NetworkPolicy is blocking outbound traffic from the pod
Production Risk
Pods cannot reach databases, external APIs, or other services; application functionality is broken.
EgressDenied means outbound traffic from a pod is being dropped by a NetworkPolicy. Once any NetworkPolicy whose policyTypes include Egress selects a pod, every outbound connection that no egress rule of a selecting policy explicitly allows is denied. Policies are additive: they can only add allowed traffic, never remove restrictions another policy imposes. Because the CNI plugin normally drops the packets rather than rejecting them, the symptom is almost always a connection timeout; a prompt "connection refused" means the packet reached a host whose port was closed, which points away from NetworkPolicy. This affects pod-to-pod traffic, DNS lookups, databases and external APIs alike.
1. A NetworkPolicy with egress rules selects the pod (its podSelector matches the pod's labels) but none of its rules allow the required destination.
2. A default-deny egress policy (an empty podSelector, policyTypes: [Egress], and no egress rules) is applied to the namespace and no allow policy has been added for the pod.
3. No egress rule allows DNS (port 53, UDP and TCP) to the cluster resolver, so name resolution fails before any connection is attempted, even to destinations that are otherwise allowed.
4. The destination's CIDR, port or protocol is not covered by any rule in the policies that select the pod.
The pod cannot connect to external services or to other pods, while the same connections succeed from pods that no NetworkPolicy selects.
```shell
# From inside the pod
kubectl exec mypod -n mynamespace -- curl -v http://external-service.example.com
# Connection timeout

# Check which NetworkPolicies select this pod (compare its labels with each podSelector)
kubectl get pod mypod -n mynamespace --show-labels
kubectl get networkpolicies -n mynamespace
kubectl describe networkpolicy my-policy -n mynamespace
```
expected output
```
curl: (28) Connection timed out after 30000 milliseconds
```
Fix
Allow required egress in NetworkPolicy
WHEN Pod needs to reach specific destinations
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: mynamespace
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Egress
  egress:
    # Narrow this CIDR to the destinations the pod actually needs: 0.0.0.0/0 on
    # port 443 also reaches every pod in the cluster and the cloud instance
    # metadata endpoint (169.254.169.254 on the major clouds).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
    # Always allow DNS. CoreDNS answers over both UDP and TCP, and resolvers
    # retry over TCP when a UDP response is truncated.
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```
Why this works
NetworkPolicies are additive: once any egress policy selects a pod, only traffic matched by some egress rule of some selecting policy gets through, so adding this policy grants the listed destinations without loosening any other policy's restrictions. The DNS rule is required because a default-deny policy also blocks lookups, which otherwise makes every allowed destination fail by name before a connection is even attempted. If traffic is still blocked after applying it, confirm the pod carries the `app: myapp` label and that the cluster's CNI plugin actually enforces NetworkPolicy; the API server accepts policy objects even when no plugin enforces them.
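As an added example (not code from the page or from Kubernetes itself), the following Python model reproduces the egress semantics described above: which policies govern a pod, why a default-deny policy with no rules blocks everything including DNS, and which flows the allow-egress policy above restores. The policies, IP addresses, labels and namespaces in it are constructed sample data, and it deliberately models only podSelector.matchLabels, policyTypes, ipBlock cidr/except, namespaceSelector/podSelector peers and ports (no matchExpressions, named ports, endPort or ingress).

```python
"""Simplified model of how Kubernetes evaluates NetworkPolicy egress.

Added example, not code from the page or from Kubernetes. Models podSelector
matchLabels, policyTypes, egress rules with ipBlock cidr/except,
namespaceSelector/podSelector peers and ports. Everything below (policies,
IPs, labels, namespaces) is constructed sample data.
"""
import ipaddress


def selects(selector, labels):
    """matchLabels semantics; an empty or absent selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def egress_policies_for(policies, pod_ns, pod_labels):
    """Policies in the pod's namespace that select it and govern egress."""
    governing = []
    for pol in policies:
        spec = pol["spec"]
        # policyTypes omitted: Ingress is implied, Egress only if the egress field exists.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if (pol["metadata"]["namespace"] == pod_ns and "Egress" in types
                and selects(spec.get("podSelector"), pod_labels)):
            governing.append(pol)
    return governing


def peer_matches(peer, policy_ns, dst):
    """dst keys: ip, namespace, pod_labels, ns_labels (the last three are None outside the cluster)."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(dst["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
    if dst["pod_labels"] is None:
        return False  # selector peers never match cluster-external addresses
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], dst["ns_labels"]):
            return False
    elif dst["namespace"] != policy_ns:
        return False  # a bare podSelector is scoped to the policy's own namespace
    if "podSelector" in peer and not selects(peer["podSelector"], dst["pod_labels"]):
        return False
    return "namespaceSelector" in peer or "podSelector" in peer


def port_matches(ports, proto, port):
    """An absent ports list means every port and protocol."""
    return not ports or any(
        p.get("protocol", "TCP") == proto and p.get("port") in (None, port) for p in ports)


def egress_allowed(policies, pod_ns, pod_labels, dst, proto, port):
    """Policies are additive: one matching rule in any governing policy allows the flow."""
    governing = egress_policies_for(policies, pod_ns, pod_labels)
    if not governing:
        return True  # no egress policy selects the pod, so nothing is restricted
    for pol in governing:
        for rule in pol["spec"].get("egress") or []:
            peers = rule.get("to") or []
            if (not peers or any(peer_matches(p, pol["metadata"]["namespace"], dst) for p in peers)) \
                    and port_matches(rule.get("ports"), proto, port):
                return True
    return False


# Constructed sample policies: a namespace-wide default deny plus the page's
# allow-egress policy as written (0.0.0.0/0 on TCP 443, DNS on UDP 53 only).
DEFAULT_DENY = {"metadata": {"name": "default-deny-egress", "namespace": "mynamespace"},
                "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
ALLOW_EGRESS = {"metadata": {"name": "allow-egress", "namespace": "mynamespace"},
                "spec": {"podSelector": {"matchLabels": {"app": "myapp"}}, "policyTypes": ["Egress"],
                         "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                                     "ports": [{"protocol": "TCP", "port": 443}]},
                                    {"ports": [{"protocol": "UDP", "port": 53}]}]}}
MYAPP = {"app": "myapp"}
EXTERNAL = {"ip": "203.0.113.10", "namespace": None, "pod_labels": None, "ns_labels": None}
KUBE_DNS = {"ip": "10.96.0.10", "namespace": "kube-system", "pod_labels": {"k8s-app": "kube-dns"},
            "ns_labels": {"kubernetes.io/metadata.name": "kube-system"}}
DATABASE = {"ip": "10.244.1.5", "namespace": "mynamespace", "pod_labels": {"app": "postgres"},
            "ns_labels": {"kubernetes.io/metadata.name": "mynamespace"}}


def diagnose(policies, pod_labels, pod_ns="mynamespace"):
    """Which of the symptomatic flows can the pod open under these policies?"""
    flows = {"https_external": (EXTERNAL, "TCP", 443), "dns_udp": (KUBE_DNS, "UDP", 53),
             "dns_tcp": (KUBE_DNS, "TCP", 53), "postgres": (DATABASE, "TCP", 5432)}
    return {name: egress_allowed(policies, pod_ns, pod_labels, dst, proto, port)
            for name, (dst, proto, port) in flows.items()}


if __name__ == "__main__":
    print("no policies:   ", diagnose([], MYAPP))
    print("default deny:  ", diagnose([DEFAULT_DENY], MYAPP))
    print("deny + allow:  ", diagnose([DEFAULT_DENY, ALLOW_EGRESS], MYAPP))
    print("unlabelled pod:", diagnose([DEFAULT_DENY, ALLOW_EGRESS], {"app": "other"}))
```

Running it shows the four causes in order: with no policies every flow is open; with only the default-deny policy every flow, DNS included, is closed; after adding allow-egress the labelled pod regains HTTPS and UDP DNS but still cannot reach TCP 53 or the database on 5432, because no rule covers them; and a pod without the `app: myapp` label stays fully blocked since only the default-deny policy selects it.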
Kubernetes Documentation
Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev