Network policy for Egress with matchExpressions not working

chan · September 10, 2024, 7:22am

I am trying to prevent shared namespace accessing to the ingress namespace and using the below networking policy which is not working as expected. The pods in the shared namespace still can connect to the ingress service. Am I using it wrongly?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: disallow-ingress-egress-policy
  namespace: shared
spec:
  podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: namespace
          operator: NotIn
          values: ["ingress"]
  policyTypes:
  - Egress

Cluster information:

Kubernetes version: 1.29
Cloud being used: eks
CNI and version: vpc-cni

tengqm · September 10, 2024, 8:09am

Are you sure your namespace ‘ingress’ has a label named ‘namespace’?

chan · September 10, 2024, 8:16am

Yes, it has.

$ kubectl get ns -l namespace=ingress
NAME              STATUS   AGE
ingress  Active   501d

Topic		Replies	Views
Struggling with Network Policy General Discussions network	2	1609	March 15, 2024
Kubernetes network policy not getting applied General Discussions	1	678	September 28, 2018
Ingress Network Policy General Discussions	2	1571	August 22, 2023
NodePort Not Working in Conjunction with Network Policies General Discussions	2	1426	November 13, 2020
Network Policy Ingress syntax question microk8s	1	876	April 20, 2022

Network policy for Egress with matchExpressions not working

Cluster information:

Related topics