pattern · bash · kubernetes · Major
Network policies: deny all traffic by default then allow selectively
Tags: network policy, default deny, zero trust, calico, cilium, ingress, egress, pod selector, namespace selector, cni, L4 firewall
Problem
By default, all pods in a Kubernetes cluster can communicate with all other pods freely. A compromised pod can reach any service including databases, internal APIs, and cluster infrastructure.
Solution
Implement a default-deny NetworkPolicy for each namespace, then explicitly allow required traffic.
# Default deny all ingress and egress in the namespace.
# No ingress/egress rules are listed, so selecting every pod for both
# policyTypes denies everything until another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}   # applies to all pods in the namespace
  policyTypes:
  - Ingress
  - Egress
---
# Allow app to talk to database. This opens ingress on the postgres pods only;
# because egress is also default-denied above, the myapp pods need a matching
# egress policy (TCP 5432 to app=postgres) before the connection succeeds.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: myapp
    ports:
    - port: 5432
Why
Kubernetes networking is flat: every pod can reach every other pod by default, across namespaces. The NetworkPolicy object is only stored by the API server; enforcement is the job of the CNI plugin (Calico, Cilium, Weave), which turns the pod and namespace selectors plus protocol and port into L3/L4 rules on each node. A zero-trust default-deny posture limits the blast radius of a compromised workload: it can reach only what a policy explicitly allows, not every database and internal API in the cluster.
Gotchas
- NetworkPolicies require a CNI plugin that supports them: Flannel on its own does not; Calico, Cilium, and Weave do. The API server accepts the object either way, so on an unsupported CNI the policy is silently ignored. Always confirm with a connectivity test from inside a pod that a connection you expect to be denied actually fails.
- An empty podSelector ({}) selects all pods in the namespace; combined with policyTypes [Ingress, Egress] and no rules it is the namespace-wide default deny.
- Policies are additive and isolation is per direction. If no policy selects a pod, all of its traffic is allowed. Once any policy selects it for a direction (per policyTypes), that direction is denied except for the union of the allow rules of every policy selecting it; there are no deny rules and policy order does not matter. Note that allow-app-to-db above only opens ingress on the postgres pods: because default-deny-all also isolates egress, myapp needs its own egress policy allowing TCP 5432 to app=postgres or the connection still fails.
- DNS must be explicitly allowed in egress policies: UDP and TCP port 53 to the kube-dns/CoreDNS pods in kube-system (a namespaceSelector for kube-system combined with a podSelector for the DNS pods). Without it every pod under default-deny egress fails name resolution, which shows up as slow timeouts rather than an obvious connection refused.
- NetworkPolicies are namespace-scoped. A podSelector in a from/to entry matches only pods in the policy's own namespace; to reference pods elsewhere, put namespaceSelector and podSelector in the same from/to entry (they are ANDed). Listing them as two separate entries ORs them, which allows every pod in the selected namespace.
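The following evaluator is an added example, not code from the original page or from Kubernetes; it models the NetworkPolicy semantics described in Solution and Gotchas (per-direction isolation, additive allow rules, namespace-local podSelector, the DNS egress requirement) so you can see which connections the manifests above really permit. Policies are plain dicts with the structure yaml.safe_load() produces for those manifests; the pods, namespaces and labels are constructed sample data. It assumes the CoreDNS pods carry the label k8s-app=kube-dns and that namespaces carry the automatic kubernetes.io/metadata.name label, both true on current stock clusters, and only models the subset of the API used here (matchLabels selectors, ports, policyTypes).

```python
"""Evaluate who can talk to whom under a set of NetworkPolicy manifests.

Added example, not the page's or Kubernetes' own code. Modelled subset:
podSelector/namespaceSelector with matchLabels, ports, policyTypes.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels (kubernetes.io/metadata.name is set by Kubernetes).
NAMESPACE_LABELS = {ns: {"kubernetes.io/metadata.name": ns}
                    for ns in ("production", "staging", "kube-system")}


def matches(selector, labels):
    """matchLabels: every listed key must be present with that value; {} matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, pod, policy_ns):
    """One from:/to: entry. podSelector alone is namespace-local; namespaceSelector
    alone matches any pod in matching namespaces; both in one entry are ANDed."""
    ps, ns = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns is None:
        return ps is not None and pod.namespace == policy_ns and matches(ps, pod.labels)
    ns_ok = matches(ns, NAMESPACE_LABELS.get(pod.namespace, {}))
    return ns_ok and (ps is None or matches(ps, pod.labels))


def port_matches(rule, port, proto):
    """No ports list means every port and protocol; protocol defaults to TCP."""
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port
                            for p in ports)


def policy_types(spec):
    """Absent policyTypes means Ingress, plus Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def direction_ok(policies, subject, peer, port, proto, direction):
    """Isolation is per direction: the subject is isolated only if some policy in its
    namespace selects it for this direction; then the union of all allow rules applies."""
    rules_key, peers_key = ("egress", "to") if direction == "Egress" else ("ingress", "from")
    isolated = False
    for pol in policies:
        ns, spec = pol["metadata"]["namespace"], pol["spec"]
        if ns != subject.namespace or not matches(spec.get("podSelector"), subject.labels):
            continue
        if direction not in policy_types(spec):
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peers_key)
            peer_ok = not peers or any(peer_matches(p, peer, ns) for p in peers)
            if peer_ok and port_matches(rule, port, proto):
                return True  # one matching allow rule is enough
    return not isolated


def allowed(policies, src, dst, port, proto="TCP"):
    """A connection needs the source's egress AND the destination's ingress to allow it."""
    return (direction_ok(policies, src, dst, port, proto, "Egress")
            and direction_ok(policies, dst, src, port, proto, "Ingress"))


def policy(name, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "production"}, "spec": spec}


TCP_5432 = [{"protocol": "TCP", "port": 5432}]
# The two manifests from Solution:
DEFAULT_DENY = policy("default-deny-all", {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]})
ALLOW_APP_TO_DB = policy("allow-app-to-db", {
    "podSelector": {"matchLabels": {"app": "postgres"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "myapp"}}}], "ports": TCP_5432}]})
# The two policies still needed once egress is default-denied (assumed DNS labels, see lead-in):
ALLOW_APP_EGRESS_TO_DB = policy("allow-app-egress-to-db", {
    "podSelector": {"matchLabels": {"app": "myapp"}}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}], "ports": TCP_5432}]})
ALLOW_DNS = policy("allow-dns-egress", {
    "podSelector": {}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                        "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]})

# Constructed pods.
APP = Pod("myapp-0", "production", {"app": "myapp"})
DB = Pod("postgres-0", "production", {"app": "postgres"})
ROGUE = Pod("rogue-0", "production", {"app": "rogue"})
DNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})
STAGING_APP = Pod("myapp-0", "staging", {"app": "myapp"})


def checks():
    """The connectivity matrix a practitioner would verify after applying the policies."""
    page_only = [DEFAULT_DENY, ALLOW_APP_TO_DB]
    full = page_only + [ALLOW_APP_EGRESS_TO_DB, ALLOW_DNS]
    return {
        "flat_network_app_to_db": allowed([], APP, DB, 5432),            # True: no policy, all open
        "page_only_app_to_db": allowed(page_only, APP, DB, 5432),        # False: myapp egress denied
        "full_app_to_db": allowed(full, APP, DB, 5432),                  # True
        "full_rogue_to_db": allowed(full, ROGUE, DB, 5432),              # False
        "full_app_to_db_wrong_port": allowed(full, APP, DB, 5433),       # False
        "full_app_dns_udp": allowed(full, APP, DNS, 53, "UDP"),          # True
        "full_staging_app_to_db": allowed(full, STAGING_APP, DB, 5432),  # False: podSelector is namespace-local
    }


if __name__ == "__main__":
    for name, ok in checks().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The check to notice is page_only_app_to_db: with only the two manifests from Solution applied, default-deny-all isolates myapp's egress and nothing re-opens it, so the app cannot reach its database even though the postgres ingress rule is correct. The staging case shows why a podSelector alone never crosses namespaces. On a real cluster the same matrix is confirmed by exec'ing into each pod and attempting the connection, which is also the only way to notice that the CNI is not enforcing policies at all.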
Context
Hardening Kubernetes cluster network security for production workloads