managing-network-policies

Execute use when managing Kubernetes network policies and firewall rules. Trigger with phrases like "create network policy", "configure firewall rules", "restrict pod communication", or "setup ingress/egress rules". Generates Kubernetes NetworkPolicy manifests following least privilege and zero-trust principles.

v1.0.0
Jeremy Longshore
MIT
claude-codecodexopenclaw
6 Tools
network-policy-manager Plugin
devops Category

Allowed Tools

ReadWriteEditGrepGlobBash(kubectl:*)

Provided by Plugin

network-policy-manager

Manage Kubernetes network policies and firewall rules

devops v1.0.0
View Plugin

Installation

This skill is included in the network-policy-manager plugin:

/plugin install network-policy-manager@claude-code-plugins-plus

Click to copy

Instructions

Managing Network Policies

Overview

Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.

Prerequisites

  • Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
  • kubectl configured with permissions to create and manage NetworkPolicy resources
  • Pod labels consistently defined across deployments for accurate selector targeting
  • Service communication map documenting which pods need to talk to which pods on which ports
  • Understanding of DNS requirements (pods need egress to kube-dns on port 53 for name resolution)

Instructions

  1. Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
  2. Start with a default-deny policy for both ingress and egress in each namespace to establish zero-trust baseline
  3. Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
  4. Always include a DNS egress rule allowing traffic to kube-system namespace on UDP/TCP port 53 for CoreDNS
  5. Define egress rules for external API access: use CIDR blocks or namespaceSelector for known external services
  6. Apply policies to a test namespace first and verify connectivity with kubectl exec curl/wget commands
  7. Monitor for blocked traffic in the CNI plugin logs (Calico: calicoctl node status, Cilium: cilium monitor)
  8. Iterate on policies: add missing allow rules for any legitimate traffic that gets blocked
  9. Document each policy with annotations explaining the business reason for the allowed communication

Output

  • Default-deny NetworkPolicy manifests for ingress and egress per namespace
  • Allow-list NetworkPolicy manifests for each service communication path
  • DNS egress policy allowing pod name resolution
  • External access egress policies with CIDR blocks
  • Connectivity test commands for validation

Error Handling

Error Cause Solution
All traffic blocked after applying policy Default-deny applied without corresponding allow rules Apply allow rules before or simultaneously with deny policies; verify with kubectl exec tests
DNS resolution fails after network policy Missing egress rule for kube-dns/CoreDNS Add egress policy allowing UDP and TCP port 53 to kube-system namespace
Policy not targeting intended pods Label mismatch between policy selector and pod labels Verify labels with kubectl get pods --show-labels; match selectors exactly
Traffic still allowed despite deny policy CNI plugin does not support NetworkPolicy or policy in wrong namespace Verify CNI support with kubectl get networkpolicy -A; ensure policy is in the correct namespace
Intermittent connection failures Policy allows traffic but connection pool or timeout settings too aggressive Check if the issue is network policy or application-level; test with kubectl exec during failures

Examples

  • "Create a default-deny policy for the production namespace, then add allow rules so only the ingress controller can reach web pods on port 443."
  • "Generate egress policies that restrict the API pods to communicate only with PostgreSQL (port 5432), Redis (port 6379), and external HTTPS APIs."
  • "Build a complete set of network policies for a 3-tier app: frontend -> API (8080), API -> database (5432), API -> cache (6379), all pods -> DNS (53)."

Resources

  • Kubernetes NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  • Calico network policy: https://docs.tigera.io/calico/latest/network-policy/
  • Cilium network policy: https://docs.cilium.io/en/stable/security/policy/
  • Network policy editor (visual): https://editor.networkpolicy.io/

Ready to use network-policy-manager?

Related Skills

adk-infra-expert

Execute use when provisioning Vertex AI ADK infrastructure with Terraform.

ReadWriteEdit

building-cicd-pipelines

Execute use when you need to work with deployment and CI/CD.

ReadWriteEdit

building-gitops-workflows

Execute use when constructing GitOps workflows using ArgoCD or Flux.

ReadWriteEdit

building-terraform-modules

Execute this skill empowers AI assistant to build reusable terraform modules based on user specifications.

ReadWriteEdit

checking-infrastructure-compliance

Execute use when you need to work with compliance checking.

ReadWriteEdit

configuring-auto-scaling-policies

Configure use when you need to work with auto-scaling.

ReadWriteEdit