metadata-restriction-policy takes priority over user-defined networking policies.
Raised in INC4116414.
Reproduced in a 1.30.2 cluster (commands below). The root cause appears to be the Calico globalnetworkpolicies.crd.projectcalico.org policy added as part of the last release (metadata-restriction-policy). This appears to take priority over the Kubernetes native networkpolicies, making them ineffectual.
$ cat <<EOF | k apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: swan
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: swan
  labels:
    app: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
          name: http
      command: ["/bin/sh", "-c"]
      args:
        - |
          sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  namespace: swan
  labels:
    app: ubuntu
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["/bin/sh", "-c", "sleep infinity"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: swan
spec:
  podSelector: {}
  policyTypes:
    - Egress
EOF
$ kubectl expose --port=80 -n swan --name nginx pod nginx
$ kubectl exec --stdin --tty -n swan ubuntu -- /bin/bash
# apt-get update && apt-get install wget -y
# wget nginx.swan.svc.cluster.local:80/
--2024-09-25 14:12:32--  http://nginx.swan.svc.cluster.local/
Resolving nginx.swan.svc.cluster.local (nginx.swan.svc.cluster.local)... 10.254.51.174
Connecting to nginx.swan.svc.cluster.local (nginx.swan.svc.cluster.local)|10.254.51.174|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 615 [text/html]
Saving to: 'index.html'
index.html 100%[======================================================================================================================================================================================================>] 615 --.-KB/s in 0s
2024-09-25 14:12:32 (62.3 MB/s) - 'index.html' saved [615/615]
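The following is an added illustration of why a Calico GlobalNetworkPolicy can override the namespaced NetworkPolicy above, together with a corrected form; it is not the policy shipped in the release, whose contents this ticket does not show. Assumptions: the global policy denies the cloud metadata address 169.254.169.254 and then allows all other egress, and the corrected form relies on policy tiers (Calico Enterprise, or Calico open source 3.29 and later).

```yaml
# Added illustration; the shipped metadata-restriction-policy is not shown in
# this ticket. Assumed shape: deny 169.254.169.254, then allow all other egress.
# Calico evaluates the policies selecting an endpoint in ascending `order`, and
# Kubernetes NetworkPolicies become Calico policies at order 1000 in the
# default tier. A matching Allow ends evaluation, so the trailing Allow here
# accepts the ubuntu pod's egress before default-deny-egress is consulted.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: metadata-restriction-policy
spec:
  order: 10
  selector: all()
  types: [Egress]
  egress:
    - action: Deny
      protocol: TCP
      destination:
        nets: [169.254.169.254/32]
    - action: Allow      # terminal: namespaced NetworkPolicies never run
---
# Corrected form (assumes policy tiers are available). The policy moves into a
# tier evaluated before the default tier, and Allow becomes Pass, which hands
# the packet to the next tier, where the Kubernetes policies live. A pod
# selected by default-deny-egress then reaches a policy with no egress rules
# and hits Calico's end-of-tier drop; pods with no NetworkPolicy fall through
# to their namespace profile and keep allow-by-default egress.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform-security
spec:
  order: 100           # ordered before the default tier
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform-security.metadata-restriction-policy   # tier prefix required
spec:
  tier: platform-security
  order: 10
  selector: all()
  types: [Egress]
  egress:
    - action: Deny
      protocol: TCP
      destination:
        nets: [169.254.169.254/32]
    - action: Pass       # continue to the default tier instead of accepting
```

Without tiers, Pass skips the remaining policies in the single default tier and goes straight to profiles, so the Deny-plus-Pass form only restores the namespaced default-deny when it sits in a tier ordered before default.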