Debugging Kubernetes Network Policies with CNI Plugin Logs
Kubernetes Network Policies control access at the packet level inside a cluster. They decide which pods may talk to which other pods, across namespaces and IP blocks. When a connection fails, the default silence makes debugging hard: without debug logging, all you see is blocked traffic with no reason attached.
Enabling debug logging for Kubernetes Network Policies starts with the CNI plugin in use. Calico, Cilium, and other CNIs each have their own logging configuration. For Calico, set LogSeverityScreen to Debug in the Felix configuration; this exposes granular details of policy enforcement. For Cilium, toggle debug mode via cilium config and inspect the agent logs. Always restart any updated pods or daemons to apply the change. Debug level is verbose, so enable it for the investigation window and revert it afterwards.
Use kubectl describe networkpolicy <policy-name> as a baseline. This command shows the spec: ingress rules, egress rules, and selectors. Compare those selectors with the actual labels on the source and destination pods (kubectl get pods --show-labels), since a selector that matches nothing is the most common reason a rule never applies. Then watch the logs from the CNI DaemonSet pods and look for entries that match the dropped connection's source and destination. The combination of policy spec and debug logging will reveal whether a label mismatch or namespace isolation is causing the denial.
When monitoring, pair debug logs with kubectl exec into affected pods and run network tests. Simple curl or netcat commands can confirm which rules are blocking traffic. Match the timestamps in your test to the CNI debug entries. This correlation is the fastest path to uncovering the cause.
If logging floods your output, filter with kubectl logs --since or pipe to grep for keywords like DROP, DENY, or source IPs. This prevents wasting time in noise-heavy logs while still keeping useful data.
After identifying the issue, update the Kubernetes Network Policy YAML with precise ingress/egress rules. Apply the changes, then re-run the network tests and verify clean allow entries in the logs. This iterative loop (enable debug logging, run targeted tests, analyze logs) is the most reliable workflow for policy debugging.
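The loop above, written out as a POSIX shell helper. This is an added example, not code from the original post or from any CNI project. The cluster-facing steps (enabling debug level, describing the policy, streaming CNI logs, applying the fix) are wrapped in functions that are never called automatically, because they need a live cluster; the namespaces, label selectors and the `calicoctl`/`cilium` invocations are assumptions about a typical install and may differ on yours. The correlation step runs offline against a constructed sample in a simplified `key=value` form; real Felix and Cilium debug lines use their own field names, so adjust the patterns to what your CNI actually emits.

```shell
#!/bin/sh
# Added example: correlate a network test with CNI debug entries.
# Cluster-facing functions below are defined but not run; call them by hand.

# --- Step 1: enable debug logging (needs a cluster) ---
enable_calico_debug() {
  # Felix screen log level; documented calicoctl patch (assumed "default" resource name).
  calicoctl patch felixconfiguration default --patch '{"spec":{"logSeverityScreen":"Debug"}}'
}
enable_cilium_debug() {
  # cilium-cli writes the "debug" key into the cilium-config ConfigMap; restart agents to apply.
  cilium config set debug true
  kubectl -n kube-system rollout restart ds/cilium
}

# --- Step 2: baseline the policy and stream CNI logs (needs a cluster) ---
show_policy()        { kubectl -n "$1" describe networkpolicy "$2"; }
# Assumed namespaces/labels for operator-installed Calico and default Cilium.
calico_logs_since()  { kubectl -n calico-system logs -l k8s-app=calico-node -c calico-node --prefix --since="$1"; }
cilium_logs_since()  { kubectl -n kube-system logs -l k8s-app=cilium --prefix --since="$1"; }

# --- Step 3/4: correlate a test window with DROP/DENY entries (runs offline) ---
# Constructed sample, simplified format: <ISO-8601 time> [DEBUG] verdict=... src=... dst=... dport=...
SAMPLE_LOGS='2024-05-01T10:00:01Z [DEBUG] verdict=ALLOW src=10.244.1.5 dst=10.244.2.7 proto=TCP dport=80 policy=allow-web
2024-05-01T10:00:05Z [DEBUG] verdict=DROP src=10.244.3.9 dst=10.244.2.7 proto=TCP dport=80 policy=no-match
2024-05-01T10:00:07Z [DEBUG] verdict=DROP src=10.244.3.9 dst=10.244.2.7 proto=TCP dport=80 policy=no-match
2024-05-01T10:00:09Z [DEBUG] verdict=DROP src=10.244.1.5 dst=10.244.2.8 proto=TCP dport=5432 policy=no-match
2024-05-01T10:00:12Z [DEBUG] verdict=ALLOW src=10.244.3.9 dst=10.244.2.7 proto=TCP dport=80 policy=allow-web'

# Count DROP/DENY lines for one source IP at or after the time your curl/nc test started.
# Usage: drops_for_source <logs> <src-ip> <since-iso-timestamp>
drops_for_source() {
  printf '%s\n' "$1" | awk -v src="src=$2 " -v since="$3" '
    $1 >= since && /verdict=(DROP|DENY)/ && index($0, src) { n++ }
    END { print n + 0 }'
}

# After applying a fix, the same flow must show ALLOW entries and no further drops.
# Usage: verify_fix <logs> <src-ip> <fix-applied-iso-timestamp>  -> prints ok | still-blocked
verify_fix() {
  drops=$(drops_for_source "$1" "$2" "$3")
  allows=$(printf '%s\n' "$1" | awk -v src="src=$2 " -v since="$3" '
    $1 >= since && /verdict=ALLOW/ && index($0, src) { n++ }
    END { print n + 0 }')
  if [ "$drops" -eq 0 ] && [ "$allows" -gt 0 ]; then echo ok; else echo still-blocked; fi
}

# --- Step 5: a precise ingress rule (constructed namespace and labels) ---
# Writes the policy to the file given as $1; apply with: kubectl apply -f <file>
write_policy() {
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 80
EOF
}

# Offline demo: DEMO=1 sh thisfile.sh prints the counts for the constructed sample.
if [ "${DEMO:-0}" = 1 ]; then
  drops_for_source "$SAMPLE_LOGS" 10.244.3.9 2024-05-01T10:00:00Z   # 2
  verify_fix "$SAMPLE_LOGS" 10.244.3.9 2024-05-01T10:00:10Z          # ok
fi
```

In practice you would capture the timestamp just before running curl or nc from the affected pod, pipe `calico_logs_since` or `cilium_logs_since` output into `drops_for_source` with that timestamp, and call `verify_fix` with the time the corrected policy was applied; a result of `still-blocked` means either the selector still does not match or a second policy is denying the flow.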
Access control in Kubernetes is critical. Debug logging turns it from a blind barrier into a transparent, traceable system. It strengthens security by confirming exactly what is enforced.
See this process in action with live Kubernetes Network Policies debug logging and access control at hoop.dev—spin it up in minutes and watch every packet's fate.