Kubernetes NetworkPolicy does not work as expected

3/27/2019

I am fairly new to networkpolicies on Calico. I have created the following NetworkPolicy on my cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginxnp-po
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: nginxnp
  policyTypes:
    - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          acces: frontend
    ports: 
      - port: 80

This is how I read it: All pods that have the selector run=nginxnp are only accessible on port 80 from every pod that has the selector access=frontend.

Here is my nginx pod (with a running nginx in it):

$ kubectl get pods -l run=nginxnp
NAME                      READY   STATUS    RESTARTS   AGE
nginxnp-9b49f4b8d-tkz6q   1/1     Running   0          36h

I created a busybox container like this:

$ kubectl run busybox --image=busybox --restart=Never --labels=access=frontend -- sleep 3600

I can see that it matches the selector access=frontend:

$ kubectl get pods -l access=frontend
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          6m30s

However, when I exec into the busybox pod and try to wget the nginx pod, the connection is still refused.

I also tried setting an egress rule that allows the traffic the other way round, but this didn't do anything either. As I understood networkpolicies: When no rule is set, nothing is blocked. Hence, when I set no egress rule, egress should not be blocked.

If I delete the networkpolicy it works. Any pointers are highly appreciated.

-- stiller_leser
kubernetes
kubernetes-networkpolicy
nginx

1 Answer

4/1/2019

There is a typo in the NetworkPolicy template: acces: frontend should be access: frontend.

  ingress:
  - from:
    - podSelector:
        matchLabels:
          acces: frontend
-- Diego Mendes
Source: StackOverflow
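
A lint for the mistake identified in the answer above, as an added example that is not part of the original question or answer: it flags NetworkPolicy selectors that match no pod and suggests a near-miss label key. The policy and pod data are constructed from the question's output in the shape of kubectl get -o json; lint_policy and matches are hypothetical helper names, and only matchLabels (not matchExpressions) on same-namespace podSelector peers is handled.

```python
import difflib

# Constructed sample data mirroring the question (shape of `kubectl get ... -o json`).
POLICY = {
    "metadata": {"name": "nginxnp-po", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginxnp"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"acces": "frontend"}}}],
            "ports": [{"port": 80}],
        }],
    },
}
PODS = [  # pods in the policy's namespace, with their labels
    {"name": "nginxnp-9b49f4b8d-tkz6q", "labels": {"run": "nginxnp"}},
    {"name": "busybox", "labels": {"access": "frontend"}},
]

def matches(selector, labels):
    """matchLabels semantics: every key/value pair must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def lint_policy(policy, pods):
    """Return findings for selectors in the policy that select no pod at all."""
    findings = []
    known_keys = sorted({k for p in pods for k in p["labels"]})

    def check(where, selector):
        if any(matches(selector, p["labels"]) for p in pods):
            return
        hints = []
        for key in selector.get("matchLabels", {}):
            if key not in known_keys:
                near = difflib.get_close_matches(key, known_keys, n=1, cutoff=0.8)
                if near:
                    hints.append(f"label key '{key}' is unused; did you mean '{near[0]}'?")
        findings.append({"where": where, "selector": selector, "hints": hints})

    check("spec.podSelector", policy["spec"].get("podSelector", {}))
    for i, rule in enumerate(policy["spec"].get("ingress", [])):
        for j, peer in enumerate(rule.get("from", [])):
            if "podSelector" in peer and "namespaceSelector" not in peer:
                check(f"spec.ingress[{i}].from[{j}].podSelector", peer["podSelector"])
    return findings

if __name__ == "__main__":
    for f in lint_policy(POLICY, PODS):
        print(f["where"], f["selector"], *f["hints"], sep="\n  ")
```

An ingress peer that selects nothing fails closed, so the symptom is blocked traffic rather than an error from the API server, which accepts any label key.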