Kubernetes Network Policy Misconfigurations Can Freeze Your Linux Terminal

The cursor freezes. You type kubectl exec into the Linux terminal, but the output hangs for seconds that feel like minutes. The network policy you deployed yesterday is the suspect. Kubernetes Network Policies control the flow of traffic between pods, but a misapplied rule can lock down your cluster in ways you never intended.

This isn’t an abstract issue. A recent Linux terminal bug, triggered during live debugging sessions in restricted namespaces, blocks command output when egress traffic is denied. The pod responds, but the terminal never receives the data. Engineers report that this happens when network policies enforce deny-all defaults without allowing DNS or API calls.

Kubernetes Network Policies use labels to select pods and rules to permit traffic. In clusters with Calico, Cilium, or Kube-router, these rules get compiled into low-level packet filters. If you misconfigure them, standard CLI tools stop working, especially during kubectl exec, kubectl logs, or remote port-forward sessions. On Linux terminals, the effect looks like a stalled connection. TCP sessions fail quietly after SYN packets are dropped, and UDP-based workflows, like DNS lookups, fail instantly.

To confirm the cause, run:

kubectl get networkpolicies -A
kubectl describe networkpolicy <policy-name>

Check whether the egress rules block traffic to cluster services or to your terminal host. If DNS is missing, add:

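egress:
- to:
  # kube-dns pods in any namespace
  - namespaceSelector: {}
    podSelector:
      matchLabels:
        k8s-app: kube-dns
  # ports belongs to the egress rule, next to "to", not inside the peer
  ports:
  - protocol: UDP
    port: 53
  # DNS falls back to TCP when a response does not fit in a UDP datagram
  - protocol: TCP
    port: 53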

Reload the policy and test again. In most cases, fixing the egress rules restores terminal interactivity. Log output streams resume. Port-forwards work. Exec calls respond immediately.
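An added example, not from the original post: a Python check over the JSON form of the listing above (kubectl get networkpolicies -A -o json) that flags policies which isolate egress without permitting UDP port 53. The sample policies, their names and the function names are constructed for illustration; policies are additive, so a flagged policy may still be covered by another policy selecting the same pods.

```python
import json
# Constructed sample shaped like `kubectl get networkpolicies -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "dev", "name": "default-deny"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"metadata": {"namespace": "dev", "name": "api-only"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"ports": [{"protocol": "TCP", "port": 443}]}]}},
 {"metadata": {"namespace": "dev", "name": "allow-dns"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"namespaceSelector": {}}],
                       "ports": [{"protocol": "UDP", "port": 53}]}]}}
]}""")

def rule_allows_udp53(rule):
    """True if one egress rule permits UDP/53 (named ports are not resolved)."""
    ports = rule.get("ports")
    if not ports:                       # no ports listed: all ports allowed
        return True
    for p in ports:
        if p.get("protocol", "TCP") != "UDP":   # protocol defaults to TCP
            continue
        port = p.get("port")
        if port is None:                # protocol only: every UDP port
            return True
        if isinstance(port, int) and port <= 53 <= p.get("endPort", port):
            return True
    return False

def restricts_egress(spec):
    """Egress applies if listed, or if rules exist when policyTypes is absent."""
    types = spec.get("policyTypes")
    return bool(spec.get("egress")) if types is None else "Egress" in types

def policies_without_dns(doc):
    """Return (namespace, name) of egress-isolating policies lacking UDP/53."""
    flagged = []
    for pol in doc.get("items", [doc]):     # accept a List or a single policy
        spec = pol.get("spec", {})
        rules = spec.get("egress") or []
        if restricts_egress(spec) and not any(map(rule_allows_udp53, rules)):
            flagged.append((pol["metadata"].get("namespace", "default"),
                            pol["metadata"]["name"]))
    return flagged

if __name__ == "__main__":
    for ns, name in policies_without_dns(SAMPLE):
        print(f"{ns}/{name}: isolates egress but does not allow UDP/53")
```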

This bug lives at the intersection of Kubernetes Network Policy enforcement and how Linux terminals handle blocked streams. It is not a core Kubernetes defect, but a side effect of aggressive rule sets combined with the CLI workflow most engineers depend on. The fastest way to avoid it: set explicit allow rules for system services and developer tools before applying broad deny policies.
