Kubernetes network policy for apiserver with linkerd

[matt-mercer]

before meshing a namespace with linkerd , I was able to use a kubernetes network policy like below, to allow egress to the api server, now that linkerd is involved , I can no longer access the api server when the network policy is in-place .. ( there are other egress rules in place to allow outbound dns and access to linkerd namespace, this is just the apiserver snippet )..

With no network policies in place, everything is fine ... but when I apply the network policies, I get a connection error ..

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-standard-egress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              "kubernetes.io/metadata.name": "default"
        - podSelector:
            matchLabels:
              component: apiserver
              provider: kubernetes

in the logs for linkerd-proxy I see

[  2228.400698s]  INFO ThreadId(01) outbound: linkerd_app_core::serve: Connection closed error=logical service kubernetes.default.svc.cluster.local:443: route default.opaq: concrete service kubernetes.default.svc.cluster.local:443: connect timed out after 1s error.sources=[route default.opaq: concrete service kubernetes.default.svc.cluster.local:443: connect timed out after 1s, concrete service kubernetes.default.svc.cluster.local:443: connect timed out after 1s, connect timed out after 1s] client.addr=172.12.204.46:41918 server.addr=10.101.0.1:443

I've also tried adding network policies for explict egress to the API server IP e.g.

    - to:
        - ipBlock:
            cidr: 10.101.0.1/32
      ports:
        - protocol: TCP
          port: 443

but no joy

I have also considered the config.linkerd.io/skip-outbound-ports: 443 ... but as a need to use an EgressNetwork on some traffic from 443 .. I'm thinking this isn't really an option

any help appreciated ..