What are Kubernetes Network Policies?
Category: Kubernetes
Short answer
Kubernetes Network Policies are firewall rules for Pods. They control ingress and egress traffic to and from the Pods they select, based on Pod selectors, namespace selectors, and IP blocks, enabling zero-trust network segmentation.
How it works
By default, all Pods in a cluster can communicate freely. A Network Policy restricts this by defining allow rules: once a Pod is selected by a policy, traffic of each listed policy type (Ingress or Egress) that no rule explicitly allows is dropped. The cluster's network plugin, such as Calico or Cilium, enforces these rules.
Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
Why it matters
Network Policies reduce the blast radius of a compromise by limiting lateral movement. They are a critical component of defense-in-depth for Kubernetes workloads.
Key differences
- Default behaviour: no policy selecting a Pod means all traffic to and from it is allowed; a default-deny policy has to be created explicitly.
- Ingress: Controls incoming traffic.
- Egress: Controls outgoing traffic.
Common issues
- Not all network plugins support Network Policies.
- Misconfigured selectors can inadvertently block legitimate traffic.
- Default-deny policies require explicit allow rules for DNS and health checks.