
I am trying to implement some Calico-based Kubernetes NetworkPolicies. I have already set up Calico in my cluster and all the Calico pods are running fine.
In my cluster, there are two pods:
1. An Nginx pod
2. An Apache pod

My requirement is that I need to add a NetworkPolicy for controlling the network traffic of the Nginx pod. I want the egress traffic from the Nginx pod to the Apache pod to be blocked. However, I want to be able to ping 8.8.8.8 from the Nginx pod.

So in short, I want to block only the traffic to the Apache pod from the Nginx pod.
My YAML file is as follows:

calico-deny-range-policy-yaml

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-egress-external
  namespace: nginx
spec:
  selector: app == 'nginx'
  types:
    - Egress
  egress:
    - action: Deny
      protocol: TCP
      source:
        nets:
          - 192.168.163.0/25
      destination:
        nets:
          - 192.168.163.204/32
        notNets:
          - 8.8.8.8/32

But the problem is that the Nginx pod is getting a 'Deny All' effect. I am unable to ping any IPs from the Nginx pod. All traffic is getting blocked.

How can I customize the egress and ingress traffic according to my need? Any working examples for the above requirement are appreciated.

arjunbnair
  • If the answer was useful, please mark the answer as accepted for greater visibility for the community or upvote if the answer has some useful information. – Hemanth Kumar Aug 01 '22 at 06:02

1 Answer

You need to specify the destination pod by its label in a selector under destination, as below:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-egress-external
  namespace: nginx
spec:
  selector: app == 'nginx'
  types:
    - Egress
  egress:
    # Rule 1: drop traffic to the Apache pod. Rules are evaluated in order and
    # the first match wins.
    - action: Deny
      protocol: TCP            # remove this line to also block ICMP/UDP to Apache
      source:
        nets:
          - 192.168.163.0/25
      destination:
        # the field is lower-case 'selector'; 'Selector' fails validation
        selector: app == 'apache'
        # without a namespaceSelector this only matches pods in the policy's own
        # namespace (nginx); add one if the Apache pod lives elsewhere
        nets:
          - 192.168.163.204/32
        notNets:
          - 8.8.8.8/32
    # Rule 2: explicitly allow everything else. Once an Egress policy selects a
    # pod, egress traffic that no rule matches is dropped, which is why a policy
    # containing only a Deny rule behaved like "deny all" and broke ping to 8.8.8.8.
    - action: Allow

Please refer to this doc for Calico network policy, which includes a few examples.
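The reason the original policy blocked everything is Calico's rule evaluation order: rules are matched top to bottom, the first match decides, and if an Egress policy selects the pod but no rule matches, the packet is dropped. The following simulator is an added example written for this page (it is not code from the question, the answer or the Calico project) that encodes those semantics for a single policy and runs both the original and a corrected policy against the same flows. The pod IPs, labels and the extra Apache pod in a second namespace are constructed sample data; the selector parser only understands the two forms used on this page, all() and key == 'value', and real Calico additionally consults other policies by order and the namespace profile.

```python
"""Toy evaluator for the egress rules of one Calico NetworkPolicy.

Added example for this Q&A page; constructed data, not the poster's cluster.
Models: top-level selector + namespace scoping, ordered rules with first match
wins, AND-ed EntityRule fields (nets, notNets, selector), and the implicit
deny that applies when an Egress policy selects a pod but no rule matches.
"""
import ipaddress

# Constructed endpoints. Only 192.168.163.204 and 8.8.8.8 appear in the
# question; the other addresses and the "web" namespace are assumptions.
NGINX = {"ip": "192.168.163.10", "ns": "nginx", "labels": {"app": "nginx"}}
APACHE = {"ip": "192.168.163.204", "ns": "nginx", "labels": {"app": "apache"}}
APACHE_OTHER_NS = {"ip": "192.168.163.77", "ns": "web", "labels": {"app": "apache"}}
GOOGLE_DNS = {"ip": "8.8.8.8", "ns": None, "labels": {}}

# The question's policy: one Deny rule and nothing else.
BROKEN_POLICY = {
    "namespace": "nginx",
    "selector": "app == 'nginx'",
    "types": ["Egress"],
    "egress": [
        {"action": "Deny", "protocol": "TCP",
         "source": {"nets": ["192.168.163.0/25"]},
         "destination": {"nets": ["192.168.163.204/32"], "notNets": ["8.8.8.8/32"]}},
    ],
}

# Corrected policy: deny the Apache pod on every protocol, then allow the rest.
FIXED_POLICY = {
    "namespace": "nginx",
    "selector": "app == 'nginx'",
    "types": ["Egress"],
    "egress": [
        {"action": "Deny", "destination": {"selector": "app == 'apache'"}},
        {"action": "Allow"},
    ],
}


def selector_matches(selector, labels):
    """Subset of Calico selector syntax: all() or key == 'value'."""
    selector = selector.strip()
    if selector == "all()":
        return True
    key, sep, value = selector.partition("==")
    if not sep:
        raise ValueError(f"unsupported selector: {selector!r}")
    return labels.get(key.strip()) == value.strip().strip("'\"")


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def entity_matches(entity, endpoint, policy_ns):
    """EntityRule semantics: every field that is present must match (AND)."""
    if not entity:
        return True
    if "nets" in entity and not in_nets(endpoint["ip"], entity["nets"]):
        return False
    if "notNets" in entity and in_nets(endpoint["ip"], entity["notNets"]):
        return False
    if "selector" in entity:
        # A bare selector in a namespaced policy only matches endpoints in the
        # policy's own namespace; an external IP has no labels and never matches.
        if endpoint["ns"] != policy_ns:
            return False
        if not selector_matches(entity["selector"], endpoint["labels"]):
            return False
    return True


def rule_matches(rule, src, dst, protocol, policy_ns):
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    return (entity_matches(rule.get("source"), src, policy_ns)
            and entity_matches(rule.get("destination"), dst, policy_ns))


def evaluate_egress(policy, src, dst, protocol):
    """Verdict for one src -> dst flow under a single policy.

    'NotApplicable' means the policy does not select src; Calico then falls
    through to other policies and finally the namespace profile, which allows.
    """
    applies = (src["ns"] == policy["namespace"]
               and "Egress" in policy["types"]
               and selector_matches(policy["selector"], src["labels"]))
    if not applies:
        return "NotApplicable"
    for rule in policy.get("egress", []):
        if rule_matches(rule, src, dst, protocol, policy["namespace"]):
            return rule["action"]  # first matching rule wins
    # An Egress policy selected the pod but no rule matched: the packet is
    # dropped. This implicit deny is what made the question's policy "deny all".
    return "Deny"


def verdicts(policy):
    """Evaluate the flows from the question (plus a cross-namespace Apache pod)."""
    flows = [("apache/TCP", APACHE, "TCP"),
             ("apache/ICMP", APACHE, "ICMP"),
             ("8.8.8.8/ICMP", GOOGLE_DNS, "ICMP"),
             ("apache-in-web-ns/TCP", APACHE_OTHER_NS, "TCP")]
    return {name: evaluate_egress(policy, NGINX, dst, proto) for name, dst, proto in flows}


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, verdicts(policy))
```

Two things the output makes visible that the YAML alone does not: under the broken policy the ping to 8.8.8.8 is denied even though no rule mentions ICMP, purely because nothing allowed it; and under the fixed policy an Apache pod in a different namespace is still reachable, because a destination selector without a namespaceSelector only matches the policy's own namespace.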