Kubernetes Network Policies Explained

By Admin · Mar 1, 2026 · Updated Apr 24, 2026

What Are Network Policies?

Network Policies are Kubernetes resources that control traffic flow between Pods. By default, all Pods can communicate with each other. Network Policies let you restrict this traffic to improve security on your Breeze.

Prerequisites

Your cluster needs a CNI plugin that supports Network Policies. K3s uses Flannel by default, which does not support them. Install Calico instead:

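# Install K3s without Flannel and without its embedded network policy controller
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend=none --disable-network-policy" sh -
# Install Calico v3.27.0 as the CNI plugin
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml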

Deny All Ingress Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress

This blocks all incoming traffic to Pods in the default namespace.

Allow Traffic from Specific Pods

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

Allow Traffic from a Namespace

# Fragment: goes under spec; allows traffic from all Pods in namespaces labeled purpose=monitoring
ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            purpose: monitoring

Deny All Egress

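# The metadata name is a placeholder. With no egress rules, all outbound traffic (DNS included) is blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector:
    matchLabels:
      app: restricted
  policyTypes:
    - Egress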

Best Practices

  • Start with a deny-all policy, then allow specific traffic
  • Label namespaces and Pods consistently for policy selectors
  • Test policies in a staging environment first
  • Use kubectl describe networkpolicy to verify rules
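
How the deny-all and allow policies above combine, as an added example that is not part of the original article: a small Python model of NetworkPolicy ingress evaluation showing that policies are additive. It assumes matchLabels selectors and numeric TCP ports only (no ipBlock, matchExpressions, or named ports); the Pod and namespace data, the "observability" namespace, and the empty podSelector on the monitoring policy are constructed for illustration.

```python
# Added example: simplified model of NetworkPolicy ingress evaluation.
# Assumptions: matchLabels selectors and numeric TCP ports only; sample data is constructed.

def matches(selector, labels):
    """Empty selector ({}) matches everything; otherwise every matchLabels pair must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src, ns_labels):
    """A `from` entry with only podSelector is scoped to the policy's own namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return matches(peer.get("podSelector", {}), src["labels"])

def ingress_allowed(policies, src, dst, port, ns_labels):
    """True if src may open a TCP connection to dst on `port`."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects the Pod: default allow-all
    for p in selecting:  # policies are additive: any matching rule allows
        for rule in p.get("ingress", []):
            ports, peers = rule.get("ports"), rule.get("from")
            port_ok = not ports or any(x["port"] == port for x in ports)
            peer_ok = not peers or any(
                peer_matches(peer, p["namespace"], src, ns_labels) for peer in peers)
            if port_ok and peer_ok:
                return True
    return False  # isolated by a policy and no rule matched

# Constructed data mirroring the article's manifests (namespace "default" assumed).
DENY_ALL = {"namespace": "default", "podSelector": {}, "policyTypes": ["Ingress"]}
ALLOW_FE = {"namespace": "default", "podSelector": {"matchLabels": {"app": "backend"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}]}
ALLOW_MON = {"namespace": "default", "podSelector": {}, "ingress": [
    {"from": [{"namespaceSelector": {"matchLabels": {"purpose": "monitoring"}}}]}]}
NS_LABELS = {"default": {}, "observability": {"purpose": "monitoring"}}
FRONTEND = {"namespace": "default", "labels": {"app": "frontend"}}
BACKEND = {"namespace": "default", "labels": {"app": "backend"}}
SCRAPER = {"namespace": "observability", "labels": {"app": "prometheus"}}

if __name__ == "__main__":
    for port in (8080, 9090):
        print(port, ingress_allowed([DENY_ALL, ALLOW_FE], FRONTEND, BACKEND, port, NS_LABELS))
```

The model makes one scoping detail visible: a `from` entry with only a podSelector never matches Pods in other namespaces, so cross-namespace access needs a namespaceSelector.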