Network Policy Debugging

Advanced15 min

Debug and verify Kubernetes network policies to ensure traffic is correctly allowed or blocked between pods and services.

Prerequisites

-kubectl configured
-A CNI that supports NetworkPolicy (Calico, Cilium, etc.)

Steps

List network policies in a namespace

View all network policies and what pods they select.

$ kubectl get networkpolicies -n <namespace> -o wide

Inspect a network policy's rules

View the ingress and egress rules of a specific policy.

$ kubectl describe networkpolicy <policy-name> -n <namespace>

Test connectivity between pods

Verify whether traffic is allowed or blocked between two pods.

$ kubectl exec <source-pod> -- curl -s --connect-timeout 5 http://<target-service>:<port>/health || echo 'Connection blocked or failed'

Check which policies apply to a pod

Find all network policies that select a specific pod based on its labels.

$ kubectl get networkpolicies -n <namespace> -o json | jq --arg pod_labels "$(kubectl get pod <pod-name> -n <namespace> -o jsonpath='{.metadata.labels}')" '.items[] | select(.spec.podSelector.matchLabels as $sel | all(to_entries[]; . as $e | ($pod_labels | fromjson)[$e.key] == $e.value)) | .metadata.name'

Deploy a test pod for connectivity testing

Launch a temporary pod with networking tools for manual testing.

$ kubectl run nettest --rm -it --restart=Never --image=nicolaka/netshoot -n <namespace> -- bash

Full Script

full-script.sh

#!/bin/bash
# Network Policy Debugging
set -euo pipefail

NS=${1:-"default"}

echo "=== Network Policies in $NS ==="
kubectl get networkpolicies -n "$NS" 2>/dev/null || echo "No network policies found"

echo ""
echo "=== Policy Details ==="
for policy in $(kubectl get networkpolicies -n "$NS" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null); do
  echo "--- $policy ---"
  kubectl describe networkpolicy "$policy" -n "$NS" | grep -A20 'Spec:'
  echo ""
done

echo ""
echo "=== Debug Commands ==="
echo "Test connectivity: kubectl exec <pod> -n $NS -- curl -s --connect-timeout 5 http://<service>:<port>"
echo "Netshoot pod:      kubectl run nettest --rm -it --restart=Never --image=nicolaka/netshoot -n $NS -- bash"
echo "DNS test:          kubectl exec <pod> -n $NS -- nslookup <service>"

FAQ

Discussion

Loading comments...

#!/bin/bash # Network Policy Debugging set -euo pipefail NS=${1:-"default"} echo "=== Network Policies in $NS ===" kubectl get networkpolicies -n "$NS" 2>/dev/null || echo "No network policies found" echo "" echo "=== Policy Details ===" for policy in $(kubectl get networkpolicies -n "$NS" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null); do echo "--- $policy ---" kubectl describe networkpolicy "$policy" -n "$NS" | grep -A20 'Spec:' echo "" done echo "" echo "=== Debug Commands ===" echo "Test connectivity: kubectl exec <pod> -n $NS -- curl -s --connect-timeout 5 http://<service>:<port>" echo "Netshoot pod: kubectl run nettest --rm -it --restart=Never --image=nicolaka/netshoot -n $NS -- bash" echo "DNS test: kubectl exec <pod> -n $NS -- nslookup <service>"