← Back to blog
NetworkPolicyNetworkingSecurityCKAD
NetworkPolicy: The Silent Traffic Drop
Pods are Running, Service has Endpoints, but nothing connects — a default-deny NetworkPolicy may block traffic with no obvious pod error.
1 min read
Everything looks healthy:
- Pods Running and Ready
- Service Endpoints populated
- No CrashLoop, no Pending
Yet traffic between namespaces fails — or ingress from a frontend pod to an API pod times out.
NetworkPolicy changes the rules
Without policies, most clusters allow pod-to-pod traffic by default (CNI-dependent). With a default-deny policy:
spec:
podSelector: {}
policyTypes: [Ingress, Egress]All pods in that namespace need explicit allow rules — or they accept no ingress.
Symptoms are maddeningly quiet: no pod Events, just connection timeouts.
First steps
- Confirm the path — which source pod/IP → which destination port?
- List policies in both namespaces:
kubectl get networkpolicy -n shop
kubectl get networkpolicy -n api- Describe policies affecting labels on source and destination pods
- Test from a debug pod with matching labels:
kubectl run netshoot --rm -it --image=nicolaka/netshoot -- curl -v telnet://api.shop.svc:8080Common exam traps
- Fixing the Deployment when policy blocks port 8080 but allow rule only lists 80
- Forgetting egress rules when destination requires client-side allow
- Ignoring namespace boundaries — policy is namespace-scoped
Fix pattern
Add or patch a NetworkPolicy allowing:
frompodSelector or namespaceSelector matching the clientportsmatching the Service targetPort
Verify with netshoot before declaring success.
Service Connectivity + CKAD Exam Prep include NetworkPolicy scenario cases with graded trap answers.