Kubernetes network policy does not have any effect


I started minikube with this command:

minikube start --network-plugin=cni --cni=calico

and I created an nginx pod in the default namespace with this file:

apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP

and I created a pod in the qa namespace to curl the nginx in the default namespace with this file:

apiVersion: v1
kind: Pod
metadata:
  name: curl-pod
spec:
  containers:
  - name: curlpod
    image: radial/busyboxplus:curl
    command:
    - sh
    - -c
    - while true; do sleep 1; done

When I curl, it works well.

After that I need to deny ingress traffic to the nginx pod in my default namespace, so I applied this NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}      # empty selector: applies to every pod in this namespace
  policyTypes:
  - Ingress            # no ingress rules listed, so all ingress is denied

but this does not do anything; when I curl from the pod in the qa namespace it still returns a 200 OK response.

I don't know how I can fix that. Can anyone help me?


Can you try changing your minikube start command to this:

minikube start --cni=false --network-plugin=cni

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.3/manifests/tigera-operator.yaml

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.3/manifests/custom-resources.yaml

Then verify that Calico is installed and running:

watch kubectl get pods -l k8s-app=calico-node -A

If you want a global default deny (all namespaces), try this:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: all()
  types:
    - Ingress
    - Egress

If you want it namespaced to your default ns, try this:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  selector: all()
  types:
    - Ingress
    - Egress
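The API server accepts a NetworkPolicy object whether or not the installed CNI enforces it, so a useful check is to work out what the policy is supposed to do and compare that with what curl observes. The evaluator below is an added example (not code from the question, the answer, or any Kubernetes project) that applies the upstream NetworkPolicy ingress semantics to the question's manifests, modelled as dicts: an empty `podSelector` isolates every pod in the namespace, an empty `ingress` list allows nothing, and a second policy can re-open a path. It assumes `matchLabels` selectors only, ignores ports and `ipBlock`, and relies on the automatic `kubernetes.io/metadata.name` namespace label.

```python
# Simplified Kubernetes NetworkPolicy ingress evaluator (added example).
# Assumptions: matchLabels-only selectors, pod-to-pod traffic only, ports ignored.

def _selects(selector, labels):
    """An empty selector ({} or None) matches everything; else every matchLabels pair must match."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def _peer_matches(peer, policy_ns, src):
    """Does one `from` entry match the source pod? src = {"namespace", "labels", "ns_labels"}."""
    if "ipBlock" in peer:
        return False  # assumption: CIDR peers are not evaluated in this example
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:  # podSelector alone means pods in the policy's own namespace
        return src["namespace"] == policy_ns and _selects(pod_sel, src["labels"])
    if not _selects(ns_sel, src["ns_labels"]):
        return False
    return pod_sel is None or _selects(pod_sel, src["labels"])

def ingress_allowed(policies, dst, src):
    """True if src may connect to dst under the given policies (conforming CNI assumed)."""
    isolated = False
    for pol in policies:
        ns = pol["metadata"].get("namespace", "default")
        spec = pol["spec"]
        if ns != dst["namespace"] or not _selects(spec.get("podSelector"), dst["labels"]):
            continue  # policy does not select the destination pod
        if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
            continue  # egress-only policy does not isolate for ingress
        isolated = True
        for rule in spec.get("ingress") or []:
            peers = rule.get("from")
            if not peers or any(_peer_matches(p, ns, src) for p in peers):
                return True  # some rule allows this source
    return not isolated  # unselected pods accept everything

# Constructed fixtures modelled on the question: web pod in "default", curl pod in "qa".
WEB = {"namespace": "default", "labels": {}, "ns_labels": {"kubernetes.io/metadata.name": "default"}}
CURL = {"namespace": "qa", "labels": {}, "ns_labels": {"kubernetes.io/metadata.name": "qa"}}

DENY_ALL_INGRESS = {  # the question's manifest, namespace defaulted to "default"
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_FROM_QA = {  # constructed: explicitly re-allow ingress from the qa namespace
    "metadata": {"name": "allow-from-qa", "namespace": "default"},
    "spec": {"podSelector": {}, "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "qa"}}}]}]},
}
```

If `ingress_allowed([DENY_ALL_INGRESS], WEB, CURL)` is False but the real curl still gets a 200, the policy object is fine and the gap is in enforcement, which is what the Calico check in the answer narrows down.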