Network policy for Egress with matchExpressions not working

chan · September 10, 2024, 7:22am

I am trying to prevent shared namespace accessing to the ingress namespace and using the below networking policy which is not working as expected. The pods in the shared namespace still can connect to the ingress service. Am I using it wrongly?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: disallow-ingress-egress-policy
  namespace: shared
spec:
  podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: namespace
          operator: NotIn
          values: ["ingress"]
  policyTypes:
  - Egress

Cluster information:

Kubernetes version: 1.29
Cloud being used: eks
CNI and version: vpc-cni

tengqm · September 10, 2024, 8:09am

Are you sure your namespace ‘ingress’ has a label named ‘namespace’?

chan · September 10, 2024, 8:16am

Yes, it has.

$ kubectl get ns -l namespace=ingress
NAME              STATUS   AGE
ingress  Active   501d

Topic		Replies	Views
Struggling with Network Policy General Discussions network	2	1748	March 15, 2024
Network policies based on namespaces General Discussions security	1	39	November 26, 2025
Kubernetes network policy not getting applied General Discussions	1	713	September 28, 2018
Kubernetes NetworkPolicy General Discussions network	2	392	July 10, 2025
How can I isolate pods in namespace using NetworkPolicy without disabling external traffic to Kubernetes pods General Discussions network	6	4142	December 8, 2023

Network policy for Egress with matchExpressions not working

Cluster information:

Related topics