Kubernetes CRD unable to make an API call to Kubernetes default service despite egress ipBlock rule in Network policy
10:22 28 May 2026

I have installed the CRD External secrets operator to pull secrets from AWS parameter store and use them in the kubernetes cluster. I have secured the namespace external-secrets with the following two network policies:

A default deny all network policy that only allows DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-except-dns
  namespace: external-secrets
spec:
  podSelector: {}

  policyTypes:
    - Ingress
    - Egress

  ingress: []

  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53

    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 53

A custom additive network policy for allowing ESO to intercommunicate between pods and an egress rule that allows egress traffic to all IP addresses.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy

metadata:
  name: allow-external-secrets
  namespace: external-secrets

spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/part-of: external-secrets

  policyTypes:
    - Ingress
    - Egress

  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: external-secrets

          podSelector:
            matchLabels:
              app.kubernetes.io/part-of: external-secrets

  egress:
    # Internal ESO communication
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: external-secrets

          podSelector:
            matchLabels:
              app.kubernetes.io/part-of: external-secrets

    # Kubernetes infrastructure
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system

    # AWS access
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0

      ports:
        - protocol: TCP
          port: 443

But despite this rule I still get the following error inside the ESO pods:

{"level":"error","ts":1779974730.0720608,"logger":"setup","msg":"unable to create managed secret client","error":"failed to determine if *v1.Secret is namespaced: failed to get restmapping: failed to get server groups: Get \"https://10.43.0.1:443/api\": dial tcp 10.43.0.1:443: i/o timeout","stacktrace":"github.com/external-secrets/external-secrets/cmd/controller.init.func2\n\t/home/runner/work/external-secrets/external-secrets/cmd/controller/root.go:205\ngithub.com/spf13/cobra.(*Command).execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1071\ngithub.com/external-secrets/external-secrets/cmd/controller.Execute\n\t/home/runner/work/external-secrets/external-secrets/cmd/controller/root.go:334\nmain.main\n\t/home/runner/work/external-secrets/external-secrets/main.go:27\nruntime.main\n\t/opt/hostedtoolcache/go/1.26.3/x64/src/runtime/proc.go:290"}

Doesn't the internal IP address also fall within the 0.0.0.0 range? I tried explicitly adding the IP address range 10.42.0.0/16 as an extra CIDR but that has no effect either.

So why does it fail to connect?

kubernetes kubernetes-networkpolicy
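To check the ipBlock logic of the policy offline, here is an added example (not from the question or from the External Secrets project) in Python: a small evaluator for ipBlock egress rules that matches the policy above against the ClusterIP the pod dials and against an assumed post-DNAT API server endpoint. The node IP 192.0.2.10 and port 6443 are constructed assumptions, and the upstream NetworkPolicy docs state that whether Service NAT happens before or after policy evaluation is plugin-dependent, so the post-DNAT case is modelled as an assumption rather than a guarantee.

```python
import ipaddress

# Egress rules of the "allow-external-secrets" policy from the question,
# transcribed as Python structures. The pod-selecting rules are kept only as
# placeholders: this evaluator models ipBlock peers, which is what a non-pod
# destination such as the API server endpoint is matched against.
EGRESS_RULES = [
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "external-secrets"}}}]},
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"protocol": "TCP", "port": 443}]},
]

# ASSUMED extra rule for the real API server endpoint (node IP and port are
# constructed; read yours with `kubectl get endpoints kubernetes -n default`).
API_SERVER_RULE = {"to": [{"ipBlock": {"cidr": "192.0.2.10/32"}}],
                   "ports": [{"protocol": "TCP", "port": 6443}]}

def ip_in_block(ip, block):
    """True if ip is inside block['cidr'] and outside every block['except'] entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))

def port_allowed(rule, proto, port):
    """An absent 'ports' list means any port; endPort gives an inclusive range."""
    if not rule.get("ports"):
        return True
    return any(p.get("protocol", "TCP") == proto
               and p["port"] <= port <= p.get("endPort", p["port"])
               for p in rule["ports"])

def egress_allowed(rules, ip, proto, port):
    """Does any rule's ipBlock peer plus its ports list admit this destination?"""
    return any(port_allowed(r, proto, port)
               and any("ipBlock" in peer and ip_in_block(ip, peer["ipBlock"])
                       for peer in r.get("to", []))
               for r in rules)

def diagnose(rules=EGRESS_RULES):
    # The destination the pod dials (from the error message) versus the
    # destination seen after kube-proxy has DNATed the ClusterIP (assumed).
    return {
        "clusterip_10.43.0.1:443": egress_allowed(rules, "10.43.0.1", "TCP", 443),
        "endpoint_192.0.2.10:6443": egress_allowed(rules, "192.0.2.10", "TCP", 6443),
    }
```

Running `diagnose()` shows the 0.0.0.0/0 rule does admit 10.43.0.1:443, so the address is not the problem; only a rule for the translated endpoint and its port (here the assumed `API_SERVER_RULE`) admits the post-DNAT destination.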