Why isn't my NetworkPolicy blocking Prometheus?

[mlbiam]

I have a ServiceMonitor in place. Works great. I added the following to the namespace that has the Pods being monitored:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-ingress
  namespace: XXXXX
spec:
  podSelector: {}
  policyTypes:
    - Ingress
status: {}

When I try to access the metrics endpoint from any Pod in the cluster, the connection times out as expected, EXCEPT the prometheus Pods are still able to scrape metrics and I can't figure out why. There's no NetworkPolicy allowing prometheus to hit those pods. What am I missing? Kubernetes is AKS using the Calico CNI.

[timaebi]

I ran into the same issue. After restarting prometheus the network policies were properly applied. What I imagine is that prometheus keeps connections open and the network policy might only apply to new connections. This is just a guess...