
POP-1208: False positive for cross-namespace NetworkPolicy pod selectors #567

@AKhozya


Describe the bug
Popeye reports [POP-1208] No pods match Egress/Ingress pod selector when a NetworkPolicy uses a namespaceSelector combined with a podSelector to allow traffic from/to pods in a different namespace. Popeye appears to only look for matching pods in the NetworkPolicy's own namespace, not in the target namespace specified by the namespaceSelector.

This was reported in #116 (2020) but appears to still occur in v0.21.5.

Example NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: linkwarden-network-policy
  namespace: linkwarden
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: linkwarden
  policyTypes:
    - Egress
  egress:
    # Allow access to PostgreSQL in databases namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: databases
          podSelector:
            matchLabels:
              cnpg.io/cluster: main-postgres
      ports:
        - protocol: TCP
          port: 5432

Popeye output:

· linkwarden/linkwarden-network-policy...........................................................😱
  😱 [POP-1208] No pods match Egress pod selector: cnpg.io/cluster=main-postgres in namespace: linkwarden.

The pods exist in the databases namespace:

$ kubectl get pods -n databases -l cnpg.io/cluster=main-postgres
NAME              READY   STATUS    RESTARTS   AGE
main-postgres-1   1/1     Running   0          5d
main-postgres-2   1/1     Running   0          5d

Expected behavior
When a namespaceSelector is specified alongside podSelector, Popeye should look for matching pods in the target namespace (databases), not in the NetworkPolicy's namespace (linkwarden).

Versions:

  • OS: Arch Linux
  • Popeye: v0.21.5
  • K8s: v1.35.0 (K3s)

Additional context
This affects any NetworkPolicy that allows cross-namespace traffic using the combined namespaceSelector + podSelector pattern, which is a very common pattern for:

  • Database access (apps → PostgreSQL/MySQL in databases namespace)
  • API server access (pods → kube-system components)
  • Monitoring (prometheus → app namespaces)
  • Service mesh traffic

The same issue occurs for both ingress and egress rules with cross-namespace selectors.
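To make the selector semantics behind this report concrete, the following is an added Go example; it is not Popeye's code and not from the issue author. It resolves a NetworkPolicyPeer against a small constructed cluster the way the report expects (a namespaceSelector scopes the podSelector to the matching namespaces; no namespaceSelector scopes it to the policy's own namespace), and places next to it a resolver that searches only the policy's namespace, which reproduces the false positive. The struct types, the function names (resolvePeer, naiveResolve, examplePeer and friends) and the sample namespaces and pods are all assumptions made for this example; ipBlock peers and matchExpressions are left out to keep the logic to matchLabels.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes objects, constructed for this example
// (not the real k8s.io/api types). Selectors are matchLabels only.
type Namespace struct {
	Name   string
	Labels map[string]string
}

type Pod struct {
	Name      string
	Namespace string
	Labels    map[string]string
}

// Peer mirrors the namespaceSelector/podSelector part of a NetworkPolicyPeer.
// A nil map means the selector is not set; an empty non-nil map is the "{}"
// selector that matches everything.
type Peer struct {
	NamespaceSelector map[string]string
	PodSelector       map[string]string
}

// matchLabels reports whether every key/value in selector is present in labels.
func matchLabels(labels, selector map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// candidateNamespaces applies the rule that matters for this report: without a
// namespaceSelector the peer is scoped to the policy's own namespace; with one,
// it is scoped to every namespace whose labels match the selector.
func candidateNamespaces(policyNS string, peer Peer, namespaces []Namespace) map[string]bool {
	out := map[string]bool{}
	if peer.NamespaceSelector == nil {
		out[policyNS] = true
		return out
	}
	for _, ns := range namespaces {
		if matchLabels(ns.Labels, peer.NamespaceSelector) {
			out[ns.Name] = true
		}
	}
	return out
}

// resolvePeer returns "namespace/pod" for every pod the peer selects.
func resolvePeer(policyNS string, peer Peer, namespaces []Namespace, pods []Pod) []string {
	allowed := candidateNamespaces(policyNS, peer, namespaces)
	var out []string
	for _, p := range pods {
		if !allowed[p.Namespace] {
			continue
		}
		if peer.PodSelector != nil && !matchLabels(p.Labels, peer.PodSelector) {
			continue
		}
		out = append(out, p.Namespace+"/"+p.Name)
	}
	return out
}

// naiveResolve reproduces the behaviour the report describes: the podSelector
// is evaluated only against the policy's own namespace, so a cross-namespace
// peer finds no pods and would be flagged even though the pods exist.
func naiveResolve(policyNS string, peer Peer, pods []Pod) []string {
	var out []string
	for _, p := range pods {
		if p.Namespace == policyNS && matchLabels(p.Labels, peer.PodSelector) {
			out = append(out, p.Namespace+"/"+p.Name)
		}
	}
	return out
}

// Constructed sample cluster mirroring the report: the policy lives in
// "linkwarden", the PostgreSQL pods in "databases".
func exampleNamespaces() []Namespace {
	return []Namespace{
		{Name: "linkwarden", Labels: map[string]string{"kubernetes.io/metadata.name": "linkwarden"}},
		{Name: "databases", Labels: map[string]string{"kubernetes.io/metadata.name": "databases"}},
	}
}

func examplePods() []Pod {
	return []Pod{
		{Name: "linkwarden-0", Namespace: "linkwarden", Labels: map[string]string{"app.kubernetes.io/name": "linkwarden"}},
		{Name: "main-postgres-1", Namespace: "databases", Labels: map[string]string{"cnpg.io/cluster": "main-postgres"}},
		{Name: "main-postgres-2", Namespace: "databases", Labels: map[string]string{"cnpg.io/cluster": "main-postgres"}},
	}
}

// examplePeer is the egress peer from the NetworkPolicy in the report.
func examplePeer() Peer {
	return Peer{
		NamespaceSelector: map[string]string{"kubernetes.io/metadata.name": "databases"},
		PodSelector:       map[string]string{"cnpg.io/cluster": "main-postgres"},
	}
}

func main() {
	fmt.Println("namespace-aware:", resolvePeer("linkwarden", examplePeer(), exampleNamespaces(), examplePods()))
	fmt.Println("policy-namespace only:", naiveResolve("linkwarden", examplePeer(), examplePods()))
}
```

Run as-is, the namespace-aware resolver reports the two main-postgres pods in databases while the policy-namespace-only resolver reports nothing, which is exactly the gap between the cluster state and the POP-1208 finding above. The nil-versus-empty distinction on the selector maps matters: a peer with only a namespaceSelector must select all pods in the matching namespaces, and a peer with only a podSelector must stay inside the policy's own namespace.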
