Troubleshooting Network Policies
Network Policy issues often manifest as application connectivity problems that can be challenging to diagnose. Systematic troubleshooting approaches help identify whether Network Policies cause communication failures. Starting with basic connectivity tests using tools like curl or nc from within pods helps isolate network-layer issues from application problems.
DNS resolution frequently causes Network Policy-related failures. Applications cannot resolve service names when egress policies block DNS traffic. The default deny egress examples shown earlier include DNS exceptions for this reason. Testing DNS resolution separately from application connectivity helps identify these issues quickly. Tools like dig or nslookup within pods verify DNS functionality.
```yaml
# Troubleshooting pod for network connectivity testing
apiVersion: v1
kind: Pod
metadata:
  name: netshoot
  namespace: production
  labels:
    app: netshoot
    purpose: troubleshooting
spec:
  containers:
  - name: netshoot
    image: nicolaka/netshoot:latest
    command: ["/bin/bash"]
    args: ["-c", "while true; do sleep 3600; done"]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
---
# Network policy allowing troubleshooting pod to test connectivity
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-netshoot-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: netshoot
  policyTypes:
  - Egress
  egress:
  - {} # Allow all egress for troubleshooting
```
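Before reaching for dig or nslookup inside a pod, it is often faster to check whether the namespace's egress policies even permit DNS. The following script is an added example, not code from the original page: it evaluates a pod's labels against a set of NetworkPolicy objects (constructed samples that mirror the default-deny and allow-netshoot-egress policies above) and reports whether the pod is egress-restricted and whether any selecting policy leaves UDP/53 open. Policy selection is by matchLabels only; matchExpressions and namespace/IP peers are not evaluated.

```python
# Added example (not from the original page): decide, from a namespace's
# NetworkPolicy objects, whether a pod's egress rules leave DNS (UDP 53) open.
# The policy dicts below are constructed samples, not objects from a real cluster.

def selects(pod_selector, labels):
    """Empty podSelector matches every pod; all matchLabels must be present."""
    wanted = pod_selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def rule_allows_udp53(rule):
    """A rule without 'ports' allows every port; otherwise look for UDP/53."""
    if "ports" not in rule:
        return True
    # protocol defaults to TCP when omitted, so an entry must say UDP explicitly
    return any(p.get("port") == 53 and p.get("protocol", "TCP") == "UDP"
               for p in rule["ports"])

def dns_egress_status(policies, namespace, pod_labels):
    """Return (egress_restricted, dns_allowed, names_of_policies_selecting_pod).
    Policies are additive: the pod may send DNS if any selecting policy allows it."""
    restricted, allowed, names = False, False, []
    for pol in policies:
        if pol["metadata"]["namespace"] != namespace:
            continue
        spec = pol["spec"]
        # policyTypes defaults to Ingress, plus Egress only when egress rules exist
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if "Egress" not in types or not selects(spec.get("podSelector", {}), pod_labels):
            continue
        restricted = True
        names.append(pol["metadata"]["name"])
        if any(rule_allows_udp53(r) for r in spec.get("egress", [])):
            allowed = True
    return restricted, allowed, names

SAMPLE_POLICIES = [  # constructed sample policies for the 'production' namespace
    {"metadata": {"name": "default-deny-egress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "allow-netshoot-egress", "namespace": "production"},
     "spec": {"podSelector": {"matchLabels": {"app": "netshoot"}},
              "policyTypes": ["Egress"], "egress": [{}]}},
    {"metadata": {"name": "allow-web-dns", "namespace": "production"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Egress"],
              "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}},
]
```

A result of `(True, False, [...])` means the pod is selected by an egress policy but none of the selecting policies admits UDP/53, which is exactly the case where service-name lookups fail while a direct `nc` to an IP may still succeed.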
Network Policy debugging tools vary by CNI plugin but provide essential visibility. Calico's calicoctl provides policy debugging commands. Cilium's hubble offers real-time traffic flow visualization. These tools show whether policies block specific connections and which rules apply. Understanding CNI-specific debugging tools improves troubleshooting efficiency.