I had opened aws/aws-network-policy-agent#481 after we experienced a change in behavior since upgrading to a version of the agent newer than 2.3.1; however, after further investigation it looks like the potential issue could lie within the policy controller and the way in which it creates policy endpoints for network policies.
As an example, given the following network policy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
  name: test
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - ipBlock:
        cidr: 172.16.0.0/12
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 172.16.0.0/12
  - to:
    - ipBlock:
        cidr: 172.16.0.0/12
  podSelector:
    matchLabels:
      app: demo
  policyTypes:
  - Egress
```
We see the following policy endpoint created:
```yaml
apiVersion: networking.k8s.aws/v1alpha1
kind: PolicyEndpoint
metadata:
  name: test-csl5v
spec:
  egress:
  - cidr: 172.16.0.0/12
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - cidr: 0.0.0.0/0
    except:
    - 172.16.0.0/12
  podIsolation:
  - Egress
  podSelector:
    matchLabels:
      app: demo
  policyRef:
    name: test
    namespace: test
```
The ANY egress rule on 172.16.0.0/12 that exists in the network policy is not present in the policy endpoint. Is this expected? I would expect the policy endpoint to reflect the network policy and include this egress rule.
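The following is an added illustration, not code from the policy controller or from the reporter: it collapses the egress rules of the NetworkPolicy above into CIDR-keyed entries the way a PolicyEndpoint lists them. A merge that keeps the first entry seen for a CIDR and ignores a later all-ports rule for the same CIDR reproduces the endpoint shown in the issue exactly; whether the controller actually works this way is an assumption, and the `allow_widening` variant shows what the reporter expects instead, with the ANY rule superseding the port list.

```python
# Constructed from the issue's NetworkPolicy spec.egress (same order as on the page).
NETWORK_POLICY_EGRESS = [
    {"ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "172.16.0.0/12"}}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["172.16.0.0/12"]}}]},
    {"to": [{"ipBlock": {"cidr": "172.16.0.0/12"}}]},  # the ANY rule that goes missing
]


def merge_egress(rules, allow_widening):
    """Collapse NetworkPolicy egress rules into PolicyEndpoint-style entries keyed
    by CIDR. An entry with no "ports" key means every port and protocol (ANY).
    allow_widening=False models the lossy merge that matches the observed endpoint;
    allow_widening=True models the expected result (hypothetical, for comparison)."""
    entries = {}  # cidr -> entry, insertion ordered
    for rule in rules:
        ports = rule.get("ports")  # None means the rule allows all ports
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None:
                continue  # podSelector/namespaceSelector peers are out of scope here
            cidr = block["cidr"]
            entry = entries.get(cidr)
            if entry is None:
                entry = {"cidr": cidr}
                if block.get("except"):
                    entry["except"] = list(block["except"])
                if ports is not None:
                    entry["ports"] = [dict(p) for p in ports]
                entries[cidr] = entry
            elif "ports" not in entry:
                continue  # already ANY; a port list cannot narrow it
            elif ports is None:
                if allow_widening:
                    del entry["ports"]  # ANY supersedes the earlier port list
                # otherwise the ANY rule is silently dropped (observed behaviour)
            else:
                for p in ports:  # union of port lists, no duplicates
                    if p not in entry["ports"]:
                        entry["ports"].append(dict(p))
    return list(entries.values())


def allows_all_ports(entries, cidr):
    """True when the endpoint entry for cidr permits every port (no "ports" key)."""
    return any(e["cidr"] == cidr and "ports" not in e for e in entries)
```

A quick way to check an endpoint against the policy's intent is to confirm that every CIDR named in an egress rule without `ports` ends up with an all-ports entry.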