Description
Describe the bug
Popeye reports [POP-1206] No pods matched Egress IPBlock X.X.X.X/32 for NetworkPolicy rules that use IPBlock to allow traffic to external IP addresses (like DNS servers). This is a false positive because IPBlock rules are intended to match external IPs, not pods.
Example NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: adguard-home-network-policy
spec:
  podSelector:
    matchLabels:
      app: adguard-home
  policyTypes:
    - Egress
  egress:
    # Allow DNS to Cloudflare, Google, Quad9
    - to:
        - ipBlock:
            cidr: 1.1.1.1/32
        - ipBlock:
            cidr: 1.0.0.1/32
        - ipBlock:
            cidr: 8.8.8.8/32
        - ipBlock:
            cidr: 8.8.4.4/32
        - ipBlock:
            cidr: 9.9.9.9/32
      ports:
        - protocol: UDP
          port: 53
```

Popeye output:

```
· adguard-home/adguard-home-network-policy.......................................................😱
  😱 [POP-1206] No pods matched Egress IPBlock 1.1.1.1/32.
  😱 [POP-1206] No pods matched Egress IPBlock 1.0.0.1/32.
  😱 [POP-1206] No pods matched Egress IPBlock 8.8.8.8/32.
  😱 [POP-1206] No pods matched Egress IPBlock 8.8.4.4/32.
  😱 [POP-1206] No pods matched Egress IPBlock 9.9.9.9/32.
```
Expected behavior
IPBlock rules should not trigger POP-1206 warnings. The purpose of IPBlock is to allow traffic to/from external IP addresses outside the cluster, not to select pods.
Per Kubernetes documentation:
ipBlock: This selects particular IP CIDR ranges to allow as ingress sources or egress destinations.
Versions:
- OS: Arch Linux
- Popeye: v0.21.5
- K8s: v1.35.0 (K3s)
Additional context
This affects any NetworkPolicy using IPBlock for:
- External DNS servers (1.1.1.1, 8.8.8.8, etc.)
- External services
- Home network ranges (192.168.0.0/16, 172.16.0.0/12)
- Any-destination rules (0.0.0.0/0)
The check at POP-1206 appears to be looking for pods matching the IPBlock CIDR, but IPBlock rules are specifically for non-pod IPs and should be exempted from pod-matching validation.
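To make the intended behaviour concrete, here is an added example (not Popeye's own code) of how a "no pods matched" lint pass can evaluate egress peers: `podSelector` and `namespaceSelector` peers are resolved against the pods in the cluster and flagged when nothing matches, while `ipBlock` peers are skipped outright because a CIDR never refers to a pod. The `IPBlock`, `LabelSelector`, `NetworkPolicyPeer` and `Pod` types below are simplified stand-ins for the `k8s.io/api/networking/v1` and core types, and the namespace-label map is constructed so the example runs offline; `LintEgressPeers` and `IssuePeers` are names chosen for this example only.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for the Kubernetes API types (constructed for this
// example; they are not the real k8s.io/api types).
type IPBlock struct{ CIDR string }

type LabelSelector struct{ MatchLabels map[string]string }

// A NetworkPolicyPeer is one entry under egress[].to / ingress[].from.
// The API allows either ipBlock or a selector pair, never both.
type NetworkPolicyPeer struct {
	PodSelector       *LabelSelector
	NamespaceSelector *LabelSelector
	IPBlock           *IPBlock
}

type Pod struct {
	Namespace string
	Labels    map[string]string
}

// matches reports whether labels satisfy a matchLabels selector.
// An empty selector ({}) matches everything, as in the API.
func matches(sel *LabelSelector, labels map[string]string) bool {
	for k, v := range sel.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// describe renders a selector-based peer for the finding message.
func describe(peer NetworkPolicyPeer) string {
	render := func(name string, sel *LabelSelector) string {
		keys := make([]string, 0, len(sel.MatchLabels))
		for k := range sel.MatchLabels {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		parts := make([]string, 0, len(keys))
		for _, k := range keys {
			parts = append(parts, k+"="+sel.MatchLabels[k])
		}
		return name + "{" + strings.Join(parts, ",") + "}"
	}
	var out []string
	if peer.NamespaceSelector != nil {
		out = append(out, render("namespaceSelector", peer.NamespaceSelector))
	}
	if peer.PodSelector != nil {
		out = append(out, render("podSelector", peer.PodSelector))
	}
	return strings.Join(out, " ")
}

// LintEgressPeers returns one finding per selector-based peer that matches
// no pod. ipBlock peers are exempt: they select CIDRs (typically outside the
// cluster), so "no pods matched" is meaningless for them.
func LintEgressPeers(peers []NetworkPolicyPeer, pods []Pod, nsLabels map[string]map[string]string) []string {
	var findings []string
	for _, peer := range peers {
		if peer.IPBlock != nil {
			continue // CIDR peer: nothing to resolve against pods
		}
		if peer.PodSelector == nil && peer.NamespaceSelector == nil {
			continue // empty peer is rejected by the API server anyway
		}
		matched := false
		for _, pod := range pods {
			if peer.NamespaceSelector != nil && !matches(peer.NamespaceSelector, nsLabels[pod.Namespace]) {
				continue
			}
			if peer.PodSelector != nil && !matches(peer.PodSelector, pod.Labels) {
				continue
			}
			matched = true
			break
		}
		if !matched {
			findings = append(findings, "[POP-1206] No pods matched Egress peer "+describe(peer))
		}
	}
	return findings
}

// IssuePeers rebuilds the five ipBlock peers from the policy in this report.
func IssuePeers() []NetworkPolicyPeer {
	var peers []NetworkPolicyPeer
	for _, cidr := range []string{"1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32", "9.9.9.9/32"} {
		peers = append(peers, NetworkPolicyPeer{IPBlock: &IPBlock{CIDR: cidr}})
	}
	return peers
}

func main() {
	pods := []Pod{{Namespace: "adguard-home", Labels: map[string]string{"app": "adguard-home"}}}
	ns := map[string]map[string]string{"adguard-home": {"kubernetes.io/metadata.name": "adguard-home"}}
	fmt.Println("ipBlock-only policy findings:", LintEgressPeers(IssuePeers(), pods, ns))
	stale := []NetworkPolicyPeer{{PodSelector: &LabelSelector{MatchLabels: map[string]string{"app": "missing"}}}}
	fmt.Println("stale selector findings:", LintEgressPeers(stale, pods, ns))
}
```

With the five `ipBlock` peers from the policy above, `LintEgressPeers` returns no findings; a `podSelector` that matches no running pod is still reported, which is the case the check is actually useful for.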
