Network Segmentation in Kubernetes: NetworkPolicies in Practice
On a default-allow network every compromised pod is a foothold against the whole cluster. Default-deny is the fix; the patterns below make it operable.
Why default-allow is the wrong default
Default Kubernetes networking is flat: every pod can reach every other pod, in every namespace, on every port. A compromised pod therefore starts with lateral movement to the entire cluster.
NetworkPolicies invert this. A policy selects a set of pods and, for each policyType it lists (Ingress, Egress), allows only the traffic that matches one of its rules; a policy that lists a type but no rules is a deny. Two caveats matter in practice: pods selected by no policy at all stay fully open, and policies are purely additive (the core API has no deny rule), so default-deny has to be a policy of its own that every other policy then punches holes in. Foundational defense-in-depth.
Four practical patterns
- 1. Namespace isolation. Start with a policy that selects every pod (podSelector: {}) and denies all ingress and egress, then allow traffic only from and to pods in the same namespace. Anything crossing a namespace boundary becomes opt-in.
- 2. Egress allowlist. Pods only reach declared destinations: specific namespaces and pods, or external ipBlock CIDRs, on specific ports. This is what stops a compromised pod from calling home or from wandering to internal endpoints it has no business reaching.
- 3. Ingress allowlist. Pods only receive from declared sources, typically the ingress controller's namespace and their direct callers, on the one port they actually serve.
- 4. DNS allowlist. Default-deny egress blocks DNS as well, so resolution must be explicitly permitted: egress to kube-dns in kube-system on UDP and TCP 53. Forgetting this is the most common way a rollout breaks everything at once.
CNI compatibility
Calico, Cilium and Weave Net all enforce NetworkPolicies, but enforcement is a CNI feature, not an API-server feature: the API server accepts and stores NetworkPolicy objects whether or not the CNI does anything with them. Most managed Kubernetes offerings ship with enforcement disabled until you opt in.
Verify rather than assume; some pre-2023 setups silently ignored policies. Apply a deny rule, attempt the connection from a pod, and confirm it times out. A successful kubectl apply on its own proves nothing.
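The four patterns above, plus the enforcement check just described, as one script. This is an added example, not code from the article: it renders the policies for a namespace as a multi-document manifest, applies them, and then probes from inside the namespace to prove the CNI really drops traffic while DNS still resolves. Everything environment-specific is an assumption: CoreDNS in kube-system labelled k8s-app=kube-dns, an ingress controller in namespace ingress-nginx, a workload labelled app=api on TCP 8080, and a single permitted external dependency in the documentation range 203.0.113.0/24 on TCP 443.

```shell
#!/bin/sh
# Added example, not code from the article: render the four patterns as NetworkPolicy
# manifests for one namespace, apply them, and prove the CNI actually drops traffic.
# Hypothetical assumptions: CoreDNS runs in kube-system labelled k8s-app=kube-dns, the
# ingress controller lives in namespace ingress-nginx, the workload is labelled app=api
# and listens on TCP 8080, and its one allowed external dependency is 203.0.113.0/24:443.
set -eu

# Emit every policy for namespace $1 as one multi-document YAML stream.
render_policies() {
  ns="$1"
  cat <<EOF
# Baseline: select every pod, list both policy types, give no rules = deny everything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny-all, namespace: $ns }
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Pattern 4: re-allow DNS to kube-dns, or nothing below can resolve a name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: allow-dns-egress, namespace: $ns }
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: kube-system } }
      podSelector: { matchLabels: { k8s-app: kube-dns } }
    ports:
    - { protocol: UDP, port: 53 }
    - { protocol: TCP, port: 53 }
---
# Pattern 1: namespace isolation; intra-namespace traffic flows both ways,
# anything crossing the namespace boundary needs a policy of its own.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: allow-same-namespace, namespace: $ns }
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
  - from: [ { podSelector: {} } ]
  egress:
  - to: [ { podSelector: {} } ]
---
# Pattern 3: ingress allowlist; app=api accepts only the ingress controller, only on 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: api-ingress-allowlist, namespace: $ns }
spec:
  podSelector: { matchLabels: { app: api } }
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector: { matchLabels: { kubernetes.io/metadata.name: ingress-nginx } }
    ports:
    - { protocol: TCP, port: 8080 }
---
# Pattern 2: egress allowlist; app=api reaches one external CIDR on 443 and nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: api-egress-allowlist, namespace: $ns }
spec:
  podSelector: { matchLabels: { app: api } }
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock: { cidr: 203.0.113.0/24 }
    ports:
    - { protocol: TCP, port: 443 }
EOF
}

# Enforcement check for namespace $1: $2:$3 (a service in another namespace) must be
# unreachable from an unlabelled pod in $1, while DNS must still resolve.
verify_enforcement() {
  ns="$1"; blocked_host="$2"; blocked_port="$3"
  # The API server stores NetworkPolicy objects even when the CNI ignores them, so only
  # a dropped connection proves enforcement. nc -z -w 3 exits 0 on a completed handshake.
  if kubectl -n "$ns" run np-probe --rm -i --restart=Never --image=busybox:1.36 \
       -- nc -z -w 3 "$blocked_host" "$blocked_port" 2>/dev/null; then
    echo "FAIL: $blocked_host:$blocked_port reachable from $ns; CNI is not enforcing policy" >&2
    return 1
  fi
  kubectl -n "$ns" run np-probe-dns --rm -i --restart=Never --image=busybox:1.36 \
       -- nslookup kubernetes.default.svc.cluster.local >/dev/null 2>&1 \
    || { echo "FAIL: DNS blocked in $ns; fix allow-dns-egress selectors first" >&2; return 1; }
  echo "OK: cross-namespace connection dropped in $ns, DNS still resolves"
}

case "${1:-}" in
  apply)  render_policies "$2" | kubectl apply -f - ;;
  verify) verify_enforcement "$2" "$3" "$4" ;;
esac
```

Usage is `sh segment.sh apply payments` followed by `sh segment.sh verify payments web.other-team.svc.cluster.local 80`, where the target is any service outside the namespace that was reachable before. The probe pod carries no labels, so it exercises the baseline plus the namespace-isolation and DNS policies; to test the app=api allowlists, probe from a pod carrying that label. A verify step that prints OK against a target you know used to be reachable is the only acceptable evidence that the CNI enforces what the API server stored.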
Rollout strategy
Roll out per namespace. Enable observe-only mode first; the core NetworkPolicy API has no audit mode, so this comes from the CNI (for example Cilium's policy audit mode or Calico's staged network policies). Collect what would have been denied, add the allows you missed, iterate, then enforce.
Skipping observe-only means spending day one restoring traffic you did not know existed.
Antipatterns
- NetworkPolicies without observability. Denied traffic disappears silently: the core API logs nothing, so without CNI flow logs (Hubble on Cilium, flow logs on Calico) a dropped packet and a crashed dependency look the same to the team debugging it.
- Whole-cluster rollout in one go. Outage by config.
- Default-allow forever because 'too risky to change.' The risk compounds: every new workload inherits full lateral reach to everything deployed before it.
What to do this week
Three moves. (1) Pick one production namespace to segment first, ideally one whose callers and dependencies are already understood. (2) Measure the security signal before and after: how many pods and external destinations a representative pod in that namespace can actually reach. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.