Which CNI Plugins Support Network Policies?
Network Policies require a CNI plugin that implements enforcement. Calico, Cilium, Weave Net, and Antrea support standard Network Policies. Flannel does not. Some CNIs like Cilium offer extended policies beyond the Kubernetes API, such as L7 filtering and DNS-based rules.
Detailed Answer
Network Policies in Kubernetes are a two-part system: the API (defined by the Kubernetes NetworkPolicy resource) and the enforcement (implemented by the CNI plugin). Without a supporting CNI, your policies exist on paper only.
CNI Network Policy Support Matrix
| CNI Plugin | Standard NetworkPolicy | Extended Policies | Notes | |---|---|---|---| | Calico | Full | CiliumNetworkPolicy via Calico API | Most popular for Network Policy | | Cilium | Full | CiliumNetworkPolicy (L7, DNS, identity) | eBPF-based, highest performance | | Weave Net | Full | None | Simple setup, adequate for small clusters | | Antrea | Full | AntreaNetworkPolicy (tiered policies) | VMware-backed, common in enterprise | | Flannel | None | None | Networking only, no security | | AWS VPC CNI | Partial | With Calico addon | Requires additional setup | | Azure CNI | Full | With Azure NPM | Azure-specific enforcement | | GKE Dataplane v2 | Full | Based on Cilium | Google Cloud managed |
The Silent Failure Problem
This is the most dangerous aspect of Network Policies:
# Create a deny-all policy
kubectl apply -f deny-all-policy.yaml
# networkpolicy.networking.k8s.io/deny-all created
# Test connectivity — still works if CNI doesn't enforce!
kubectl exec test-pod -- curl http://api-service:8080
# {"status": "ok"}
# ⚠️ Traffic should be blocked but isn't
The API server accepts and stores the policy. It does not validate whether any controller will enforce it. Always verify enforcement:
# Verify your CNI
kubectl get pods -n kube-system | grep -E 'calico|cilium|weave'
# Test that a deny-all policy actually blocks traffic
kubectl exec test-pod -- curl -m 5 http://api-service:8080
# curl: (28) Connection timed out ← Policy is enforced
Calico
Calico is the most widely used CNI for Network Policy enforcement:
# Install Calico
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
Features:
- Full Kubernetes NetworkPolicy support
- GlobalNetworkPolicy (cluster-wide rules)
- Host endpoint protection
- eBPF or iptables dataplane
- Network sets (reusable IP/CIDR groups)
# Calico-specific: GlobalNetworkPolicy
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: deny-external-egress
spec:
selector: all()
types:
- Egress
egress:
- action: Deny
destination:
notNets:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Cilium
Cilium uses eBPF for high-performance, identity-based networking:
# Install Cilium
helm install cilium cilium/cilium \
--namespace kube-system \
--set hubble.enabled=true
Extended features:
# Cilium L7 Policy: Allow only GET /api/public
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: l7-policy
spec:
endpointSelector:
matchLabels:
app: api
ingress:
- fromEndpoints:
- matchLabels:
app: frontend
toPorts:
- ports:
- port: "8080"
protocol: TCP
rules:
http:
- method: GET
path: "/api/public.*"
# Cilium DNS-based Egress: Allow only specific domains
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: dns-egress
spec:
endpointSelector:
matchLabels:
app: api
egress:
- toFQDNs:
- matchName: "api.stripe.com"
- matchName: "api.sendgrid.com"
toPorts:
- ports:
- port: "443"
Flannel + Calico (Canal)
If you need Flannel for networking but want Network Policy support:
# Install Canal (Flannel + Calico)
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/canal.yaml
Canal uses Flannel for Pod-to-Pod networking and Calico for Network Policy enforcement.
Choosing a CNI for Network Policies
| Requirement | Recommended CNI | |---|---| | Standard K8s Network Policies only | Calico | | L7 (HTTP) policies | Cilium | | DNS-based egress filtering | Cilium | | Maximum performance | Cilium (eBPF) | | Simplest setup | Weave Net | | Enterprise with VMware | Antrea | | AWS EKS | AWS VPC CNI + Calico | | GKE | GKE Dataplane v2 (Cilium-based) |
Validating Network Policy Enforcement
After deploying your CNI, always validate:
# 1. Apply a deny-all policy
kubectl apply -f deny-all.yaml
# 2. Verify traffic is blocked
kubectl exec -it test-client -- curl -m 5 http://target-service:8080
# Expected: timeout or connection refused
# 3. Apply an allow policy
kubectl apply -f allow-rule.yaml
# 4. Verify traffic is now allowed
kubectl exec -it test-client -- curl -m 5 http://target-service:8080
# Expected: successful response
Why Interviewers Ask This
Interviewers ask this to evaluate whether you understand the gap between defining Network Policies and actually enforcing them — a critical distinction that catches many teams off guard.
Common Follow-Up Questions
Key Takeaways
- Network Policy enforcement depends entirely on the CNI plugin — the Kubernetes API server does not enforce them.
- Always verify your CNI supports Network Policies before relying on them for security.
- Extended CNI features (L7 policies, DNS filtering) require CNI-specific CRDs, not the standard NetworkPolicy API.