Network Policy Default Deny
Most clusters allow all pod-to-pod traffic. Migrate to default-deny.
Idea
Network policy default deny is the discipline of moving from "all traffic allowed" to "no traffic allowed by default; explicit allows only". The shift bounds lateral movement and compromise blast radius. The discipline is real work but produces meaningful security improvement.
What the idea looks like:
- Default-deny network policy: The cluster's default behavior is to deny pod-to-pod traffic. Without explicit allow policies, pods cannot communicate; the security model is restrictive.
- Each app explicitly allows traffic: Applications declare what they need. Service A needs to talk to service B; the policy explicitly allows that connection, and nothing else is allowed for service A.
- Lateral movement bounded: When a pod is compromised, the attacker's lateral movement is bounded by the policies. The pod can only reach what its policies allow, so the attack surface reachable from the compromised pod is small.
- Per-namespace and per-pod selectors: Policies use selectors. Per-namespace, per-label and per-pod combinations are all supported, so the policies match the workload's actual structure.
- Egress and ingress: Both directions can be restricted. Most efforts focus on ingress (what can talk to me), but egress (what I can talk to) is equally important; comprehensive policies cover both.
The idea is the foundation. The implementation is months of work; the value is permanent.
Migrate
Migrating from default-allow to default-deny is gradual: audit current traffic, add policies that allow it, then switch the default. The phases are sequential; rushing produces broken communication.
- Audit current traffic: The team observes what traffic flows currently. Service-to-service communication, ingress and egress are all mapped. The audit produces the baseline.
- Add policies: For each observed traffic pattern, the team adds an allow policy. The policies match the current traffic; nothing is broken yet because the default is still allow.
- Switch default: Once policies cover the traffic, the default switches to deny. Pods without matching policies cannot communicate; the policies added in phase 2 cover the legitimate cases.
- Months-long: Realistic timelines are months. Some traffic is intermittent (only during specific operations), and the audit catches it only with extended observation.
- Pace it: The discipline is sustained over the migration. Each phase has its own checks; the team's confidence grows; the migration completes successfully.
The migration is the main work. The phased approach minimizes the risk of breaking legitimate communication.
Benefit
The benefits compound. Reduced compromise blast radius; cleaner compliance stories; auditor-ready evidence of network controls.
- Compromise blast radius bounded: When a pod is compromised, the attacker's reach is bounded by the network policies. The compromise is contained; the security incident is smaller.
- Compliance stories cleaner: Compliance frameworks increasingly expect network segmentation. Default-deny network policies produce evidence of segmentation; the audit conversation is shorter.
- Anomaly detection improves: With explicit allow policies, anomalous traffic is more visible. Traffic that violates policies is flagged; investigation is targeted.
- Defense in depth: Network policies are one layer of defense. Combined with authentication, authorization and encryption, the layers produce comprehensive security.
- Maintained over time: The discipline is ongoing. New workloads need policies; old workloads' policies are updated; the network security stays current.
Network policy default deny is one of those security disciplines that pays off across many years and many threat scenarios. Nova AI Ops integrates with cluster network telemetry, surfaces policy coverage and violations, and supports the team's network security discipline.