Network policy errors occur when Calico policies are not enforced or configured incorrectly. Fix by verifying policy syntax, enabling enforcement mode, and checking for conflicting rules.
Calico implements Kubernetes NetworkPolicy and native Calico policy for network access control. When policies are not enforced, traffic flows despite policy rules that should block it. This happens due to misconfigured policies, incorrect enforcement mode, or issues with the policy controller.
Ensure the policy controller deployment is healthy:

```shell
kubectl get deployment -n calico-system calico-kube-controllers
kubectl logs -n calico-system -l app=calico-kube-controllers
```

If it is not running, restart it.
Validate the policy YAML for errors:

```shell
kubectl apply -f network-policy.yaml --dry-run=client   # local syntax check, nothing is sent to the cluster
kubectl apply -f network-policy.yaml --dry-run=server   # schema validation by the API server, nothing is persisted
```

Look for indentation errors, invalid selectors, or missing required fields.
Ensure your selectors correctly identify the target pods:

```shell
kubectl get pods --show-labels
kubectl get networkpolicy -o yaml | grep -E -A 5 "podSelector|namespaceSelector"
```

The matching labels must be present on the target pods; a selector that matches no pods enforces nothing.
When enforcing policies, start with logging before blocking. The Kubernetes NetworkPolicy below denies all ingress to every pod in its namespace except traffic from namespaces labelled allow-traffic=true:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          allow-traffic: "true"
```

For more control, use native Calico policies:
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: "all()"
  order: 0
  types:
  - Ingress
```

Calico policies have more features, such as policy ordering.
Policies are evaluated by `order`, and the rules inside a policy top to bottom; the first matching rule decides, so a deny rule must come after the allow rules it would otherwise shadow:

```yaml
spec:
  order: 10  # Lower numbers are evaluated first
  ingress:
  - action: Allow
    source:
      namespaceSelector: team == 'backend'
  - action: Deny
    source:
      namespaceSelector: all()
```

Enable flow logs to see which policies are matching:
```shell
calicoctl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  flowLogsFileEnabled: true
  flowLogsFile: /var/log/calico/flows.log
EOF
```

Review the logs to see the policy evaluations.
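The two checks above, selector coverage and rule ordering, can be reasoned about offline. The script below is an added example written for this article; it is not code from the article or from the Calico project. It constructs a few sample pods and policies inline, models Kubernetes `matchLabels` for the podSelector check, and simulates Calico's evaluation order for native policies using the v3 rule shape (`source.namespaceSelector` as a selector expression). Only a subset of the Calico selector language is implemented (`all()`, `key == 'value'`, `key != 'value'`, joined with `&&`), actions are limited to Allow and Deny, and every policy is treated as an ingress policy. It also shows that the `all()` default-deny selects system pods such as kube-dns, which is why a production default-deny selector normally excludes kube-system and calico-system.

```python
"""Check which pods a podSelector selects and simulate Calico's ordered
Allow/Deny rule evaluation.

Added example for this article, not code from the article or the Calico
project.  Pods and policies are constructed inline so the script runs
offline.  Selector support is deliberately limited to all(), key == 'v',
key != 'v' and && conjunctions; rule actions are Allow and Deny only.
"""
import re
from typing import Dict, List

Labels = Dict[str, str]

_TERM = re.compile(r"^\s*([\w./-]+)\s*(==|!=)\s*'([^']*)'\s*$")


def selector_matches(expr: str, labels: Labels) -> bool:
    """Evaluate a (simplified) Calico selector expression against a label set."""
    expr = expr.strip()
    if expr in ("", "all()"):
        return True
    for term in expr.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, value = m.groups()
        equal = labels.get(key) == value
        if (op == "==") != equal:          # '==' needs a match, '!=' needs a mismatch
            return False
    return True


def match_labels(wanted: Labels, labels: Labels) -> bool:
    """Kubernetes matchLabels semantics: every pair must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in wanted.items())


def pods_selected(pod_selector: dict, pods: List[dict]) -> List[str]:
    """Names of the pods a NetworkPolicy podSelector would apply to."""
    wanted = pod_selector.get("matchLabels", {})
    return [p["name"] for p in pods if match_labels(wanted, p["labels"])]


def _order_key(policy: dict):
    # Lowest order first; policies without an order go last, then by name.
    order = policy.get("order")
    return (order is None, 0 if order is None else order, policy["name"])


def evaluate_ingress(policies: List[dict], dst_labels: Labels, src_ns_labels: Labels) -> str:
    """Verdict for ingress to a pod labelled dst_labels from a namespace labelled src_ns_labels.

    Policies are applied in `order`; within a policy the first matching rule
    decides.  If at least one policy selects the pod but no rule matches, the
    traffic is denied; if no policy selects the pod, the default profile allows.
    """
    selected = False
    for pol in sorted(policies, key=_order_key):
        if not selector_matches(pol.get("selector", "all()"), dst_labels):
            continue
        selected = True
        for rule in pol.get("ingress", []):
            src = rule.get("source", {})          # a rule without a source matches any peer
            if selector_matches(src.get("namespaceSelector", "all()"), src_ns_labels):
                return rule["action"]
    return "Deny" if selected else "Allow"


# Constructed sample pods, as `kubectl get pods --show-labels` might list them.
PODS = [
    {"name": "api-1", "labels": {"app": "api", "tier": "backend"}},
    {"name": "api-2", "labels": {"app": "api", "tier": "backend"}},
    {"name": "web-1", "labels": {"app": "web", "tier": "frontend"}},
]

# Allow before deny: the ordering the article recommends.
ALLOW_THEN_DENY = {
    "name": "api-ingress", "order": 10, "selector": "app == 'api'",
    "ingress": [
        {"action": "Allow", "source": {"namespaceSelector": "team == 'backend'"}},
        {"action": "Deny", "source": {"namespaceSelector": "all()"}},
    ],
}
# The same two rules reversed: the broad deny shadows the allow.
DENY_THEN_ALLOW = {**ALLOW_THEN_DENY, "name": "api-ingress-wrong",
                   "ingress": list(reversed(ALLOW_THEN_DENY["ingress"]))}
# Cluster-wide default deny as in the article: selects every endpoint, system pods included.
DEFAULT_DENY = {"name": "default-deny", "order": 0, "selector": "all()", "ingress": []}

if __name__ == "__main__":
    print("selected by app=api:", pods_selected({"matchLabels": {"app": "api"}}, PODS))
    print("selected by app=apu (typo):", pods_selected({"matchLabels": {"app": "apu"}}, PODS))
    for pol in (ALLOW_THEN_DENY, DENY_THEN_ALLOW):
        print(pol["name"], "backend -> api:", evaluate_ingress([pol], {"app": "api"}, {"team": "backend"}))
    print("default-deny alone, anything -> kube-dns:",
          evaluate_ingress([DEFAULT_DENY], {"k8s-app": "kube-dns"}, {}))
```

Running it shows the typo'd selector matching zero pods, the reversed policy denying the backend traffic the allow rule was meant to admit, and the `all()` default-deny catching kube-dns; combining `DEFAULT_DENY` with `ALLOW_THEN_DENY` still allows backend traffic because a policy whose rules do not match hands evaluation to the next policy and the implicit deny only applies once every selecting policy has been tried.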
Force a policy reload by restarting the controller:

```shell
kubectl rollout restart deployment/calico-kube-controllers -n calico-system
kubectl rollout status deployment/calico-kube-controllers -n calico-system
```

For production, use Calico policy for precise control over deny/allow ordering and performance. Test policies in logging mode before enforcement. Document policy intent and keep rules as simple as possible. Use namespaceSelector and podSelector consistently. Monitor policy violations via logs to catch unintended blocks. With a service mesh, ensure policies work with the sidecar proxies, or disable proxying for the traffic that policy must enforce.