Same node traffic is always allowed not only in ingress, but also in egress direction #283

@npinaeva

Description

With the default-deny behaviour of network policy we had to make sure kubelet probes continue to work, hence we made an exception for the same-node-to-pod ingress connection to be always allowed. The docs (https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-two-sorts-of-pod-isolation) say:

> When a pod is isolated for egress, the only allowed connections from the pod are those allowed by the egress list of some NetworkPolicy that applies to the pod for egress.
> ...
> When a pod is isolated for ingress, the only allowed connections into the pod are those from the pod's node and those allowed by the ingress list of some NetworkPolicy that applies to the pod for ingress.

Note how only the ingress direction mentions the pod's node as allowed.
I stumbled on this when running pod-to-host tests in CNP and noticed that pod-to-same-node is always allowed.
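For reference, this is the kind of setup that exercises the behaviour described in the issue. It is an added example, not a manifest from the issue author or from the Kubernetes project: the namespace `np-test`, the policy name `default-deny-all` and the pod `probe-target` are assumed names. The policy's empty `podSelector` with both policy types listed isolates every pod in the namespace for ingress and egress while allowing nothing; the pod carries an HTTP liveness probe, which is exactly the node-to-pod (kubelet) traffic the ingress exception in the quoted docs exists to keep working.

```yaml
# Added example, not from the issue or the Kubernetes project.
# Namespace, policy and pod names are assumptions for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: np-test
---
# Isolates all pods in the namespace for BOTH directions.
# No ingress/egress rules are listed, so the only traffic that should
# pass is whatever the implementation exempts from policy: per the
# quoted docs, that is ingress from the pod's own node (kubelet probes).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: np-test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# A pod whose liveness probe is issued by the kubelet on the pod's node.
# With the policy above applied, the probe still succeeds only because
# of the same-node ingress exception; there is no documented equivalent
# exception for egress, which is what this issue questions.
apiVersion: v1
kind: Pod
metadata:
  name: probe-target
  namespace: np-test
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        path: /
        port: 80
      initialDelaySeconds: 5
      periodSeconds: 10
```

To reproduce the observation in the issue, apply the manifests, confirm the pod stays Running (the probe from the node is allowed despite default-deny ingress), then from inside the pod attempt a connection to the node's own IP; the issue reports that, on the implementation tested, this egress also succeeds even though the policy has no egress rules and the docs mention no such exception for the egress direction.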
