Script Valley / Kubernetes: From Containers to Clusters / Networking: Services, DNS, and Ingress / Lesson 3.4

Kubernetes NetworkPolicy: how to lock down pod-to-pod communication

Topics: NetworkPolicy resource, default-deny pattern, ingress rules, egress rules, podSelector, namespaceSelector, ipBlock, CNI plugin requirement, policy evaluation model

By Default, All Pods Can Talk to Each Other

[Diagram: Kubernetes NetworkPolicy, before and after]

Without NetworkPolicies, any Pod can reach any other Pod in the cluster, so a single compromised Pod can talk to every service on the flat Pod network. This is a security risk. A NetworkPolicy lets you define exactly which Pods (and which external IP ranges) may send traffic to, or receive traffic from, the Pods it selects.

Default-Deny All Ingress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}     # selects ALL pods in namespace
  policyTypes:
  - Ingress           # no ingress rules = deny all ingress

Allow Specific Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api         # this policy applies to api pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend  # only frontend pods can call api
    ports:
    - protocol: TCP
      port: 8080

NetworkPolicies are enforced by the CNI plugin, not by the API server: the resource is accepted and stored even when nothing enforces it, so you need a CNI that supports policies (Calico, Cilium, Weave Net). The default CNI shipped with kind does not enforce NetworkPolicies; install Calico if you need enforcement in local development, and verify with a test connection rather than trusting that the object exists.
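To see how a CNI decides whether a packet is allowed, the following added example (not part of the lesson) models the NetworkPolicy evaluation rules in Python. It loads the lesson's two manifests as dicts, adds a constructed egress policy that uses namespaceSelector and ipBlock, and evaluates sample connections. The cluster state (namespaces, pod labels, pod IPs, the 203.0.113.0/24 range) is constructed; the model supports matchLabels only, not matchExpressions or named ports.

```python
"""Model of the Kubernetes NetworkPolicy evaluation rules (constructed example).

Not a real enforcer: it reproduces the decision logic a policy-aware CNI applies,
so the default-deny + allow pattern can be reasoned about offline.
"""
import ipaddress

# --- constructed cluster state ------------------------------------------------
# The API server labels every namespace with kubernetes.io/metadata.name, which
# is what lets a namespaceSelector target a namespace by name.
NAMESPACES = {
    "production":  {"kubernetes.io/metadata.name": "production"},
    "monitoring":  {"kubernetes.io/metadata.name": "monitoring"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

def pod(name, namespace, labels, ip):
    return {"name": name, "namespace": namespace, "labels": labels, "ip": ip}

PODS = {  # sample pods and pod IPs (constructed)
    "api":        pod("api-1", "production", {"app": "api"}, "10.244.1.10"),
    "frontend":   pod("frontend-1", "production", {"app": "frontend"}, "10.244.1.11"),
    "batch":      pod("batch-1", "production", {"app": "batch"}, "10.244.1.12"),
    "prometheus": pod("prometheus-0", "monitoring", {"app": "prometheus"}, "10.244.2.5"),
    "coredns":    pod("coredns-1", "kube-system", {"k8s-app": "kube-dns"}, "10.244.0.3"),
}

# --- policies: the lesson's two manifests as dicts, plus an egress example ----
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "production"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},   # no rules = deny all
}
ALLOW_FRONTEND_TO_API = {
    "metadata": {"name": "allow-frontend-to-api", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 8080}]}],
    },
}
API_EGRESS = {  # constructed: api pods may only reach cluster DNS and one external range
    "metadata": {"name": "api-egress", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Egress"],
        "egress": [
            # namespaceSelector AND podSelector in one element: kube-dns pods in kube-system
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            # ipBlock with an exception carved out of the range
            {"to": [{"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.7/32"]}}],
             "ports": [{"protocol": "TCP", "port": 443}]},
        ],
    },
}
POLICIES = [DEFAULT_DENY_INGRESS, ALLOW_FRONTEND_TO_API, API_EGRESS]

# --- evaluation ---------------------------------------------------------------
def labels_match(selector, labels):
    """matchLabels semantics; an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, other):
    """One element of a from/to list. `other` is a pod dict or a bare IP string."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(other if isinstance(other, str) else other["ip"])
        blk = peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if isinstance(other, str):
        return False                      # non-pod address: only ipBlock can match
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACES[other["namespace"]]):
            return False
    elif other["namespace"] != policy_ns:
        return False                      # podSelector alone is scoped to the policy's namespace
    return labels_match(peer.get("podSelector", {}), other["labels"])

def port_matches(ports, protocol, port):
    """Missing/empty ports list means every port; protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p["port"] <= port <= p.get("endPort", p["port"])
               for p in ports)

def effective_types(spec):
    """policyTypes default: Ingress always, Egress only if egress rules are present."""
    return spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))

def allowed(policies, target, direction, other, protocol, port):
    """direction 'Ingress': `other` is the source; 'Egress': `other` is the destination."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == target["namespace"]
                  and direction in effective_types(p["spec"])
                  and labels_match(p["spec"]["podSelector"], target["labels"])]
    if not applicable:
        return True                       # no policy selects the pod: open by default
    for p in applicable:                  # policies are additive: any matching rule allows
        for rule in p["spec"].get(key, []):
            peers = rule.get(peer_key)    # missing/empty from/to matches every peer
            if (not peers or any(peer_matches(x, p["metadata"]["namespace"], other) for x in peers)) \
                    and port_matches(rule.get("ports"), protocol, port):
                return True
    return False                          # selected by a policy, but no rule allows this traffic

if __name__ == "__main__":
    for src, dst, proto, prt in [("frontend", "api", "TCP", 8080), ("batch", "api", "TCP", 8080),
                                 ("prometheus", "api", "TCP", 8080), ("frontend", "batch", "TCP", 80)]:
        ok = allowed(POLICIES, PODS[dst], "Ingress", PODS[src], proto, prt)
        print(f"{src} -> {dst}:{prt}/{proto}: {'ALLOW' if ok else 'DENY'}")
```

Two behaviours worth noticing in the output: the default-deny policy alone cuts off batch and frontend from each other even though no allow rule mentions them, and a single allow policy that selects a Pod is enough to lock that Pod down, since any policy selecting it switches the Pod from open to allow-list.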
