Checks whether any kubernetes_network_policy targets no pod. Validates that spec.pod_selector.match_labels contains concrete label key/value pairs that match at least one pod's metadata.labels, rather than unresolved references such as kubernetes_<resource>.<name>. If no pod matches the selector, or a label value appears to be a reference, the rule reports an IncorrectValue issue. A network policy whose selector matches no pod applies to nothing, so the isolation it was meant to enforce never takes effect.
Compliant Code Examples
resource "kubernetes_network_policy" "example2" {
  metadata {
    name      = "terraform-example-network-policy"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_expressions {
        key      = "name"
        operator = "In"
        values   = ["webfront", "api"]
      }
      match_labels = {
        app = "ngnix2" # concrete value, matches the labels of kubernetes_pod.test2 below
      }
    }

    ingress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      from {
        namespace_selector {
          match_labels = {
            name = "default"
          }
        }
      }
      from {
        ip_block {
          cidr = "10.0.0.0/8"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    egress {} # single empty rule to allow all egress traffic

    policy_types = ["Ingress", "Egress"]
  }
}

resource "kubernetes_pod" "test2" {
  metadata {
    name = "terraform-example"
    labels = {
      app = "ngnix2"
    }
  }

  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}

resource "kubernetes_network_policy" "example222" {
  metadata {
    name      = "terraform-example-network-policy"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_expressions {
        key      = "name"
        operator = "In"
        values   = ["webfront", "api"]
      }
      match_labels = {
        app = "kubernetes_pod.test2.metadata.0.labels.app" # resolves to the label of an existing pod
      }
    }

    ingress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      from {
        namespace_selector {
          match_labels = {
            name = "default"
          }
        }
      }
      from {
        ip_block {
          cidr = "10.0.0.0/8"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    egress {} # single empty rule to allow all egress traffic

    policy_types = ["Ingress", "Egress"]
  }
}
Non-Compliant Code Examples
resource "kubernetes_network_policy" "example" {
  metadata {
    name      = "terraform-example-network-policy"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_expressions {
        key      = "name"
        operator = "In"
        values   = ["webfront", "api"]
      }
      match_labels = {
        app = "ngnix" # no kubernetes_pod in the configuration carries app = "ngnix"
      }
    }

    ingress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      from {
        namespace_selector {
          match_labels = {
            name = "default"
          }
        }
      }
      from {
        ip_block {
          cidr = "10.0.0.0/8"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    egress {} # single empty rule to allow all egress traffic

    policy_types = ["Ingress", "Egress"]
  }
}
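The following checker is an added example, not Datadog's rule implementation, that reproduces the logic described above over the page's own examples. The pod and policy tables are hand-built dicts standing in for parsed .tf resources (a real scanner would obtain them from the HCL); the treatment of a kubernetes_pod.<name>.metadata.0.labels.<key> address as resolvable when that pod exists, and reportable when it does not, is an assumption made to agree with both the rule text and the compliant example222.

```python
import re

# Constructed inputs modelled on the page's examples (not parsed from real HCL).
# PODS maps a kubernetes_pod resource name to its metadata.labels.
PODS = {
    "test2": {"app": "ngnix2"},
}

# NETWORK_POLICIES maps a kubernetes_network_policy resource name to its
# spec.pod_selector.match_labels.
NETWORK_POLICIES = {
    "example":    {"app": "ngnix"},    # no pod carries app=ngnix -> IncorrectValue
    "example2":   {"app": "ngnix2"},   # concrete value matching pod test2 -> compliant
    "example222": {"app": "kubernetes_pod.test2.metadata.0.labels.app"},   # resolvable reference
    "orphan":     {"app": "kubernetes_pod.missing.metadata.0.labels.app"}, # hypothetical unresolved reference
}

# Terraform address of a pod label, e.g. kubernetes_pod.test2.metadata.0.labels.app
POD_LABEL_REF = re.compile(
    r"^kubernetes_pod\.(?P<res>[\w-]+)\.metadata\.0\.labels\.(?P<key>[\w.-]+)$"
)
# Any other value shaped like a kubernetes_<resource>.<name>... address
ANY_REF = re.compile(r"^kubernetes_[a-z_]+\.[\w-]+\.")


def resolve_label(value, pods):
    """Return the concrete label value, or None when the value is a reference
    that cannot be resolved against a known pod."""
    m = POD_LABEL_REF.match(value)
    if m:
        return pods.get(m.group("res"), {}).get(m.group("key"))
    if ANY_REF.match(value):
        return None
    return value


def check_policy(name, match_labels, pods):
    """Return a list of (issue, detail) tuples for one kubernetes_network_policy."""
    # Kubernetes semantics: an empty pod_selector selects every pod in the
    # namespace, so it is never a no-op and is not reported here.
    if not match_labels:
        return []

    findings = []
    resolved = {}
    for key, value in match_labels.items():
        concrete = resolve_label(value, pods)
        if concrete is None:
            findings.append((
                "IncorrectValue",
                f"{name}: spec.pod_selector.match_labels.{key} = {value!r} "
                "looks like a reference but resolves to no pod label",
            ))
        else:
            resolved[key] = concrete

    # Only test pod matching when every label value is concrete.
    if not findings:
        selected = any(
            all(labels.get(k) == v for k, v in resolved.items())
            for labels in pods.values()
        )
        if not selected:
            findings.append((
                "IncorrectValue",
                f"{name}: spec.pod_selector.match_labels {resolved} matches no kubernetes_pod",
            ))
    return findings


def scan(policies, pods):
    """Run check_policy over every policy; compliant policies map to an empty list."""
    return {name: check_policy(name, sel, pods) for name, sel in policies.items()}


if __name__ == "__main__":
    for policy, findings in scan(NETWORK_POLICIES, PODS).items():
        print(policy, "OK" if not findings else "; ".join(d for _, d in findings))
```

One caveat the rule text does not cover: in Kubernetes, match_expressions are ANDed with match_labels, so a selector such as `name In [webfront, api]` further narrows which pods a policy applies to. The rule as described, and this example, look only at match_labels; a policy that passes this check can still select nothing once its match_expressions are taken into account.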
rulesets:
  - Terraform / Kubernetes # Rules to enforce / Kubernetes.