π Kubernetes Network Policies Demystified β From Basics to Advanced (2025 Edition)
In Kubernetes, everything is designed to be dynamic and open by default β including network communication. While thatβs great for flexibility, itβs a nightmare for security.
Enter:
π Kubernetes Network Policies β your firewall for Pod-level communication.
Whether you’re building a multi-tenant app or locking down microservices, Network Policies give you fine-grained control over who can talk to whom.
In this blog, weβll break it all down β simply, clearly, and with real-world examples.
π§ What Are Network Policies in Kubernetes?
By default, all pods in Kubernetes can talk to each other. No restrictions.
Network Policies are rules that:
- Allow or block traffic to or from pods
- Work at Layer 3 & 4 (IP + port) level
- Are enforced by a CNI plugin like Calico, Cilium, or Weave
β Think of it like iptables for pods β but declarative and namespace-aware.
βοΈ Prerequisite: Your CNI Plugin Must Support It
Not all CNIs enforce Network Policies.
| CNI Plugin | NetworkPolicy Support |
|---|---|
| Calico | β Yes (Full) |
| Cilium | β Yes + eBPF |
| Weave | β Yes (Basic) |
| Flannel | β No (use with Calico) |
| AWS VPC CNI | β Yes (with extra config) |
π You can check support by reviewing your cluster’s network plugin or running:
kubectl get pods -n kube-system
Look for names like calico-node, cilium-agent, etc.
𧱠Basic Anatomy of a NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-nginx
namespace: default
spec:
podSelector:
matchLabels:
app: nginx
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
Key Sections:
- podSelector: Which pods this policy applies to
- policyTypes:
Ingress,Egress, or both - ingress/egress: Allowed sources or destinations
π Ingress vs Egress
| Type | Controls |
|---|---|
| Ingress | Who can connect to the selected pods |
| Egress | Where the selected pods can connect to |
By default:
- If no NetworkPolicy exists, traffic is allowed.
- If one NetworkPolicy exists, and it has no rules β it blocks everything (deny by default starts here).
π¦ Use Case Examples
1οΈβ£ Allow Only Frontend to Talk to Nginx
podSelector:
matchLabels:
app: nginx
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
π« This blocks all other pods from reaching Nginx.
2οΈβ£ Allow Ingress from Same Namespace Only
ingress:
- from:
- namespaceSelector:
matchLabels:
name: default
β Useful for isolating tenants by namespace.
3οΈβ£ Allow Egress to Internet (DNS & HTTPS only)
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- protocol: TCP
port: 443
- protocol: UDP
port: 53
policyTypes:
- Egress
β Allows your pod to pull images, call APIs, or resolve DNS β but nothing else.
4οΈβ£ Deny All Ingress
podSelector:
matchLabels:
app: sensitive
ingress: []
π« Fully blocks all inbound traffic to pods with label app=sensitive.
5οΈβ£ Allow Traffic from a Specific Namespace
ingress:
- from:
- namespaceSelector:
matchLabels:
project: web
π Great for multi-team clusters with isolated dev, staging, and prod namespaces.
π§ͺ Testing Network Policies
You can test enforcement using tools like:
kubectl execinto a pod and try to curl another service- Use network testing tools:
- netshoot container
- BusyBox for minimal tests
k8s-netpolicy-tester
Example:
kubectl exec -it test-pod -- curl nginx.default.svc.cluster.local
π§ Advanced NetworkPolicy Tips
| Tip | Explanation |
|---|---|
| β Start with Allow-Only Policies | Declare whatβs allowed, assume rest is blocked |
| π Combine with RBAC & Secrets | NetworkPolicy β identity or data protection |
| π Use Labels Strategically | Group and select pods with intent |
| π§Ύ Version Control YAMLs | Apply with CI/CD and GitOps |
| π§ Avoid Wide ipBlocks | Too broad? Itβs no longer secure |
| π‘ Use Calico Enterprise or Cilium UI | For visual policy dashboards |
π Recommended Tools
| Tool | Purpose |
|---|---|
| Netpol Visualizer | View policies as graphs |
| Calico Policy Manager | GUI for Calico security |
| K9s | CLI for Kubernetes navigation |
| Kubescape | Security audits for policies |
| OPA + Gatekeeper | Policy-as-code validation engine |
π‘ Network Policy β Firewall for Nodes
Important:
Network Policies only affect Pod-to-Pod communication.
They donβt:
- Block host networking
- Protect node-level traffic (use firewalls for that)
- Replace TLS or mutual authentication
π Final Thoughts
Network Policies may seem overwhelming at first, but theyβre critical for zero trust Kubernetes.
Start simple: deny all ingress to a pod.
Then allow only whatβs required β nothing more.
π In todayβs cloud-native world:
- Apps are dynamic.
- Threats are real.
- Secure defaults + declarative controls = resilient systems.
𧩠TL;DR β Network Policy Quick Recap
| Item | Example |
|---|---|
| Block all ingress | ingress: [] |
| Allow frontend β backend | podSelector-based |
| Allow DNS & HTTPS egress | egress + ports |
| Apply to namespace | namespaceSelector |
| Visualize | Netpol Visualizer, Calico UI |