
Network Policies in Kubernetes

How network policies replace flat open pod networking with explicit allowed connections between workloads.


The Default Is Wide Open

By default every pod in a Kubernetes cluster can talk to every other pod. A single compromised pod can then probe and reach databases and internal services freely. Network policies restrict which pods may connect to which.

How a Policy Selects Pods

A network policy uses labels to choose the pods it governs and to describe allowed peers.

  • Ingress rules define who may connect to the selected pods.
  • Egress rules define where the selected pods may connect.
  • Peers can be other pods, whole namespaces, or address ranges.

The Default Deny Pattern

Once any policy selects a pod, traffic in the directions that policy covers (ingress, egress, or both) is dropped unless some rule explicitly allows it. A common baseline applies a default deny policy to every pod in a namespace, then adds narrow allow rules for the connections each service truly needs.

Why It Matters

  • It stops lateral movement after a single pod is compromised.
  • It enforces that a frontend may reach an API but not the database directly.
  • It only works with a network (CNI) plugin that enforces NetworkPolicy; the API object alone is accepted by the cluster but enforces nothing.

Key idea

Network policies use labels to define ingress and egress rules between pods, and a default deny baseline with narrow allows stops a compromised pod from moving laterally across the cluster.

Check yourself


1. What is the default pod to pod connectivity in Kubernetes?

2. What does a network policy use to select pods and peers?

3. What does a default deny baseline accomplish?