--- title: Network policy is not targeting any pod description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Network policy is not targeting any pod --- # Network policy is not targeting any pod {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-kubernetes-network-policy-is-not-targeting-any-pod` **Provider:** Kubernetes **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels) ### Description{% #description %} Checks whether any `kubernetes_network_policy` does not target any pod. Validates that `spec.pod_selector.match_labels` contains concrete label key/value pairs that match at least one pod's `metadata.labels` and not unresolved references like `kubernetes_.`. If no pod matches the selector or the label value appears to be a reference, the rule reports an `IncorrectValue` issue. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "kubernetes_network_policy" "example2" { metadata { name = "terraform-example-network-policy" namespace = "default" } spec { pod_selector { match_expressions { key = "name" operator = "In" values = ["webfront", "api"] } match_labels = { app = "ngnix2" } } ingress { ports { port = "http" protocol = "TCP" } ports { port = "8125" protocol = "UDP" } from { namespace_selector { match_labels = { name = "default" } } } from { ip_block { cidr = "10.0.0.0/8" except = [ "10.0.0.0/24", "10.0.1.0/24", ] } } } egress {} # single empty rule to allow all egress traffic policy_types = ["Ingress", "Egress"] } } resource "kubernetes_pod" "test2" { metadata { name = "terraform-example" labels = { app = "ngnix2" } } spec { container { image = "nginx:1.7.9" name = "example" env { name = "environment" value = "test" } port { container_port = 8080 } liveness_probe { http_get { path = "/nginx_status" port = 80 http_header { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } resource "kubernetes_network_policy" "example222" { metadata { name = "terraform-example-network-policy" namespace = "default" } spec { pod_selector { match_expressions { key = "name" operator = "In" values = ["webfront", "api"] } match_labels = { app = "kubernetes_pod.test2.metadata.0.labels.app" } } ingress { ports { port = "http" protocol = "TCP" } ports { port = "8125" protocol = "UDP" } from { namespace_selector { match_labels = { name = "default" } } } from { ip_block { cidr = "10.0.0.0/8" except = [ "10.0.0.0/24", "10.0.1.0/24", ] } } } egress {} # single empty rule to allow all egress traffic policy_types = ["Ingress", "Egress"] } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "kubernetes_network_policy" "example" { metadata { name = "terraform-example-network-policy" namespace = "default" } spec { pod_selector { match_expressions { key = "name" operator = "In" values = ["webfront", "api"] } match_labels = { app = "ngnix" } } ingress { ports { port = "http" protocol = "TCP" } ports { port = "8125" protocol = "UDP" } from { namespace_selector { match_labels = { name = "default" } } } from { ip_block { cidr = "10.0.0.0/8" except = [ "10.0.0.0/24", "10.0.1.0/24", ] } } } egress {} # single empty rule to allow all egress traffic policy_types = ["Ingress", "Egress"] } } ```