API objects defining allowed traffic between Pods (and between Pods and namespaces or IP ranges). Default: Pods are non-isolated, all traffic allowed. NetworkPolicy: allow-list rules only. Pods selected by a policy become isolated, only traffic matching some rule is allowed and everything else is dropped; there are no explicit deny rules. Requires a CNI plugin that enforces policy (Calico, Cilium, Weave Net; not plain Flannel). Without one, the API server accepts the object and nothing is enforced. Use cases: zero-trust networking, namespace isolation, egress control. Not a firewall replacement: it works at L3/L4 on Pod traffic, not at the node or perimeter level.
Kubernetes Network Policies FAQ & Answers
8 expert Kubernetes Network Policies answers researched from official documentation. Every answer cites authoritative sources you can verify.
Supported CNIs: Calico (ingress + egress, plus its own richer policy CRDs), Cilium (eBPF-based, adds L7 policies through CiliumNetworkPolicy), Weave Net, Azure CNI (with Azure Network Policy Manager or Calico), GKE (Calico, or Dataplane V2, which is Cilium-based). Not supported: plain Flannel (pair it with Calico in policy-only mode, the Canal setup); older AWS VPC CNI releases (recent versions ship a network policy agent that has to be enabled; otherwise install Calico or Cilium). Managed K8s: GKE (Calico or Dataplane V2), EKS (VPC CNI network policy agent, Calico or Cilium), AKS (Azure Network Policy, Calico, or Azure CNI powered by Cilium). Check before relying on it: kubectl accepts NetworkPolicy objects even when nothing in the cluster enforces them.
YAML (flow style): apiVersion: networking.k8s.io/v1, kind: NetworkPolicy, metadata: {name: deny-all, namespace: default}, spec: {podSelector: {}, policyTypes: [Ingress]}. The empty podSelector selects every Pod in the namespace; with Ingress listed and no ingress rules, all ingress to those Pods is denied (egress is untouched because Egress is not listed). Allow specific: same apiVersion/kind, metadata with its own name and the same namespace, spec: {podSelector: {matchLabels: {app: web}}, ingress: [{from: [{podSelector: {matchLabels: {app: frontend}}}]}]}. policyTypes can be omitted here, it defaults to [Ingress]. Policies are additive: with both objects in place, app=web Pods accept traffic from app=frontend Pods in the same namespace and nothing else. Apply: kubectl apply -f policy.yaml; confirm what a policy selects with kubectl describe networkpolicy deny-all.
Zero-trust pattern: (1) Default deny all: a NetworkPolicy with empty podSelector and policyTypes: [Ingress, Egress] in each namespace (no rules, so nothing is allowed). (2) Explicit allow: one policy per communication path, covering both ends (egress from the client, ingress on the server), plus a DNS egress allow. (3) Namespace isolation: a bare podSelector in a from/to peer only matches Pods in the policy's own namespace, so the default deny already blocks cross-namespace traffic; open specific paths with namespaceSelector, combined with a podSelector in the same peer entry to narrow it. Example: frontend→backend→database, each hop with its own allow on both sides. Verify: test that allowed paths succeed and that denied connections fail (with most CNIs they time out rather than being refused).
Ingress: traffic into the selected Pods; rules use a from: list. Egress: traffic out of the selected Pods; rules use a to: list. Peers in from/to: podSelector, namespaceSelector, ipBlock. A podSelector and a namespaceSelector in the same list entry are ANDed (Pods with those labels in those namespaces); separate entries are ORed. An absent from/to allows any peer; an absent ports list allows all ports. Example: Ingress from app=frontend; Egress to an external API via ipBlock: {cidr: 1.2.3.4/32}. Use ipBlock for cluster-external addresses only, since Pod IPs can be NATed before a policy sees them. policyTypes: [Ingress, Egress] applies both. If policyTypes is omitted it defaults to [Ingress], and Egress is added only when the policy contains egress rules. Consequence: an egress-only policy without an explicit policyTypes also isolates ingress for the Pods it selects.
DNS traffic (UDP and TCP port 53 to kube-dns/CoreDNS) is needed by almost every Pod once egress is restricted. Explicit allow: spec: {podSelector: {}, policyTypes: [Egress], egress: [{to: [{namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}, podSelector: {matchLabels: {k8s-app: kube-dns}}}], ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]}]}. The kubernetes.io/metadata.name label is set automatically on every namespace (Kubernetes 1.21+), so it is preferable to a hand-applied name: kube-system label that may be missing. Simpler but broader: egress to port 53 on any destination. Without a DNS allow, Pods can't resolve Service names, and connections fail at lookup rather than at connect, which makes the failure look unrelated to the policy.
Debug steps: (1) Verify the CNI enforces NetworkPolicy (kubectl get networkpolicies lists the objects whether or not anything enforces them). (2) Check that selectors actually match: kubectl describe networkpolicy <name> and kubectl get pods -n <ns> --show-labels. (3) Test both allowed and denied paths. (4) Verify policyTypes includes the direction you care about, and remember that both the source's egress and the destination's ingress must allow a connection. (5) Check for other policies selecting the same Pods: multiple policies are a union of allows, so one extra broad policy silently re-opens traffic the default deny was supposed to block. Tools: kubectl exec <pod> -- curl or nc -zv -w 3 <host> <port>; if the image lacks them, attach a debug container with kubectl debug.
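To make the semantics in the four answers above concrete (default deny plus explicit allows, ingress versus egress and the policyTypes default, the DNS egress rule, and the union-of-allows point from the debugging steps), here is an added example that is not code from this page or from the Kubernetes project: a small Python evaluator that applies NetworkPolicy matching rules to a constructed sample cluster. Policies are Python dicts in the same shape as the YAML so they can be compared line by line with a manifest. The namespaces, Pods, IPs and policy names are made up for the example, and matchLabels-only selectors and numeric ports are simplifications of the real API.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example, not
from the page or the Kubernetes project). Policies are dicts in the exact shape
of NetworkPolicy YAML (apiVersion/kind omitted). Assumed simplifications:
matchLabels only, numeric ports only, namespace labels from NAMESPACES below."""
import ipaddress

# Constructed sample cluster. kubernetes.io/metadata.name is set on every namespace
# by the API server (1.21+), so selecting on it needs no manual labelling.
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("shop", "dev", "kube-system")}
PODS = {
    "shop/frontend": {"ns": "shop", "labels": {"app": "frontend"}, "ip": "10.0.1.10"},
    "shop/backend": {"ns": "shop", "labels": {"app": "backend"}, "ip": "10.0.1.20"},
    "shop/database": {"ns": "shop", "labels": {"app": "database"}, "ip": "10.0.1.30"},
    "dev/tool": {"ns": "dev", "labels": {"app": "tool"}, "ip": "10.0.2.10"},
    "kube-system/coredns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ip": "10.0.0.53"},
}

def external(ip):  # endpoint outside the cluster: no namespace, so no policy selects it
    return {"ns": None, "labels": {}, "ip": ip}

KUBE_SYSTEM = {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}
POLICIES = [
    # (1) Default deny: empty podSelector = every pod in "shop"; both directions, no rules.
    {"metadata": {"name": "default-deny", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # DNS for every pod: namespaceSelector AND podSelector in one peer entry, UDP/53 only.
    {"metadata": {"name": "allow-dns", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": KUBE_SYSTEM,
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
    # (2) Explicit allows, one per hop and per end. frontend -> backend:8080 plus an external
    # API via ipBlock ('except' carves a hole out of the CIDR). policyTypes is explicit: left
    # out, Ingress would be added by default and isolate the frontend's ingress as well.
    {"metadata": {"name": "frontend-egress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]},
                         {"to": [{"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.7/32"]}}],
                          "ports": [{"protocol": "TCP", "port": 443}]}]}},
    # No policyTypes: defaults to [Ingress] because the policy has no egress rules.
    {"metadata": {"name": "backend-ingress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    # backend -> database:5432, again both ends.
    {"metadata": {"name": "backend-egress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
                          "ports": [{"protocol": "TCP", "port": 5432}]}]}},
    {"metadata": {"name": "database-ingress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "database"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
]

def _matches(selector, labels):  # matchLabels: every pair must be present; {} matches all
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def _policy_types(spec):  # API-server defaulting: Ingress always, Egress only with egress rules
    return set(spec["policyTypes"]) if spec.get("policyTypes") else ({"Ingress", "Egress"} if spec.get("egress") else {"Ingress"})

def _peer_matches(peer, policy_ns, other):
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(other["ip"]), peer["ipBlock"]
        return ip in ipaddress.ip_network(blk["cidr"]) and not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))
    if other["ns"] is None:          # external endpoints never match label selectors
        return False
    if "namespaceSelector" in peer:  # a podSelector in the same entry is ANDed with it
        return (_matches(peer["namespaceSelector"], NAMESPACES[other["ns"]])
                and _matches(peer.get("podSelector"), other["labels"]))
    # podSelector alone only matches pods in the policy's own namespace
    return other["ns"] == policy_ns and _matches(peer["podSelector"], other["labels"])

def _port_matches(rule, protocol, port):  # no ports list = all ports and protocols
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
                            for p in ports)

def _direction_allowed(subject, other, direction, protocol, port, policies):
    """Ingress: subject is the destination; Egress: subject is the source. Not selected =>
    not isolated => allowed. Selected => allowed only if some rule of some selecting
    policy matches: policies are a union of allows, never a deny."""
    isolated, peers_key = False, ("from" if direction == "Ingress" else "to")
    for pol in policies:
        spec = pol["spec"]
        if (pol["metadata"]["namespace"] != subject["ns"] or direction not in _policy_types(spec)
                or not _matches(spec["podSelector"], subject["labels"])):
            continue
        isolated = True
        for rule in spec.get(direction.lower()) or []:
            peers = rule.get(peers_key)  # absent or empty from/to = any peer
            if (not peers or any(_peer_matches(p, subject["ns"], other) for p in peers)) \
                    and _port_matches(rule, protocol, port):
                return True
    return not isolated

def allowed(src, dst, protocol, port, policies=POLICIES):
    """A connection needs the source's egress AND the destination's ingress to allow it."""
    return ((src["ns"] is None or _direction_allowed(src, dst, "Egress", protocol, port, policies))
            and (dst["ns"] is None or _direction_allowed(dst, src, "Ingress", protocol, port, policies)))
```

Call allowed(src, dst, protocol, port) from a REPL. With the policies above, frontend→backend TCP/8080 is allowed, frontend→database TCP/5432 is denied (the database has an ingress rule but the frontend has no matching egress rule), dev/tool→backend TCP/8080 is denied because a bare podSelector never matches another namespace, frontend→coredns works on UDP/53 but not TCP/53, and appending one catch-all policy with ingress: [{}] and egress: [{}] re-opens everything, which is the union-of-allows pitfall from the debugging steps.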
Best practices: (1) Start with default deny (Ingress and Egress) in each namespace. (2) Use labels consistently; podSelector only ever sees labels, not names. (3) Document allowed traffic paths. (4) Test policies in staging before production. (5) Monitor denied connections (Calico flow logs, Cilium Hubble). (6) Prefer pod and namespace selectors over broad ipBlock ranges; reserve ipBlock for cluster-external destinations. (7) Version policies with the apps they protect (GitOps). (8) Use namespaceSelector for cross-namespace paths carefully, pairing it with a podSelector so a whole namespace is not opened at once. Review quarterly.