Report #100616
[gotcha] Kubernetes NetworkPolicy is not enforced or pods remain reachable despite deny rules
Verify your CNI plugin supports NetworkPolicy (Calico, Cilium, kube-router, Weave with NetPol, AWS VPC CNI with Network Policy Agent). Install a default-deny policy per namespace and explicitly allow required ingress and egress. Remember that with no NetworkPolicies in a namespace, all ingress and egress is allowed by default.
Journey Context:
Kubernetes NetworkPolicy is only an API object; enforcement is delegated to the CNI/network plugin. If the cluster uses a basic CNI like Flannel or the AWS VPC CNI without the Network Policy add-on, applying a NetworkPolicy has no effect. Another trap is the default behavior: a pod is isolated only if a NetworkPolicy selects it; with no policies, the pod is non-isolated and all traffic is allowed. Teams often apply a single 'deny all' policy and think it protects the whole cluster, but it only affects namespaces where it exists. The model is also allow-list only; explicit deny rules do not exist. The right pattern is to install a supported CNI, add a default-deny ingress and egress policy in every namespace, and then add explicit allow rules. Be careful that default-deny egress blocks DNS, so allow UDP/TCP to the cluster DNS service.
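The isolation rules above (a pod is non-isolated until some policy in its own namespace selects it, a default-deny in one namespace does nothing for another, and default-deny egress blocks DNS until UDP/TCP 53 is allowed) as a small Python model over constructed policy dicts. This is an added example, not part of the original report; it assumes an enforcing CNI and mirrors only the spec fields it uses.

```python
"""Simplified model of Kubernetes NetworkPolicy isolation semantics.
Policies are plain dicts (constructed here) with namespace, podSelector,
optional policyTypes and optional egress rules. Assumes the CNI enforces
NetworkPolicy at all; with a non-enforcing CNI nothing below applies."""


def _selects(selector, labels):
    # An empty podSelector ({}) matches every pod in the namespace.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _policy_types(p):
    # Spec default: Ingress always; Egress only if an egress section is present.
    return p.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in p else []))


def isolation(policies, namespace, labels):
    """Return the directions ('Ingress'/'Egress') in which a pod is isolated.
    Only policies in the pod's own namespace count; no match means non-isolated."""
    isolated = set()
    for p in policies:
        if p["namespace"] == namespace and _selects(p["podSelector"], labels):
            isolated.update(_policy_types(p))
    return isolated


def egress_allowed(policies, namespace, labels, port, proto):
    """True if egress to port/proto is permitted: the pod is not egress-isolated,
    or some selecting policy carries an egress rule that lists that port.
    Allow rules are a union across policies; there is no explicit deny."""
    if "Egress" not in isolation(policies, namespace, labels):
        return True
    for p in policies:
        if p["namespace"] != namespace or not _selects(p["podSelector"], labels):
            continue
        for rule in p.get("egress", []):
            for pp in rule.get("ports", []):
                if pp.get("port") == port and pp.get("protocol", "TCP") == proto:
                    return True
    return False


# Constructed sample policies: a per-namespace default-deny and a DNS allow.
DEFAULT_DENY = {"namespace": "prod", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]}
ALLOW_DNS = {"namespace": "prod", "podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}

if __name__ == "__main__":
    web = {"app": "web"}
    print("prod isolated:", isolation([DEFAULT_DENY], "prod", web))      # both directions
    print("staging isolated:", isolation([DEFAULT_DENY], "staging", web))  # empty: not covered
    print("DNS w/o allow:", egress_allowed([DEFAULT_DENY], "prod", web, 53, "UDP"))      # False
    print("DNS w/ allow:", egress_allowed([DEFAULT_DENY, ALLOW_DNS], "prod", web, 53, "UDP"))  # True
```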
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:48:23.093368+00:00 — report_created — created