NetworkPolicy does not take effect if NetworkPolicy name is too long. #59

Closed
@bakavets

What happened: NetworkPolicy does not take effect if NetworkPolicy name is too long.

Attach logs: N/A

What you expected to happen: NetworkPolicy should work regardless of the name length.

How to reproduce it (as minimally and precisely as possible):

apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuber
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: app
        image: nginx
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-evolution-reader-backend-evolution-reader-backend-dev
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: nginx
  egress:
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
      to:
        - podSelector:
            matchLabels:
              k8s-app: kube-dns
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
    - ports:
        - protocol: TCP
          port: 443
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
  policyTypes:
    - Egress

SSH to the pod and run the following commands inside it:

curl http://www.google.com and curl https://www.google.com

Both commands will succeed on ports 80 and 443, but the NetworkPolicy does not allow port 80.
If you change the NetworkPolicy name from allow-egress-evolution-reader-backend-evolution-reader-backend-dev to a shorter one, e.g. allow-egress, the NetworkPolicy will work and port 80 will not be allowed for egress traffic, only 443.

The network policy starts taking effect only if the name length is less than or equal to 63.

Anything else we need to know?:
The issue was noticed after migrating Calico network policy enforcement to the native network policy engine of VPC CNI.
Network policies have been working before with Calico.
Calico was used in conjunction with VPC CNI only for the Network policy engine.

Environment:

  • Kubernetes version (use kubectl version): Server Version: v1.27.7-eks-4f4795d
  • CNI Version: v1.15.4-eksbuild.1
  • OS (e.g: cat /etc/os-release):
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
  • Kernel (e.g. uname -a): Linux x86_64 GNU/Linux
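Because a policy that is silently not enforced fails open, a quick audit for the condition described in this report is useful. The following is an added example, not code from the issue or from the VPC CNI project: it reads the JSON that `kubectl get networkpolicies -A -o json` produces and reports every policy whose name exceeds 63 characters; the sample list is constructed inline from the manifest above.

```python
import json

# Length above which the report observed that the VPC CNI network-policy
# engine stopped enforcing the NetworkPolicy (63 chars or fewer worked).
MAX_ENFORCED_NAME_LEN = 63


def find_unenforced_policies(netpol_list_json: str) -> list:
    """Take the JSON of a NetworkPolicyList (as produced by
    `kubectl get networkpolicies -A -o json`) and return one record per
    policy whose metadata.name is longer than MAX_ENFORCED_NAME_LEN,
    including the policyTypes whose rules would then not be enforced."""
    obj = json.loads(netpol_list_json)
    if obj.get("kind") != "NetworkPolicyList":
        raise ValueError(f"expected NetworkPolicyList, got {obj.get('kind')!r}")
    findings = []
    for item in obj.get("items", []):
        meta = item["metadata"]
        name = meta["name"]
        if len(name) > MAX_ENFORCED_NAME_LEN:
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": name,
                "length": len(name),
                "policyTypes": item.get("spec", {}).get("policyTypes", []),
            })
    return findings


# Constructed sample: the long-named policy from the report next to the
# short-named variant the reporter says works.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "NetworkPolicyList",
    "items": [
        {"metadata": {"name": "allow-egress-evolution-reader-backend-evolution-reader-backend-dev",
                      "namespace": "dev"},
         "spec": {"podSelector": {"matchLabels": {"app": "nginx"}}, "policyTypes": ["Egress"]}},
        {"metadata": {"name": "allow-egress", "namespace": "dev"},
         "spec": {"podSelector": {"matchLabels": {"app": "nginx"}}, "policyTypes": ["Egress"]}},
    ],
})

if __name__ == "__main__":
    for f in find_unenforced_policies(SAMPLE_LIST):
        print(f"{f['namespace']}/{f['name']} ({f['length']} chars): "
              f"{','.join(f['policyTypes'])} rules may not be enforced")
```

Against a live cluster, pipe the kubectl output into `find_unenforced_policies` instead of `SAMPLE_LIST`; any finding means the workload it selects is effectively unrestricted until the policy is renamed.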
