Description: Use when managing Kubernetes network policies and firewall rules.
Allowed tools: Read, Write, Edit, Grep, Glob, Bash(kubectl:*)
Managing Network Policies
Overview
Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.
Prerequisites
- Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
- kubectl configured with permissions to create and manage NetworkPolicy resources
- Pod labels consistently defined across deployments for accurate selector targeting
- Service communication map documenting which pods need to talk to which pods on which ports
- Understanding of DNS requirements (pods need egress to the CoreDNS/kube-dns pods on UDP and TCP port 53 for name resolution; without it, every hostname lookup fails even when the target path is allowed)
Instructions
- Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
- Start with a default-deny policy for both ingress and egress in each namespace to establish the zero-trust baseline: an empty podSelector (selects every pod in the namespace), policyTypes Ingress and Egress, and no rules
- Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
- Always include a DNS egress rule allowing UDP and TCP port 53 to the CoreDNS pods in the kube-system namespace; select the namespace by its kubernetes.io/metadata.name label and the DNS pods by their own label, rather than opening port 53 to the whole namespace
- Define egress rules for external access with ipBlock CIDR entries for endpoints outside the cluster; a namespaceSelector only reaches pods in other namespaces and never matches an external service
- Apply policies to a test namespace first and verify connectivity with kubectl exec (curl/wget from inside a pod), confirming both that allowed paths succeed and that denied paths time out
- Monitor for dropped traffic with the CNI plugin's own tooling (Cilium: cilium monitor --type drop, or hubble observe --verdict DROPPED; Calico: add a rule with action Log to a Calico NetworkPolicy and read the node's syslog/kernel log); note that calicoctl node status reports BGP peering, not dropped flows
- Iterate on policies: add missing allow rules for any legitimate traffic that gets blocked
- Document each policy with annotations explaining the business reason for the allowed communication
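The steps above can be carried out once as a generator: take the service communication map, emit the default-deny baseline, the namespace-wide DNS egress rule, an ingress plus egress pair for every in-cluster path, and ipBlock egress for every external endpoint, then lint the result for the most common failure (egress restricted with no DNS allow) before anything reaches kubectl. The block below is an added example written for this page, not code from the skill itself. The communication map, the "shop" namespace, the 203.0.113.0/24 CIDR (TEST-NET-3) and the policy.example.com/reason annotation key are constructed assumptions; it also assumes CoreDNS runs in kube-system labelled k8s-app=kube-dns, as in kubeadm-style clusters.

```python
"""Generate least-privilege NetworkPolicy manifests from a service communication map."""
import json

# Constructed sample communication map (assumption: a hypothetical "shop" namespace).
COMM_MAP = {
    "namespace": "shop",
    "paths": [  # in-cluster pod-to-pod paths: src -> dst on ports
        {"name": "web-to-api", "src": {"app": "web"}, "dst": {"app": "api"},
         "ports": [("TCP", 8080)], "reason": "web frontend calls the API"},
        {"name": "api-to-db", "src": {"app": "api"}, "dst": {"app": "postgres"},
         "ports": [("TCP", 5432)], "reason": "API reads and writes orders"},
    ],
    "external": [  # egress to endpoints outside the cluster, by CIDR (ipBlock)
        {"name": "api-to-payments", "src": {"app": "api"}, "cidr": "203.0.113.0/24",
         "ports": [("TCP", 443)], "reason": "payment provider API (TEST-NET-3 placeholder)"},
    ],
}

# Assumption: CoreDNS lives in kube-system with label k8s-app=kube-dns (kubeadm default).
# The namespace is selected by the label the API server sets on every namespace.
DNS_TO = [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
           "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}]
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]


def _ports(pairs):
    return [{"protocol": proto, "port": port} for proto, port in pairs]


def _policy(ns, name, reason, pod_selector, types, ingress=None, egress=None):
    """Build one NetworkPolicy; the business reason travels with the rule as an annotation."""
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns,
                         "annotations": {"policy.example.com/reason": reason}},  # assumed key
            "spec": spec}


def default_deny(ns):
    # Empty podSelector selects every pod; both policyTypes with no rules denies everything.
    return _policy(ns, "default-deny-all", "zero-trust baseline", {}, ["Ingress", "Egress"])


def dns_egress(ns):
    return _policy(ns, "allow-dns-egress", "name resolution via CoreDNS", {}, ["Egress"],
                   egress=[{"to": DNS_TO, "ports": DNS_PORTS}])


def allow_path(ns, p):
    """With default-deny in both directions a path needs an ingress rule on the
    destination AND an egress rule on the source; one without the other still blocks."""
    ingress = _policy(ns, f"allow-{p['name']}-ingress", p["reason"], {"matchLabels": p["dst"]},
                      ["Ingress"], ingress=[{"from": [{"podSelector": {"matchLabels": p["src"]}}],
                                             "ports": _ports(p["ports"])}])
    egress = _policy(ns, f"allow-{p['name']}-egress", p["reason"], {"matchLabels": p["src"]},
                     ["Egress"], egress=[{"to": [{"podSelector": {"matchLabels": p["dst"]}}],
                                          "ports": _ports(p["ports"])}])
    return [ingress, egress]


def allow_external(ns, e):
    return _policy(ns, f"allow-{e['name']}-egress", e["reason"], {"matchLabels": e["src"]},
                   ["Egress"], egress=[{"to": [{"ipBlock": {"cidr": e["cidr"]}}],
                                        "ports": _ports(e["ports"])}])


def generate(comm_map):
    ns = comm_map["namespace"]
    policies = [default_deny(ns), dns_egress(ns)]
    for p in comm_map["paths"]:
        policies.extend(allow_path(ns, p))
    for e in comm_map["external"]:
        policies.append(allow_external(ns, e))
    return policies


def check_dns_egress(policies):
    """Catch the 'DNS resolution fails' failure mode before kubectl apply: if any policy
    restricts egress, some policy selecting all pods must allow port 53 over UDP and TCP."""
    if not any("Egress" in p["spec"]["policyTypes"] for p in policies):
        return []
    for p in policies:
        if p["spec"]["podSelector"] != {}:
            continue
        for rule in p["spec"].get("egress", []):
            allowed = {(x["protocol"], x["port"]) for x in rule.get("ports", [])}
            if {("UDP", 53), ("TCP", 53)} <= allowed:
                return []
    return ["egress is restricted but no namespace-wide policy allows DNS (port 53 UDP+TCP)"]


def to_manifest(policies):
    """kubectl apply -f accepts a v1 List in JSON, so no YAML library is needed."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2)


if __name__ == "__main__":
    pols = generate(COMM_MAP)
    assert check_dns_egress(pols) == [], check_dns_egress(pols)
    print(to_manifest(pols))
```

Pipe the output to kubectl apply -f - against the test namespace, then run the kubectl exec checks; because every policy carries its reason annotation, kubectl describe networkpolicy later answers "why is this open" without a trip to the ticket system.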
Output
- Default-deny NetworkPolicy manifests for ingress and egress per namespace
- Allow-list NetworkPolicy manifests for each service communication path
- DNS egress policy allowing pod name resolution
- External access egress policies with CIDR blocks
- Connectivity test commands for validation
Error Handling
| Error | Cause | Solution |
|---|---|---|
| All traffic blocked after applying policy | Default-deny applied without corresponding allow rules | Apply allow rules before or together with the deny policy; verify with kubectl exec tests |
| DNS resolution fails after network policy | Missing egress rule for kube-dns/CoreDNS | Add an egress policy allowing UDP and TCP port 53 to the CoreDNS pods in the kube-system namespace |
Po