I'm using Calico on minikube by following the instructions here:
https://docs.tigera.io/calico/latest/getting-started/kubernetes/minikube
I have followed the verification process and confirm I am seeing what is expected.
I have an nginx deployment running in 3 namespaces. This is my output of kubectl get pods -A:
NAMESPACE     NAME                                       READY   STATUS    RESTARTS      AGE
kube-system   calico-kube-controllers-949d58b75-n52zg    1/1     Running   0             15m
kube-system   calico-node-s7xqh                          1/1     Running   0             15m
kube-system   coredns-787d4945fb-zldh9                   1/1     Running   0             17m
kube-system   etcd-minikube                              1/1     Running   0             17m
kube-system   kube-apiserver-minikube                    1/1     Running   0             17m
kube-system   kube-controller-manager-minikube           1/1     Running   0             17m
kube-system   kube-proxy-2lskh                           1/1     Running   0             17m
kube-system   kube-scheduler-minikube                    1/1     Running   0             17m
kube-system   storage-provisioner                        1/1     Running   1 (17m ago)   17m
ns1           new-deploy-7c577ddf69-nsptf                1/1     Running   0             4m17s
ns1           new-deploy-7c577ddf69-rdj4s                1/1     Running   0             4m17s
ns2           new-deploy-7c577ddf69-4hnx5                1/1     Running   0             4m16s
ns2           new-deploy-7c577ddf69-wwqm5                1/1     Running   0             4m16s
ns3           new-deploy-7c577ddf69-hvnkb                1/1     Running   0             4m14s
ns3           new-deploy-7c577ddf69-s92q5                1/1     Running   0             4m14s
I have this NetworkPolicy defined in ns3:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-ns2
  namespace: ns3
spec:
  podSelector:
    matchLabels:
      environment: test
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              permission: allowed
I confirm it's been applied by running kubectl describe networkpolicy -n ns3. This is the output:
Name:         deny-ns2
Namespace:    ns3
Created on:   2023-07-10 13:28:50 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     environment=test
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: permission=allowed
  Not affecting egress traffic
  Policy Types: Ingress
Why am I able to ping and get a response using a pod in ns2 to ns3 without it being blocked? Here is the command I use; it returns the nginx response, and I expect it not to work.
kubectl exec --namespace ns2 new-deploy-7c577ddf69-4hnx5 -- curl IP_POD_IN_NS3
Minikube usually starts with kubenet as its network plugin, which does not support network policy. I suggest using minikube with cni to install a CNI that supports network policy. Network Policy is implemented by network plugins. Click prerequisite to understand more about network policy.
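As an added illustration (not code from the question, the answer, Calico or Kubernetes), the following Python model evaluates the deny-ns2 policy above the way the NetworkPolicy spec defines it: a policy only has an effect if (a) the CNI plugin enforces NetworkPolicy at all, which is the answer's point, and (b) its podSelector actually selects the destination pod, after which the ingress peers decide. The pod and namespace labels below are assumptions; the question shows pod names and the policy, but not the labels on the nginx pods or on ns1/ns2. Checking those with kubectl get pods -n ns3 --show-labels and kubectl get ns --show-labels is the first thing to do before blaming the plugin.

```python
"""Offline model of Kubernetes NetworkPolicy ingress evaluation (matchLabels only).

Added example; not the code of Kubernetes, Calico or the posts above.
Labels on pods and namespaces are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict   # spec.podSelector.matchLabels; {} selects every pod in the namespace
    policy_types: tuple  # spec.policyTypes
    ingress: list        # spec.ingress: list of rules, each {"from": [peer, ...]}


def matches(selector, labels):
    """matchLabels semantics: every selector key must be present with that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_admits(peer, policy, src, namespace_labels):
    """One 'from' entry. namespaceSelector and podSelector in the same entry are ANDed;
    a podSelector alone refers to pods in the policy's own namespace."""
    has_ns = "namespaceSelector" in peer
    has_pod = "podSelector" in peer
    if has_ns and not matches(peer["namespaceSelector"], namespace_labels.get(src.namespace, {})):
        return False
    if has_pod:
        if not has_ns and src.namespace != policy.namespace:
            return False
        if not matches(peer["podSelector"], src.labels):
            return False
    return True


def ingress_allowed(src, dst, policies, namespace_labels, cni_enforces=True):
    """Return (allowed, reason) for a connection from src to dst."""
    if not cni_enforces:
        # Kubenet and other plugins without policy support: the object is stored
        # by the API server but nothing in the data path ever consults it.
        return True, "CNI does not implement NetworkPolicy; object stored but never enforced"
    selecting = [p for p in policies
                 if p.namespace == dst.namespace
                 and "Ingress" in p.policy_types
                 and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True, "no Ingress policy selects the destination pod, so the default is allow"
    for p in selecting:
        for rule in p.ingress:
            peers = rule.get("from", [])
            if not peers:
                return True, f"{p.name}: rule without 'from' admits every source"
            for peer in peers:
                if peer_admits(peer, p, src, namespace_labels):
                    return True, f"{p.name}: source admitted by peer {peer}"
    return False, "destination is selected and no ingress rule admits the source"


# The deny-ns2 policy from the question, transcribed from its YAML.
DENY_NS2 = NetworkPolicy(
    name="deny-ns2", namespace="ns3",
    pod_selector={"environment": "test"},
    policy_types=("Ingress",),
    ingress=[{"from": [{"namespaceSelector": {"permission": "allowed"}}]}],
)

# Constructed labels (assumptions): ns1 is the only namespace labelled permission=allowed.
NAMESPACE_LABELS = {"ns1": {"permission": "allowed"}, "ns2": {}, "ns3": {}}
CLIENT_NS2 = Pod("new-deploy-7c577ddf69-4hnx5", "ns2", {"app": "nginx"})
CLIENT_NS1 = Pod("new-deploy-7c577ddf69-nsptf", "ns1", {"app": "nginx"})
NGINX_UNLABELLED = Pod("new-deploy-7c577ddf69-hvnkb", "ns3", {"app": "nginx"})
NGINX_TEST = Pod("new-deploy-7c577ddf69-hvnkb", "ns3", {"app": "nginx", "environment": "test"})


def scenarios():
    """The four situations a practitioner should distinguish before concluding the policy is broken."""
    return {
        "kubenet, no enforcement":
            ingress_allowed(CLIENT_NS2, NGINX_TEST, [DENY_NS2], NAMESPACE_LABELS, cni_enforces=False)[0],
        "enforcing CNI, nginx pod lacks environment=test":
            ingress_allowed(CLIENT_NS2, NGINX_UNLABELLED, [DENY_NS2], NAMESPACE_LABELS)[0],
        "enforcing CNI, ns2 -> labelled pod":
            ingress_allowed(CLIENT_NS2, NGINX_TEST, [DENY_NS2], NAMESPACE_LABELS)[0],
        "enforcing CNI, ns1 (permission=allowed) -> labelled pod":
            ingress_allowed(CLIENT_NS1, NGINX_TEST, [DENY_NS2], NAMESPACE_LABELS)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'DENIED'}")
```

Only the third scenario denies the curl from ns2; the first two reproduce the behaviour in the question for two different reasons, so the labels and the plugin both need checking.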