How is external network traffic managed in JupyterHub?

What I want to do is block external egress traffic except to a few pods/services within the cluster (this cluster has several applications running).

My current level of understanding:
Any communication between the user server and the hub passes via the proxy, and any communication between the user server and the external internet or other pods/services within the cluster happens directly (without intervention from the proxy or hub).
So to block any traffic I should apply a netpol to the user server.

Do correct me if I am wrong.

A key understanding is critical: netpols block all egress/ingress traffic respectively when they apply to a pod, and then traffic is allowed by all other things netpol does. So, you should apply netpols and not allow what you don’t want allowed.

See singleuser.networkPolicy.egressAllowRules in the z2jh configuration reference on the z2jh.jupyter.org site.

The user server/hub communication is straight, without the proxy; a netpol rule allows it.

I think the thing you control is the establishment of connections, inbound (ingress) and outbound (egress). Inbound connections (HTTP traffic) go via the proxy to the user server, but outbound doesn't: it can go straight from the k8s node or via a NAT to the external internet, for example, or straight from the pod networking to k8s local IPs if it's allowed (it isn't for user servers by default).
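
The setup discussed in this thread, written out as Helm values for the z2jh chart. This is an added example, not configuration posted by anyone in the thread. The namespace name, pod label and port in the extra egress rule are hypothetical placeholders for the in-cluster service the user servers should still reach.

```yaml
# Added example: values for the z2jh Helm chart (passed with --values).
singleuser:
  networkPolicy:
    # The NetworkPolicy for user server pods must be enabled for any of
    # the settings below to have an effect.
    enabled: true
    egressAllowRules:
      # Do not allow connections from user servers to public (non-private)
      # IP ranges, i.e. the external internet.
      nonPrivateIPs: false
      # Do not allow blanket access to private IP ranges, which include
      # other pods and services in the cluster.
      privateIPs: false
      # Do not allow access to the cloud provider's metadata server.
      cloudMetadataServer: false
      # Leave DNS reachable, otherwise name resolution fails in user pods
      # and the allowed service below cannot be looked up by name.
      dnsPortsPrivateIPs: true
    # Additional egress rules in standard Kubernetes NetworkPolicy syntax.
    # Only what is listed here (plus the chart's own rules, such as the one
    # for user server to hub traffic) remains allowed.
    egress:
      - to:
          # namespaceSelector and podSelector in the same list item are
          # ANDed: pods with this label, in this namespace only.
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: data-services  # hypothetical namespace
            podSelector:
              matchLabels:
                app: internal-api  # hypothetical pod label
        ports:
          - protocol: TCP
            port: 8080  # hypothetical port
```

After upgrading the release, `kubectl describe networkpolicy singleuser -n <namespace>` shows the rendered egress rules; NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them.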