Master Kubernetes Network Policies: From Basics to Advanced Examples

In a default Kubernetes cluster all Pods can communicate, which may pose security risks. NetworkPolicy provides fine‑grained traffic control by defining rules that allow or deny traffic between Pods.

Core concepts

Policy object : a Kubernetes resource defined in a YAML manifest.

Pod selector : selects the Pods to which the policy applies.

Ingress rules : specify allowed inbound traffic.

Egress rules : specify allowed outbound traffic.

Rule types :

IPBlock : control by IP CIDR.

PodSelector : control by Pod labels.

NamespaceSelector : control by Namespace labels.

Practical examples

Example 1 – Deny all traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

This policy selects every Pod in the default namespace (empty podSelector) and defines empty Ingress and Egress rules, effectively blocking all inbound and outbound traffic.

Example 2 – Allow intra‑namespace communication

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: default
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}

The policy applies to all Pods in default and permits traffic from any Pod in the same namespace.

Example 3 – Allow traffic from Pods with a specific label

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend

Only Pods labeled app: backend are selected, and they accept inbound traffic from Pods labeled app: frontend within the same namespace.

Example 4 – Allow traffic from a specific namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring

This policy permits Pods app: backend to receive traffic from any Pod in namespaces labeled name: monitoring.

Example 5 – Allow specific IP range, exclude an address

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-access
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.1.0/24
        except:
        - 192.168.1.10/32

The policy allows traffic from the 192.168.1.0/24 subnet but blocks the single IP 192.168.1.10.

Example 6 – Allow traffic on a specific port

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-port
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80

Only TCP traffic on port 80 from Pods app: frontend is allowed to reach Pods app: backend.

Important considerations

Supported network plugins : NetworkPolicy works only with CNI plugins that implement it, such as Calico or Cilium.

Policy aggregation : When multiple policies select the same Pod, their rules are combined.

Default behavior : Pods without any NetworkPolicy are unrestricted.

Debugging : Use kubectl describe networkpolicy <policy-name> and plugin‑specific tools to troubleshoot.

Conclusion

NetworkPolicy is a key mechanism for implementing network isolation and access control in Kubernetes. By crafting appropriate policies, you can satisfy a wide range of security requirements and protect containerized workloads.