Skip to content

Network Policies

NetworkPolicy controls pod-to-pod traffic at Layer 3 and Layer 4.

By default, many clusters allow broad lateral traffic. NetworkPolicy lets you move to explicit allow rules.

Prerequisite

Your CNI must implement NetworkPolicy. If it does not, policy objects may apply successfully but have no effect.

Trust model

graph LR
    subgraph payments namespace
        API[api pod]
        DB[db pod]
    end
    subgraph monitoring namespace
        PROM[prometheus pod]
    end
    subgraph frontend namespace
        WEB[web pod]
    end

    WEB -->|allowed: 8080| API
    PROM -->|allowed: 9090| API
    API -->|allowed: 5432| DB
    WEB -. blocked .-> DB

Define your trust boundaries per namespace first. Then build allow rules to match.

Default-deny foundation

Start sensitive namespaces with default-deny, then add explicit allow rules.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Allow app-to-app ingress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080

Cross-namespace allow

Use namespaceSelector when source pods live in another namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring-scrape
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 9090

Egress and DNS

When egress restrictions are enabled, allow DNS explicitly or service discovery will break.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

IP block rules

Use ipBlock to control traffic to or from external IP ranges. This is useful for allowing access from a corporate network or blocking cloud metadata endpoints.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
            except:
              - 203.0.113.10/32
      ports:
        - protocol: TCP
          port: 443

except lets you exclude specific IPs within a broader allowed range.

Troubleshooting

kubectl get netpol -A
kubectl describe netpol allow-web-to-api -n payments
kubectl get pods -A --show-labels

Also validate policy behavior with test pods and explicit connectivity checks (curl, nc, or purpose-built policy tests).

Design guidance

  • define namespace trust boundaries first
  • apply default-deny early in new namespaces
  • make allow rules specific by label and port
  • keep policy manifests version-controlled and reviewed

Summary

NetworkPolicy is a core Kubernetes security control for lateral movement reduction. It should be standard in production clusters, especially in multi-team environments.