
NPM ingress rule blocks egress of pod #301

@mgrabarz


Is this a request for help?:

NO

Is this an ISSUE or FEATURE REQUEST? (choose one):

ISSUE

Which release version?:

containernetworking/azure-npm:v1.0.13

Which component (CNI/IPAM/CNM/CNS):

NPM

Which Operating System (Linux/Windows):

Linux

For Linux: Include Distro and kernel version using "uname -a"

standard AKS-Engine stack, affected pod runs: 16.04.1-Ubuntu SMP

Which Orchestrator and version (e.g. Kubernetes, Docker)

AKS-Engine 0.30.0

What happened:

I applied a simple NetworkPolicy rule to a pod to allow all traffic to that pod. This unfortunately blocks all egress traffic from that pod.

What you expected to happen:

Egress traffic rules should not be changed when applying an ingress rule.

How to reproduce it (as minimally and precisely as possible):

  1. Deploy the latest AKS-Engine with Azure CNI and NPM
  2. Deploy the HelloWorld Service from the following YAML: https://gist.github.com/mgrabarz/70d62eab76954f2a3b156e42df5344ea
  3. exec -- /bin/sh on the helloworld pod and wget whatever external address - that should work.
  4. Apply the following NetworkPolicy rule: https://gist.github.com/mgrabarz/348c113b579ed3536d895fb405defb3d
  5. exec -- /bin/sh on the helloworld pod and wget whatever external address - doesn't work

Anything else we need to know:

This network policy is part of a more complex ruleset, but these simple steps reproduce the problem.
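
The expectation stated in the report can be checked against the NetworkPolicy isolation rules in the Kubernetes API documentation. The following is an added example, not part of the original issue or of the Azure NPM code base, that models those rules. The policies and pod labels are constructed stand-ins (the linked gists are not reproduced on this page), and the selector helper handles `matchLabels` only.

```python
# Added example: models the per-direction isolation rules for NetworkPolicy.
# All policies and labels below are constructed, not taken from the gists.

def effective_policy_types(spec):
    """Apply the API defaulting rule for spec.policyTypes."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}            # Ingress is always implied
    if spec.get("egress"):         # Egress only if egress rules are present
        types.add("Egress")
    return types

def selects(pod_selector, pod_labels):
    """matchLabels-only selector; an empty selector selects every pod."""
    wanted = (pod_selector or {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def isolated_directions(policies, pod_namespace, pod_labels):
    """Directions in which default-deny applies to the pod."""
    directions = set()
    for p in policies:
        if p["metadata"].get("namespace", "default") != pod_namespace:
            continue               # policies are namespace-scoped
        if selects(p["spec"].get("podSelector"), pod_labels):
            directions |= effective_policy_types(p["spec"])
    return directions

# Constructed ingress-only policy: allow all inbound traffic to the pod.
ALLOW_ALL_INGRESS = {
    "metadata": {"name": "allow-all-ingress", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "helloworld"}},
             "ingress": [{}]},
}
# Constructed contrast case: this one is meant to isolate egress.
DENY_EGRESS = {
    "metadata": {"name": "deny-egress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}
POD_LABELS = {"app": "helloworld"}

if __name__ == "__main__":
    dirs = isolated_directions([ALLOW_ALL_INGRESS], "default", POD_LABELS)
    print("isolated for:", sorted(dirs))
    print("egress left unrestricted:", "Egress" not in dirs)
```

A policy engine that follows these rules leaves the pod's outbound traffic untouched until some policy selecting the pod carries `Egress` in its effective `policyTypes`.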
