What Are Kubernetes Network Policies?

Detailed Answer

Network Policies are Kubernetes resources that define rules for how Pods are allowed to communicate with each other and with external endpoints. They function as an in-cluster firewall, providing fine-grained network access control.

Default Behavior: Allow All

By default, Kubernetes allows all traffic between all Pods. Any Pod can reach any other Pod in any namespace over any port. This is convenient for development but unacceptable for production security.

How Network Policies Work

When a Network Policy selects a Pod (via podSelector), that Pod switches from "allow all" to "deny by default" for the policy types specified. Only traffic that matches an explicit rule is permitted.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
        - podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53

This policy for Pods labeled app: api:

• Allows incoming traffic only from Pods labeled app: frontend on port 8080
• Allows outgoing traffic only to database Pods on port 5432 and DNS on port 53
• Denies all other traffic in both directions

Key Concepts

podSelector

Selects which Pods the policy applies to:

podSelector:
  matchLabels:
    app: api        # Applies to Pods with label app=api

An empty podSelector: {} selects all Pods in the namespace.

policyTypes

Specifies whether the policy applies to ingress, egress, or both:

policyTypes:
  - Ingress    # Controls incoming traffic
  - Egress     # Controls outgoing traffic

If not specified, Ingress is assumed. Always be explicit.

from / to Selectors

Define allowed traffic sources (for ingress) or destinations (for egress):

# Allow from specific Pods
- podSelector:
    matchLabels:
      app: frontend

# Allow from specific namespaces
- namespaceSelector:
    matchLabels:
      environment: production

# Allow from specific IP ranges
- ipBlock:
    cidr: 10.0.0.0/8
    except:
      - 10.0.1.0/24

CNI Plugin Requirement

Network Policies are defined via the Kubernetes API, but enforcement is handled by the CNI plugin:

| CNI Plugin | Network Policy Support | |---|---| | Calico | Full support | | Cilium | Full support (with extended features) | | Weave Net | Full support | | Flannel | No support (needs Calico overlay) | | AWS VPC CNI | Partial (with Calico addon) |

If your CNI does not support Network Policies, the policy resources are accepted by the API server but have no effect — a dangerous silent failure.

Policy Evaluation

Multiple policies are additive:

• If no policy selects a Pod → all traffic allowed
• If one policy selects a Pod → only traffic matching that policy is allowed
• If multiple policies select a Pod → traffic matching any policy is allowed (union of rules)

There is no concept of a "deny" rule. Policies only "allow." Unmatched traffic is denied.

Verifying Network Policies

# List policies in a namespace
kubectl get networkpolicies -n backend

# Describe a specific policy
kubectl describe networkpolicy api-policy -n backend

# Test connectivity (from a debug Pod)
kubectl exec -it debug-pod -n frontend -- curl -m 5 http://api-service.backend:8080