Day 37 (advanced), Mar 9, 2026

Lock Down Pod Traffic with Network Policies

By default every pod can talk to every other pod — Network Policies let you stop that.

Tags: kubernetes, security, networking

What

By default, all pods in a Kubernetes cluster can communicate freely with each other. Network Policies let you define ingress and egress rules to restrict traffic between pods, namespaces, and external IPs. They act as a firewall at the pod level, giving you fine-grained control over which workloads can talk to each other.

Why It Matters

In a multi-tenant cluster or any production environment, unrestricted pod-to-pod communication is a security risk. If one pod is compromised, an attacker can reach every other service in the cluster. Network Policies implement the principle of least privilege at the network layer, limiting blast radius.

Example

# Allow ingress to backend ONLY from frontend pods on port 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

# Verify the policy is applied
kubectl get networkpolicies -n production
kubectl describe networkpolicy backend-allow-frontend -n production
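As an added example (not part of the original tip), the Python below re-implements the ingress selection rules a policy-aware CNI applies, so you can check offline what the policy above permits: pods not selected by any policy stay allow-all, a selected pod is default-deny, rules are ORed across policies, and a podSelector without a namespaceSelector only matches the policy's own namespace. The policy is embedded as a dict, pods are plain dicts with a namespace and labels, and ipBlock peers and matchExpressions are not modelled.

```python
# The tip's policy, transcribed as a dict so this runs without PyYAML.
BACKEND_ALLOW_FRONTEND = {
    "metadata": {"name": "backend-allow-frontend", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}


def selector_matches(selector, labels):
    # matchLabels only (matchExpressions not modelled); {} matches everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, ns_labels):
    # One 'from' entry: podSelector AND namespaceSelector must both hold. A podSelector
    # with no namespaceSelector is scoped to the policy's own namespace. ipBlock not modelled.
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    return "podSelector" in peer or "namespaceSelector" in peer


def ingress_allowed(policies, src, dst, port, proto="TCP", ns_labels=None):
    """Pods are dicts {"namespace": str, "labels": dict}; ns_labels maps namespace -> labels."""
    ns_labels = ns_labels or {}
    selected = [p for p in policies
                if p["metadata"]["namespace"] == dst["namespace"]
                and "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
                and selector_matches(p["spec"]["podSelector"], dst["labels"])]
    if not selected:
        return True  # no policy selects dst: Kubernetes default is allow-all
    for pol in selected:  # policies are additive: any matching rule in any policy allows
        for rule in pol["spec"].get("ingress") or []:
            froms = rule.get("from") or [{}]   # absent/empty 'from'  = any source
            ports = rule.get("ports") or [{}]  # absent/empty 'ports' = any port
            if (any(not f or peer_matches(f, src, dst["namespace"], ns_labels) for f in froms)
                    and any(not p or (p.get("protocol", "TCP") == proto and p.get("port") == port)
                            for p in ports)):
                return True
    return False  # selected but no rule matched: denied (incl. when 'ingress' is absent)
```

Adding a second policy with `podSelector: {}` and no `ingress` rules to the list gives the namespace a default-deny baseline while `backend-allow-frontend` still opens exactly the one path it names.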

Common Mistake

Creating a NetworkPolicy but not having a CNI plugin that supports them (like Calico, Cilium, or Weave Net). The default kubenet and some managed Kubernetes CNIs silently ignore Network Policies — no errors, no enforcement.

Quick Fix

Before relying on Network Policies, verify your CNI plugin supports them. Run `kubectl get pods -n kube-system` and look for Calico or Cilium pods. If you're on a managed service, check documentation for network policy support.

Key Takeaways

  • Default K8s: all pods can reach all pods
  • NetworkPolicy = pod-level firewall rules
  • Control ingress (incoming) and egress (outgoing)
  • Requires a CNI that supports policies (Calico, Cilium)
  • No CNI support = policies silently ignored
