KubeDojo

Network Policies: Egress Rules and Default Deny

by Alexis Kinsella · 15 min read

You apply a default-deny egress NetworkPolicy and suddenly everything breaks. Not the traffic you intended to block. Everything. Your pods can't reach the database, the API they call, or the sidecar running in the same namespace. The error isn't "connection refused" or "connection timed out." It's bad address 'service-name'. DNS is dead.

Egress rules work differently from ingress rules. Ingress controls what can reach your pods. Egress controls what your pods can reach, and by default they can reach everything: every pod, every namespace, every external IP. The moment you add a NetworkPolicy that selects the pod and lists policyTypes: [Egress], all of that changes. The pod is now isolated for egress: all outbound traffic is blocked unless an egress rule explicitly permits it. Port 53 traffic to CoreDNS is outbound. So is every other connection you care about.
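The following manifests are an added example written for this lesson, not the lesson's own code: a namespace-wide default-deny egress policy, a companion policy that re-allows DNS to CoreDNS, and a narrow allow for the database the pods actually need. They assume a workload namespace called app, client pods labelled app=web, database pods labelled app=postgres on port 5432, and a cluster where CoreDNS runs in kube-system with the standard k8s-app: kube-dns label and the namespace carries the default kubernetes.io/metadata.name label. All of those names are assumptions and should be replaced with your own.

```yaml
# Added example, not from the lesson. Assumed names: namespace "app",
# client pods app=web, database pods app=postgres, CoreDNS in kube-system
# labelled k8s-app: kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: app
spec:
  podSelector: {}          # empty selector: every pod in the namespace is isolated for egress
  policyTypes:
  - Egress                 # no egress rules listed, so all outbound traffic is denied
---
# Re-allow DNS. Select the CoreDNS pods themselves (policies match pod endpoints,
# not the kube-dns Service IP) and allow both UDP and TCP on port 53, since
# large responses and some resolvers fall back to TCP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:         # same "to" entry as the namespaceSelector: both must match (AND)
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Allow only the web pods to reach only the database, on only its port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: web             # assumption: client pods carry app=web
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:         # no namespaceSelector: peers in the policy's own namespace
        matchLabels:
          app: postgres    # assumption: database pods carry app=postgres
    ports:
    - protocol: TCP
      port: 5432
```

NetworkPolicies are additive: a connection is allowed if any policy selecting the pod allows it, so the default-deny policy and the two allow policies can be applied independently and in any order. Keeping the DNS allow as its own namespace-wide policy means every later, more specific allow (like the database rule) does not have to repeat the port 53 entries. After applying all three, a name lookup from a pod in the namespace succeeds again, while any outbound connection not covered by an allow rule is still dropped.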
