POP-1700: possible false positive (no cilium endpoints matched selector) #563

@sycured

Describe the bug
Popeye is reporting errors and it's impossible to understand why… The cnp is ok, also when looking at the network policy editor (https://editor.networkpolicy.io/?id=C3ltFryd27l4BPrv)

· valkey/valkey..................................................................................💥
  💥 [POP-1700] No cilium endpoints matched ingress selector.
  💥 [POP-1700] No cilium endpoints matched egress selector.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy Valkey helm chart and cilium network policy using the yaml
  2. Run popeye: popeye -n valkey -s cnp
  3. See error

Expected behavior
No error

Versions

  • OS: macOS 15.7.2
  • Popeye 0.22.1 (Commit: 35b5549)
  • K8s 1.34.2
  • Cilium 1.18.4

Additional context
Deploy Valkey and CNP

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: valkey
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: "https://valkey.io/valkey-helm"
    targetRevision: 0.8.1
    chart: valkey
    helm:
      parameters:
        - name: "global.imagePullSecrets[0].name"
          value: "dockerhub"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: valkey
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
---
apiVersion: v1
data:
  .dockerconfigjson: xxxx
kind: Secret
metadata:
  name: dockerhub
  namespace: valkey
type: kubernetes.io/dockerconfigjson
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: "valkey"
  namespace: valkey
spec:
  description: "Policy for valkey"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: valkey
  ingress:
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: outline
            io.kubernetes.pod.namespace: outline
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            k8s-app: kube-dns
            io.kubernetes.pod.namespace: kube-system
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"

Cilium endpoints
Valkey

apiVersion: cilium.io/v2
kind: CiliumEndpoint
metadata:
  creationTimestamp: "2025-12-09T04:29:42Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: valkey
    app.kubernetes.io/name: valkey
    checksum/initconfig: 80ea163c40313a5216bbd23457401faa
    pod-template-hash: 55b48897d4
  name: valkey-55b48897d4-8ndth
  namespace: valkey
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: valkey-55b48897d4-8ndth
    uid: f66553bd-78e9-4e94-b25c-41ec587b1145
  resourceVersion: "527203451"
  uid: 226142c0-2bc6-486a-8388-687d26b6f003
status:
  encryption: {}
  external-identifiers:
    cni-attachment-id: a0d6e0d94bf392c7f577232ae481e84feafd31dab4d7f5828f2b0d32782a7edd:eth0
    container-id: a0d6e0d94bf392c7f577232ae481e84feafd31dab4d7f5828f2b0d32782a7edd
    k8s-namespace: valkey
    k8s-pod-name: valkey-55b48897d4-8ndth
    pod-name: valkey/valkey-55b48897d4-8ndth
  id: 521
  identity:
    id: 13517
    labels:
    - k8s:app.kubernetes.io/instance=valkey
    - k8s:app.kubernetes.io/name=valkey
    - k8s:checksum/initconfig=80ea163c40313a5216bbd23457401faa
    - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=valkey
    - k8s:io.cilium.k8s.policy.cluster=default
    - k8s:io.cilium.k8s.policy.serviceaccount=valkey
    - k8s:io.kubernetes.pod.namespace=valkey
  named-ports:
  - name: tcp
    port: 6379
    protocol: TCP
  networking:
    addressing:
    - ipv4: 10.43.0.23
    node: 100.117.71.53
  state: ready

Outline

apiVersion: cilium.io/v2
kind: CiliumEndpoint
metadata:
  creationTimestamp: "2025-12-09T04:37:11Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: outline
    app.kubernetes.io/version: 0.84.0
    helm.sh/chart: outline-0.3.5
    pod-template-hash: 84b5875cbd
  name: outline-84b5875cbd-hxsl9
  namespace: outline
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: outline-84b5875cbd-hxsl9
    uid: 65388e59-972e-4070-b831-685f47a3eb45
  resourceVersion: "527207758"
  uid: 66741ca5-839e-4c0a-b50f-ff7ea37fa968
status:
  encryption: {}
  external-identifiers:
    cni-attachment-id: 05fc1d8e999161e3891c36bb8b7ad0d027d9401920571d5427ba8a8e782dc667:eth0
    container-id: 05fc1d8e999161e3891c36bb8b7ad0d027d9401920571d5427ba8a8e782dc667
    k8s-namespace: outline
    k8s-pod-name: outline-84b5875cbd-hxsl9
    pod-name: outline/outline-84b5875cbd-hxsl9
  id: 3854
  identity:
    id: 7917
    labels:
    - k8s:app.kubernetes.io/instance=outline
    - k8s:app.kubernetes.io/managed-by=Helm
    - k8s:app.kubernetes.io/name=outline
    - k8s:app.kubernetes.io/version=0.84.0
    - k8s:helm.sh/chart=outline-0.3.5
    - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=outline
    - k8s:io.cilium.k8s.policy.cluster=default
    - k8s:io.cilium.k8s.policy.serviceaccount=outline
    - k8s:io.kubernetes.pod.namespace=outline
  named-ports:
  - name: http
    port: 3000
    protocol: TCP
  networking:
    addressing:
    - ipv4: 10.43.0.134
    node: 100.117.71.53
  state: ready

Coredns

apiVersion: cilium.io/v2
kind: CiliumEndpoint
metadata:
  creationTimestamp: "2025-11-24T23:35:21Z"
  generation: 1
  labels:
    k8s-app: kube-dns
    pod-template-hash: 6dfd5df764
  name: coredns-6dfd5df764-d26w5
  namespace: kube-system
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: coredns-6dfd5df764-d26w5
    uid: e651d5db-48ce-4ca0-a614-cd1b28ce3965
  resourceVersion: "515855294"
  uid: b579d46b-d603-4db6-8102-a11543a22ff1
status:
  encryption: {}
  external-identifiers:
    cni-attachment-id: d2e6f79c4633a01484cb8c31fd04fbc73e060f993e3328e839d5806eea2b8108:eth0
    container-id: d2e6f79c4633a01484cb8c31fd04fbc73e060f993e3328e839d5806eea2b8108
    k8s-namespace: kube-system
    k8s-pod-name: coredns-6dfd5df764-d26w5
    pod-name: kube-system/coredns-6dfd5df764-d26w5
  id: 442
  identity:
    id: 5336
    labels:
    - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system
    - k8s:io.cilium.k8s.policy.cluster=default
    - k8s:io.cilium.k8s.policy.serviceaccount=coredns
    - k8s:io.kubernetes.pod.namespace=kube-system
    - k8s:k8s-app=kube-dns
  named-ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
  - name: metrics
    port: 9153
    protocol: TCP
  networking:
    addressing:
    - ipv4: 10.43.3.150
    node: 100.104.168.48
  state: ready
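
A check of the policy's two peer selectors against the Outline and Coredns endpoints posted above, as an added example that is not part of the original report and is not Popeye's code. It evaluates `matchLabels` once against `metadata.labels` and once against `status.identity.labels` with the `k8s:` prefix stripped; the label sets are trimmed to the keys the selectors reference, and the type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

type endpoint struct {
	name     string
	meta     map[string]string // metadata.labels
	identity []string          // status.identity.labels, "k8s:key=value"
}
// Constructed from the Outline and Coredns endpoints in the report, trimmed to relevant labels.
var endpoints = []endpoint{
	{"outline", map[string]string{"app.kubernetes.io/name": "outline"},
		[]string{"k8s:app.kubernetes.io/name=outline", "k8s:io.kubernetes.pod.namespace=outline"}},
	{"coredns", map[string]string{"k8s-app": "kube-dns"},
		[]string{"k8s:k8s-app=kube-dns", "k8s:io.kubernetes.pod.namespace=kube-system"}},
}
// fromEndpoints / toEndpoints matchLabels from the valkey CiliumNetworkPolicy.
var ingressSel = map[string]string{"app.kubernetes.io/name": "outline", "io.kubernetes.pod.namespace": "outline"}
var egressSel = map[string]string{"k8s-app": "kube-dns", "io.kubernetes.pod.namespace": "kube-system"}

// matched returns the endpoints whose chosen label set satisfies every matchLabels pair.
func matched(sel map[string]string, useIdentity bool) []string {
	var names []string
	for _, ep := range endpoints {
		labels := ep.meta
		if useIdentity { // parse "k8s:key=value" entries into a map
			labels = map[string]string{}
			for _, l := range ep.identity {
				k, v, _ := strings.Cut(strings.TrimPrefix(l, "k8s:"), "=")
				labels[k] = v
			}
		}
		hit := true
		for k, want := range sel {
			got, found := labels[k]
			hit = hit && found && got == want
		}
		if hit {
			names = append(names, ep.name)
		}
	}
	return names
}

func main() {
	fmt.Println(matched(ingressSel, false), matched(ingressSel, true), matched(egressSel, false), matched(egressSel, true))
}
```

On the data in this report each selector matches exactly one endpoint when compared with the identity labels and none when compared with `metadata.labels`, because `io.kubernetes.pod.namespace` appears only in the identity list.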
