K8s Network Policies
Default-deny.
Default-deny baseline
Default Kubernetes networking lets every pod reach every other pod. NetworkPolicy resources turn that into an explicit allowlist; the CNI choice decides whether the policies actually enforce. Without enforcement, NetworkPolicy is documentation, not security.
- Default Kubernetes networking. Any-pod-to-any-pod by default; NetworkPolicy resources restrict this only when the CNI plugin enforces them.
- Default-deny per namespace. Both ingress and egress denied by default; pods explicitly opt in to the specific traffic they need.
- Required CNI. Calico, Cilium, or Antrea enforce NetworkPolicy; vanilla Flannel does not. Confirm the CNI before assuming the policy works: the API server accepts a NetworkPolicy object whether or not anything enforces it, so an ignored policy looks identical to an enforced one.
- Named policy owner per namespace. Documented team responsible for changes; "everyone and no one" is the failure mode.
Ingress policies
Ingress policies define who is allowed to talk to a pod. Namespace selectors, pod selectors, and IP blocks are the primitives; explicit ports keep accidental wide-open rules from happening.
- From namespace selector. Allow-from-monitoring rule for Prometheus scraping; standard pattern that scales across namespaces.
- From pod selector. Allow-from-app=frontend for service-to-service traffic; tightens scope to the specific producer.
- From IP block. Allow-from-10.0.0.0/8 for VPN ranges or trusted networks; useful when traffic comes from outside the cluster.
- Named ports per policy. Explicit port and protocol on every rule; the discipline catches the accidental "all ports" rule that defeats the purpose.
Egress policies
Egress policies define what a pod is allowed to call out to. They are often skipped but carry high security value, especially for blocking SSRF and metadata-endpoint attacks.
- To specific destinations. kube-dns, named services, egress proxy targets; explicit allowlist beats implicit any.
- Block egress to instance metadata. 169.254.169.254 block defends against SSRF-via-pod attacks that steal cloud credentials.
- FQDN-based egress. Cilium Enterprise or Calico Enterprise allowlist by domain name; resilient to IP changes that break IP-based rules.
- Egress-only namespace. Dedicated egress proxy through which all outbound traffic flows; supports inspection and policy enforcement.
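The default-deny baseline and the metadata-endpoint egress block described above, as an added example that is not part of the original page: a namespace-wide deny for both directions, then an additive egress allowlist for one workload that permits DNS to kube-dns and HTTPS to everything except 169.254.169.254. The namespace "payments", the label app=frontend, and the k8s-app=kube-dns pod label are assumed placeholders.

```yaml
# Added example (not from the original page): per-namespace default-deny
# plus an explicit egress allowlist for one workload. The namespace
# "payments", the label app=frontend and the kube-dns pod label are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}      # empty selector selects every pod in the namespace
  policyTypes:         # listing both types with no rules denies both directions
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  # Rule 1: DNS to kube-dns only (pods cannot resolve names without this).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: HTTPS anywhere except the cloud instance metadata endpoint.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
    ports:
    - protocol: TCP
      port: 443
```

Policies are additive, so the frontend rules widen the default-deny only for pods labelled app=frontend; how ipBlock applies to in-cluster pod IPs is CNI-dependent, so verify the metadata block from inside a pod after applying.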
Rolling out default-deny
The rollout is the high-risk step where premature default-deny breaks production. Audit, add policies, then flip the default; never the other way around.
- Audit current traffic. Cilium Hubble, Calico flow logs, or eBPF tracing; understand what flows exist before you restrict them.
- Add policies based on observed traffic. Per-namespace policies that match real flows; test in non-prod under load before touching production.
- Switch to default-deny only after policies cover legitimate flows. Premature switch breaks production; verify coverage in audit mode first.
- Documented rollback plan per rollout. Policy-removal command ready and tested; the discipline supports recovery when something is missed.
Operating network policies
Operating network policies is a discipline in itself. Git source-of-truth, quarterly review, and a regular drill keep the policies useful instead of stale.
- Per-namespace policies in git. PR-reviewed policy YAML deployed via CI; click-ops in the cluster is the path to drift.
- Quarterly review. Audit stale policies; tighten where traffic patterns have changed, remove where pods no longer exist.
- Policy-removal drill. Deliberately remove a policy in non-prod; verify alerts fire and detection sees the change.
- Flow-log retention per cluster. 30-90 day retention supports incident investigation and audit; without it, "what happened" is unanswerable.