🎯 What It Is

Even with correct YAML, NetworkPolicies can fail silently. This topic covers how to debug them and how to apply production-grade practices.

✅ Goal: Go from “why isn’t this working?” to “traffic flows exactly as intended.”

💡 Real-World Analogy

Like a network engineer with a packet sniffer:


🧪 Step-by-Step Troubleshooting Guide

🔍 Step 1: Confirm Your CNI Supports NetworkPolicy

# Check if Cilium/Calico is running
kubectl get pods -n kube-system | grep -E 'cilium|calico'

# If using Flannel (default in k3s) → NetworkPolicy **won’t work!**

✅ Fix: Install Cilium:

curl -L --remote-name https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
cilium install


🔍 Step 2: Verify Policy Is Applied to the Right Pods

# Check if policy matches your Pod labels
kubectl describe netpol my-policy

# List Pods that should be affected
kubectl get pods -l app=backend

✅ Common mistake: Typo in labels (app: backned vs app: backend)
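The Step 2 check can be automated. The script below is an added example, not part of the original guide: it evaluates each policy's podSelector against pod labels and reports policies that select nothing. The policy and pod data are constructed samples shaped like the `items` array of `kubectl get netpol -o json` and `kubectl get pods -o json`, and all function names are assumptions.

```python
import json

# Constructed samples, shaped like the `items` of `kubectl get ... -o json`.
POLICIES = json.loads("""[
 {"metadata": {"name": "my-policy", "namespace": "default"},
  "spec": {"podSelector": {"matchLabels": {"app": "backned"}}}},
 {"metadata": {"name": "db-policy", "namespace": "default"},
  "spec": {"podSelector": {"matchExpressions": [
      {"key": "app", "operator": "In", "values": ["database"]}]}}},
 {"metadata": {"name": "default-deny", "namespace": "default"},
  "spec": {"podSelector": {}}}
]""")
PODS = json.loads("""[
 {"metadata": {"name": "backend-1", "namespace": "default",
               "labels": {"app": "backend"}}},
 {"metadata": {"name": "database-0", "namespace": "default",
               "labels": {"app": "database"}}}
]""")

def selector_matches(selector, labels):
    """Evaluate a LabelSelector; an empty selector matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def audit(policies, pods):
    """Map policy name -> pods it selects in its own namespace ([] = no effect)."""
    result = {}
    for pol in policies:
        ns, sel = pol["metadata"]["namespace"], pol["spec"].get("podSelector") or {}
        result[pol["metadata"]["name"]] = [
            p["metadata"]["name"] for p in pods
            if p["metadata"]["namespace"] == ns
            and selector_matches(sel, p["metadata"].get("labels") or {})]
    return result

if __name__ == "__main__":
    for name, matched in audit(POLICIES, PODS).items():
        print(f"{name}: {', '.join(matched) or 'NO PODS SELECTED (check labels)'}")
```

With the sample data, `my-policy` selects no pods because of the `backned` typo, while the empty selector in `default-deny` selects every pod in the namespace.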


🔍 Step 3: Test Connectivity Manually

# Start a debug Pod in the same namespace
kubectl run debug --image=busybox --rm -it -- sh

# Test ingress: can others reach target?
/ # wget -qO- http://backend --timeout=3

# Test egress: can target reach others?
kubectl exec deploy/backend -- wget -qO- http://database --timeout=3

✅ Use --timeout so a blocked connection fails fast instead of hanging