A Kubernetes NetworkPolicy defines how pods communicate with each other and with external endpoints. It provides fine-grained control over ingress and egress traffic at the IP and port level. By enforcing explicit communication rules, it enables microsegmentation and supports zero-trust networking inside a cluster.
How It Works
A policy selects a group of pods using label selectors and then specifies allowed traffic rules. These rules define which sources (for ingress) or destinations (for egress) can communicate with the selected pods, along with permitted ports and protocols. If no policy selects a pod, traffic flows freely by default.
Once a pod is selected by at least one policy, Kubernetes enforces a default deny behavior for the traffic types defined in that policy. Only traffic explicitly allowed in the rules is permitted. This model shifts networking from implicit trust to explicit authorization.
Enforcement depends on the cluster's Container Network Interface (CNI) plugin. Solutions such as Calico, Cilium, or Antrea translate policy definitions into underlying firewall or eBPF rules. Without a compatible CNI, the resource exists but has no effect.
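The selection and default-deny behaviour described above, as an added example that is not part of the original article: a namespace-wide deny-all policy followed by a policy that re-opens only the api tier's required traffic. The namespace "shop", the labels app=frontend and app=api, and the kube-dns labels (those of a default CoreDNS deployment) are assumptions for illustration.

```yaml
# Added example, not the article's own. Namespace "shop", labels app=frontend
# and app=api, and the kube-dns labels (default CoreDNS) are assumptions.
# Policy 1: the empty podSelector selects every pod in the namespace; both
# policyTypes with no rules means deny all ingress and egress by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Policy 2: re-open only what the api tier needs. Policies are additive:
# traffic passes if any policy selecting the pod allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only frontend pods in the same namespace may reach the api on TCP 8080.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Keep DNS working under deny-all: allow UDP 53 to kube-dns only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Apply both objects with kubectl apply -f and verify with a connectivity test from a non-frontend pod; if the CNI does not implement NetworkPolicy, the objects are created but traffic still flows freely.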
Why It Matters
In multi-tenant clusters and production environments, unrestricted pod-to-pod communication increases the attack surface. Fine-grained traffic control limits lateral movement during a breach and isolates workloads by environment, team, or application tier.
From an operational perspective, it strengthens compliance and auditability. Teams can formally define which services communicate, align controls with security policies, and reduce reliance on perimeter firewalls. This approach improves resilience while maintaining deployment agility in cloud-native systems.
Key Takeaway
NetworkPolicy brings enforceable, pod-level traffic control to Kubernetes, enabling secure microsegmentation and zero-trust networking by default.