     Running   0          19h
nginx-deployment-f7b9c7bb-v76vr   1/1     Running   0          19h

Debug with netcat (nc):

$ kubectl exec <openvpnpod> -- nc -zv -w 5 <domain> <port>

P.S.: To deny all egress traffic, you do not need to declare the spec.egress key as an empty array, although doing so has the same effect:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: policy-openvpn
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: openvpn
  policyTypes:
  - Egress

ref: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/

  • egress ([]NetworkPolicyEgressRule) ... If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). ...
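Added example, not part of the original answers: the manual "read the PodSelector, then list pods with that label" check from above, done for every policy and pod at once, including matchExpressions selectors and the Ingress/Egress direction each policy isolates. The objects are constructed samples; the name nginx-ingress-only, the pod openvpn-0 and the staging namespace are assumptions.

```python
def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector against one pod's labels."""
    for key, want in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != want:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, vals = expr["key"], expr["operator"], expr.get("values") or []
        ok = {"In": labels.get(key) in vals, "NotIn": labels.get(key) not in vals,
              "Exists": key in labels, "DoesNotExist": key not in labels}[op]
        if not ok:
            return False
    return True  # an empty selector ({}) selects every pod in the namespace

def policy_types(policy):
    """policyTypes with the API default: Ingress always, Egress only if spec.egress has rules."""
    spec = policy["spec"]
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])

def coverage(policies, pods):
    """Return {'namespace/pod': {'Ingress': [policy names], 'Egress': [policy names]}}."""
    result = {}
    for pod in pods:
        meta = pod["metadata"]
        ns, hit = meta.get("namespace", "default"), {"Ingress": [], "Egress": []}
        for pol in policies:
            if pol["metadata"].get("namespace", "default") != ns:
                continue  # a NetworkPolicy only selects pods in its own namespace
            if selector_matches(pol["spec"].get("podSelector") or {}, meta.get("labels") or {}):
                for direction in policy_types(pol):
                    hit[direction].append(pol["metadata"]["name"])
        result[f"{ns}/{meta['name']}"] = hit
    return result

# Constructed sample objects, trimmed to the fields used; policy-openvpn mirrors the manifest above.
POLICIES = [
    {"metadata": {"name": "policy-openvpn", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "openvpn"}}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "nginx-ingress-only", "namespace": "default"},  # hypothetical policy
     "spec": {"podSelector": {"matchExpressions": [
         {"key": "app", "operator": "In", "values": ["nginx"]}]}, "ingress": [{}]}},
]
PODS = [
    {"metadata": {"name": "openvpn-0", "namespace": "default", "labels": {"app": "openvpn"}}},
    {"metadata": {"name": "nginx-deployment-f7b9c7bb-5lt8j", "namespace": "default",
                  "labels": {"app": "nginx"}}},
    {"metadata": {"name": "nginx-other-ns", "namespace": "staging", "labels": {"app": "nginx"}}},
]
if __name__ == "__main__":
    for pod, hit in coverage(POLICIES, PODS).items():
        print(pod, hit)
```

An empty list for a direction means no policy isolates the pod in that direction, so that traffic is not restricted. To run this against a cluster, load the items from `kubectl get networkpolicy,pods -o json` and split them by kind.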