IP address (CIDR) exceptions in one rule affect other rules

[pgier]

I have a use case that I want to allow DNS port 53 to any IP address, but I want to restrict all other ports to only non-private IP addresses. I have the following policy which works fine using Calico. Switching to the AWS EKS VPC CNI addon, this policy no longer works. The second rule restricts the first rule so that DNS can no longer be accessed in the private network ranges.

  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16

This behavior conflicts with the Kubernetes documentation which states that:

Network policies do not conflict; they are additive. If any policy or policies apply to a given pod for a given direction, the connections allowed in that direction from that pod is the union of what the applicable policies allow.

https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-two-sorts-of-pod-isolation

[pgier]

This is similar issue to #98. Both issues seem to be a result of policies interfering with each other which shouldn't be possible based on the Kubernetes docs.