Managing Network Policies

Overview

Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.

Prerequisites

• Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
• kubectl configured with permissions to create and manage NetworkPolicy resources
• Pod labels consistently defined across deployments for accurate selector targeting
• Service communication map documenting which pods need to talk to which pods on which ports
• Understanding of DNS requirements (pods need egress to kube-dns on port 53 for name resolution)

Instructions

1. Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
2. Start with a default-deny policy for both ingress and egress in each namespace to establish zero-trust baseline
3. Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
4. Always include a DNS egress rule allowing traffic to kube-system namespace on UDP/TCP port 53 for CoreDNS