Kubernetes Network Policy
What is Kubernetes Network Policy?
Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
A NetworkPolicy is enforced by the cluster's CNI plugin (Calico, Cilium, Antrea, etc.) and selects target pods by label. Each policy lists Ingress and Egress rules with optional from/to selectors for pods, namespaces, or CIDRs, plus port and protocol. Policies are additive within a namespace and default-deny only takes effect once any policy matches a pod for a direction. NetworkPolicy is the primary east-west firewall in Kubernetes, used to implement microsegmentation, isolate tenants, and limit blast radius after a pod compromise. AdminNetworkPolicy and BaselineAdminNetworkPolicy (Kubernetes 1.29+) provide cluster-scoped, prioritized rules suitable for platform teams.
● Examples
- 01
A default-deny ingress NetworkPolicy in a tenant namespace combined with explicit allow rules for an ingress controller.
- 02
An Egress policy restricting application pods to a managed database CIDR and the cluster DNS service.
● Frequently asked questions
What is Kubernetes Network Policy?
Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol. It belongs to the Cloud Security category of cybersecurity.
What does Kubernetes Network Policy mean?
Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
How does Kubernetes Network Policy work?
A NetworkPolicy is enforced by the cluster's CNI plugin (Calico, Cilium, Antrea, etc.) and selects target pods by label. Each policy lists Ingress and Egress rules with optional from/to selectors for pods, namespaces, or CIDRs, plus port and protocol. Policies are additive within a namespace and default-deny only takes effect once any policy matches a pod for a direction. NetworkPolicy is the primary east-west firewall in Kubernetes, used to implement microsegmentation, isolate tenants, and limit blast radius after a pod compromise. AdminNetworkPolicy and BaselineAdminNetworkPolicy (Kubernetes 1.29+) provide cluster-scoped, prioritized rules suitable for platform teams.
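The cluster-scoped variants mentioned above, as an added example that is not from the page. It assumes the AdminNetworkPolicy CRDs from the Kubernetes network-policy-api project are installed and the CNI enforces them; the labels `tier: platform` and `tenant: "true"` and the `monitoring` namespace are assumptions for the example.

```yaml
# Added example (not from the original page). Platform-team rules that tenants cannot override.
---
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: protect-platform-namespaces     # cluster-scoped: no namespace field
spec:
  priority: 10                          # lower number wins between AdminNetworkPolicies
  subject:
    namespaces:
      matchLabels:
        tier: platform                  # assumed label on platform namespaces
  ingress:                              # rules in one policy are evaluated in order, first match wins
  - name: allow-monitoring
    action: Allow
    from:
    - namespaces:
        matchLabels:
          kubernetes.io/metadata.name: monitoring   # assumed namespace
  - name: deny-from-tenants
    action: Deny                        # a tenant's own NetworkPolicy cannot allow this traffic back
    from:
    - namespaces:
        matchLabels:
          tenant: "true"                # assumed label on tenant namespaces
---
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default                         # the API permits exactly one, and it must be named "default"
spec:
  subject:
    namespaces: {}                      # empty selector: every namespace
  ingress:
  - name: cluster-default-deny-ingress
    action: Deny                        # applies only where no NetworkPolicy has selected the pod
    from:
    - namespaces: {}
```

The ordering that matters for review is: AdminNetworkPolicy rules are evaluated first and are final for `Allow` and `Deny`; namespaced NetworkPolicy objects are consulted next; the BaselineAdminNetworkPolicy applies last, only to traffic no NetworkPolicy has claimed. That makes the baseline the place to put a cluster-wide default-deny without breaking the additive semantics tenants rely on in their own namespaces.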
How do you defend against Kubernetes Network Policy?
Defences for Kubernetes Network Policy typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Kubernetes Network Policy?
Common alternative names include: NetworkPolicy, K8s netpol, AdminNetworkPolicy.
● Related terms
- cloud-security (№ 838)
Pod Security Standards
Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
- cloud-security (№ 597)
Kubernetes Admission Controller
An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
- cloud-security (№ 757)
OPA Gatekeeper
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- cloud-security (№ 602)
Kyverno
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
- cloud-security (№ 582)
Kata Containers
Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- cloud-security (№ 455)
gVisor
gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.