Thanks for all your ongoing help. I am also a bit unsure at this point.
I gave this a try today. I deleted my Kubernetes network policy and replaced it with a Calico network policy:
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: base-allow
  namespace: vault
spec:
  ingress:
    - action: Allow
      source:
        namespaceSelector: "kubernetes.io/metadata.name in {'vault', 'istio-system', 'monitoring', 'kube-system', 'test'}"
  selector: "all()"
  types:
    - Ingress
  egress: []
I tried explicitly allowing the egress to see if that would make any difference, then recreated the test pod.
In my Calico pod logs, I can see the test pod gets spun up with no errors:
calico-node-xbs4g calico-node 2023-06-01 12:28:52.932 [INFO][75] felix/endpoint_mgr.go 481: Re-evaluated workload endpoint status adminUp=true failed=false known=true operUp=true status="up" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"test/test-pod-for-vault", EndpointId:"eth0"}
calico-node-xbs4g calico-node 2023-06-01 12:28:52.932 [INFO][75] felix/status_combiner.go 58: Storing endpoint status update ipVersion=0x4 status="up" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"test/test-pod-for-vault", EndpointId:"eth0"}
calico-node-xbs4g calico-node 2023-06-01 12:28:52.933 [INFO][75] felix/status_combiner.go 81: Endpoint up for at least one IP version id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"test/test-pod-for-vault", EndpointId:"eth0"} ipVersion=0x4 status="up"
I don't see anything regarding the web hook here.
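For comparison, this is what a Calico policy that explicitly governs egress looks like; it is an added example, not the policy from the post above, and it assumes the same `vault` namespace and namespace set (note that with `types` listing only `Ingress`, the policy does not control egress at all, and an empty `egress: []` list is therefore never evaluated):

```yaml
# Added example: a Calico v3 NetworkPolicy that explicitly allows both
# directions. Listing Egress under `types` is what makes the egress rules
# take effect; with only Ingress listed, egress is left to other policies
# or the default (allow). Namespace names are assumed from the post.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: base-allow
  namespace: vault
spec:
  selector: "all()"
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      source:
        namespaceSelector: "kubernetes.io/metadata.name in {'vault', 'istio-system', 'monitoring', 'kube-system', 'test'}"
  egress:
    # Broad allow used only to rule egress in or out as the cause while
    # troubleshooting; narrow to the destinations actually needed
    # (e.g. DNS, the API server, the webhook service) once confirmed.
    - action: Allow
```

Apply with `calicoctl apply -f` (or the Calico API server via `kubectl`), then re-check `felix` logs and `calicoctl get networkpolicy -n vault -o yaml` to confirm both types are active.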