K8s Network Policies
Default-deny.
Default-deny baseline
Default Kubernetes networking: all pods can reach all pods. NetworkPolicy resources restrict this.
Default-deny ingress and egress per namespace (a policy with an empty podSelector selects every pod in that namespace). Pods then explicitly opt in to specific traffic patterns.
Required CNI: Calico, Cilium, Antrea, or similar. Vanilla Flannel does not enforce NetworkPolicy.
Ingress policies
From specific namespace selector: 'allow traffic from monitoring namespace'. Common for Prometheus scraping.
From specific pod selector: 'allow traffic from pods labeled app=frontend'. Service-to-service.
From specific IP block: 'allow traffic from 10.0.0.0/8'. For VPN ranges or trusted networks. ipBlock is meant for cluster-external sources; pod-to-pod traffic may be SNATed by the node, so match pods with selectors, not CIDRs.
Egress policies
To specific destinations: DNS (kube-dns), specific services, the internet via egress proxy.
Block egress to instance metadata (169.254.169.254). Defends against SSRF-via-pod attacks.
FQDN-based egress (Cilium Enterprise, Calico Enterprise). Allowlist by domain, not IP. Resilient to IP changes.
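As an added example, not part of the original notes: a namespace default-deny policy beside an opt-in egress policy for one workload that allows DNS to kube-dns and HTTPS to the internet while carving out the instance metadata address. The namespace payments, the label app=api and the kube-dns pod label k8s-app=kube-dns are assumptions; the kubernetes.io/metadata.name namespace label is set automatically on Kubernetes 1.21 and later.

```yaml
# Default-deny for every pod in the namespace, ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments          # assumed namespace
spec:
  podSelector: {}              # empty selector = all pods in the namespace
  policyTypes: [Ingress, Egress]
---
# Opt-in for app=api pods: DNS to kube-dns, then HTTPS to the internet,
# with the cloud instance metadata endpoint carved out (SSRF-via-pod defence).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api                 # assumed workload label
  policyTypes: [Egress]
  egress:
    # One 'to' entry with both selectors means: pods matching both (AND).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed label on the cluster DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Internet egress on 443 only; the metadata address is excluded from the CIDR.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
      ports:
        - protocol: TCP
          port: 443
```

Verify from a test pod in the namespace that DNS resolves, an HTTPS connection to an external host succeeds, and a request to 169.254.169.254 times out; none of this is enforced unless the CNI implements egress policies.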
Rolling out default-deny
Audit current traffic with flow logs (Cilium Hubble, Calico flow logs). Understand what flows exist before restricting.
Add policies based on observed traffic. Test in non-prod first.
Switch to default-deny only after policies cover legitimate flows. Premature switch breaks production.
Operating network policies
Per-namespace policies in git. Reviewed via PR; deployed via CI.
Quarterly review: find stale policies that no longer reflect actual traffic; tighten or remove them.
Drill: deliberately remove a policy in non-prod and verify that detection fires and the alert arrives. Builds confidence in the safety net.