Network Policies in Kubernetes provide fine-grained control over network traffic between pods. They act as a firewall for your cluster, allowing you to define rules that specify which pods can communicate with each other and on which ports.
What are Network Policies?
Network Policies are Kubernetes resources that control traffic flow at the network level. They use labels to select pods and define ingress (incoming) and egress (outgoing) rules. Network Policies are implemented by network plugins (CNI) that support them, such as Calico, Cilium, or Weave Net.
Key Concepts
- Pod Selector: Identifies which pods the policy applies to
- Ingress Rules: Control incoming traffic to selected pods
- Egress Rules: Control outgoing traffic from selected pods
- Policy Types: Specify whether ingress, egress, or both are controlled
- Default Deny: Once any NetworkPolicy selects a pod for a given policy type (Ingress or Egress), all traffic in that direction is denied except what some policy explicitly allows; pods that no policy selects remain fully open
Prerequisites
Before implementing Network Policies, ensure your cluster uses a CNI plugin that supports Network Policies:
- Calico
- Cilium
- Weave Net
- Antrea
Basic Network Policy Examples
Example 1: Default Deny All
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {} # Selects all pods in the namespace
  policyTypes:
    - Ingress
    - Egress
```
Example 2: Allow Specific Pods
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-pods
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```
Multi-Tier Application Example
Secure a typical 3-tier application (frontend, backend, database):
```yaml
# Frontend: Allow ingress from anywhere on port 80, egress only to the backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
spec:
  podSelector:
    matchLabels:
      tier: frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from: [] # An empty from list matches any source
      ports:
        - protocol: TCP
          port: 80
  egress:
    # Note: no rule here allows port 53, so frontend pods cannot resolve names
    # until a DNS egress rule is added (see Best Practices)
    - to:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 8080
---
# Backend: Allow ingress from frontend only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# Database: Allow ingress from backend only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 5432
```
Best Practices
- Start with Default Deny: Begin with a deny-all policy, then explicitly allow required traffic
- Use Labels Consistently: Use consistent label naming across your cluster
- Test Incrementally: Apply Network Policies gradually and test after each change
- Document Policies: Document why each policy exists and what traffic it allows
- Allow DNS: Any policy that restricts Egress silently breaks name resolution unless it also allows UDP and TCP port 53 to the cluster DNS pods, so always include a DNS egress rule alongside a default-deny policy
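To make the evaluation rules concrete (a pod selected by a policy is isolated in that direction, policies are additive, and a flow needs both the source's egress and the destination's ingress to allow it), here is a small evaluator written for this post. It is constructed teaching code, not part of Kubernetes or any CNI, and it handles only `podSelector`/`matchLabels` and `ports` within a single namespace (it ignores `namespaceSelector` and `ipBlock`); the sample policies are the three multi-tier policies above plus Example 1's default deny, assumed to live in the same namespace.

```python
"""Tiny NetworkPolicy evaluator: podSelector/matchLabels and ports only, one namespace.
Constructed teaching code, not Kubernetes code; namespaceSelector and ipBlock are ignored."""

def selects(selector, labels):
    """matchLabels semantics: every key/value must match; {} selects every pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def rule_matches(rule, peer_key, peer_labels, proto, port):
    peers = rule.get(peer_key, [])
    # An empty or missing from/to list matches any peer (that is what `from: []` means).
    peer_ok = not peers or any(selects(s, peer_labels) for s in peers)
    ports = rule.get("ports")  # a missing ports list means every port
    return peer_ok and (ports is None or (proto, port) in ports)

def direction_allowed(policies, pod, peer, proto, port, direction):
    """direction is 'Ingress' (peer -> pod) or 'Egress' (pod -> peer)."""
    applicable = [p for p in policies
                  if selects(p["podSelector"], pod) and direction in p["policyTypes"]]
    if not applicable:
        return True  # pod is not isolated in this direction, so all traffic passes
    peer_key = "from" if direction == "Ingress" else "to"
    # Policies are additive: traffic passes if any rule of any applicable policy allows it.
    return any(rule_matches(r, peer_key, peer, proto, port)
               for p in applicable for r in p.get(direction.lower(), []))

def connection_allowed(policies, src, dst, proto, port):
    """A flow needs the source's egress AND the destination's ingress to allow it."""
    return (direction_allowed(policies, src, dst, proto, port, "Egress")
            and direction_allowed(policies, dst, src, proto, port, "Ingress"))
# The three multi-tier policies above, flattened to dicts with the same fields as the YAML.
TIER_POLICIES = [
    {"podSelector": {"tier": "frontend"}, "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [], "ports": [("TCP", 80)]}],
     "egress": [{"to": [{"tier": "backend"}], "ports": [("TCP", 8080)]}]},
    {"podSelector": {"tier": "backend"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"tier": "frontend"}], "ports": [("TCP", 8080)]}]},
    {"podSelector": {"tier": "database"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"tier": "backend"}], "ports": [("TCP", 5432)]}]},
]
DEFAULT_DENY = {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}  # Example 1: no rules

if __name__ == "__main__":
    fe, be, db = {"tier": "frontend"}, {"tier": "backend"}, {"tier": "database"}
    print(connection_allowed(TIER_POLICIES, fe, be, "TCP", 8080))  # True
    print(connection_allowed(TIER_POLICIES, be, db, "TCP", 5432))  # True: backend egress is open
    # With default deny added, backend -> database breaks: backend-policy has no egress rules.
    print(connection_allowed(TIER_POLICIES + [DEFAULT_DENY], be, db, "TCP", 5432))  # False
    # The frontend egress rule never allows port 53, so DNS lookups from the frontend fail.
    print(connection_allowed(TIER_POLICIES, fe, {"k8s-app": "kube-dns"}, "UDP", 53))  # False
```

The last two results are the practical lesson: adding a namespace-wide default deny isolates every tier in both directions, so each tier then needs its own egress rules (including DNS), not just the ingress rules shown above.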
Troubleshooting
```bash
# List all Network Policies
kubectl get networkpolicies --all-namespaces

# Describe a specific policy
kubectl describe networkpolicy <policy-name> -n <namespace>

# Check pod labels (selectors only match if the labels are exactly what you expect)
kubectl get pods --show-labels

# Test connectivity from a throwaway pod
kubectl run test-pod --image=busybox -it --rm -- wget -O- http://target:port
```
Conclusion
Network Policies are essential for securing Kubernetes clusters and implementing defense-in-depth. They allow you to control traffic flow between pods, isolate workloads, and protect sensitive services. Start with default deny policies, then gradually add allow rules based on your application's communication patterns.