Egress NetworkPolicy rules block outbound traffic from pods. Fix this by reviewing the policy selectors and adding egress rules for DNS and external services.
NetworkPolicies can isolate pods by blocking ingress and egress traffic. When egress is blocked, pods can't reach external services, databases, or APIs.
List and inspect the policies in the namespace:

    kubectl get networkpolicies -n <namespace>
    kubectl describe networkpolicy -n <namespace> <policy-name>

Allow DNS:

    egress:
    - to:
      - namespaceSelector: {}
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 53

Allow external services:

    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
      ports:
      - protocol: TCP
        port: 443

Test connectivity from a pod:

    kubectl run test --rm -it --image=alpine -- wget https://example.com

    kubectl run debug --rm -it --image=nicolaka/netshoot -- sh
    # Inside: curl, wget, dig, etc.

Always allow DNS in egress policies. Deny rules are easier than allow rules.
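The two checks above (DNS on port 53 is allowed, and a wide ipBlock excludes 169.254.169.254/32) can be automated. This is an added example, not code from the original page: it audits NetworkPolicy objects in the dict form produced by `kubectl get networkpolicies -n <namespace> -o json`, and the function names, finding labels and sample policies are constructed for illustration.

```python
import ipaddress

METADATA = ipaddress.ip_network("169.254.169.254/32")  # address the page excludes

def restricts_egress(policy):
    spec = policy.get("spec", {})
    # Without policyTypes, Egress applies only when egress rules are present.
    return "Egress" in spec.get("policyTypes", ["Egress"] if "egress" in spec else [])

def allows_port(rule, protocol, port):
    ports = rule.get("ports")
    if not ports:  # a rule without ports allows every port
        return True
    # protocol defaults to TCP; named (string) ports are not resolved here
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port
               for p in ports)

def reaches_metadata(rule):
    peers = rule.get("to")
    if not peers:  # a rule without "to" allows every destination
        return True
    for block in (p["ipBlock"] for p in peers if "ipBlock" in p):
        net = ipaddress.ip_network(block["cidr"], strict=False)
        if net.version == 4 and METADATA.subnet_of(net) and not any(
                METADATA.subnet_of(ipaddress.ip_network(e, strict=False))
                for e in block.get("except", [])):
            return True
    return False

def audit(policy):
    """Return findings for one NetworkPolicy object (dict form of the JSON)."""
    if not restricts_egress(policy):
        return []
    rules = policy["spec"].get("egress") or []
    # Port check only: it does not verify that the rule targets kube-dns.
    findings = [f"no-dns-{proto.lower()}-53" for proto in ("UDP", "TCP")
                if not any(allows_port(r, proto, 53) for r in rules)]
    findings += [f"rule-{i}-reaches-metadata" for i, r in enumerate(rules)
                 if reaches_metadata(r)]
    return findings

# Constructed sample policies (not from a real cluster).
DNS_RULE = {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}
HTTPS = [{"protocol": "TCP", "port": 443}]
BROKEN = {"spec": {"policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": HTTPS}]}}
FIXED = {"spec": {"policyTypes": ["Egress"], "egress": [DNS_RULE,
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}], "ports": HTTPS}]}}
```

`audit(BROKEN)` reports both missing DNS rules and the unrestricted ipBlock; `audit(FIXED)`, which uses the two rules shown above, reports nothing.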