diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
index 43af0cc7..5c138f31 100644
--- a/pkg/netpol/eval/check.go
+++ b/pkg/netpol/eval/check.go
@@ -618,9 +618,10 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool)
 }
 }
 }
- if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all
- res.AllowedConns = common.MakeConnectionSet(true)
- res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
- }
+ // if banp rules didn't capture xgress conn between src and dst, return system-default: allow-all;
+ // if banp rule captured xgress conn, only DeniedConns should be impacted by banp rule,
+ // whenever AllowedConns should anyway be system-default: allow-all
+ res.AllowedConns = common.MakeConnectionSet(true)
+ res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
 return res, nil
 }
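Review bot: The now-unconditional `res.AllowedConns = common.MakeConnectionSet(true)` overwrites whatever the BANP loop above may have placed in AllowedConns, including any implying rules attached to it, so a connection captured by a BANP Allow rule would be explained as `systemDefaultRule` rather than by the rule that actually matched; whether the loop writes AllowedConns is not visible in this hunk, so this should be confirmed against the loop body. After this change AllowedConns is allow-all even when a BANP Deny captured the connection, so any consumer that reads AllowedConns without also consulting DeniedConns would see the deny as an allow; the comment should state that DeniedConns must be subtracted by the caller, or point to where that is documented. The third comment line also reads oddly: `// whenever AllowedConns should anyway be system-default: allow-all` would be clearer as `// whereas AllowedConns is always the system default (allow-all), regardless of whether a BANP rule captured the connection`. getXgressDefaultConns begins outside the hunk.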