ReviseAlgo Logo

Kubernetes Networking & Services

Network Policies — Firewalling Traffic Between Pods

Declaring ingress/egress firewall rules for namespace pods.

Interview: Zero-trust networking is heavily tested. Explain the default-allow behavior of Kubernetes networks (any Pod can talk to any Pod) and how NetworkPolicies implement zero-trust firewall rules. Be ready to explain that NetworkPolicies require a CNI plugin that supports enforcement (like Calico or Cilium).

Last Updated: June 15, 2026 10 min read

The Default-Allow Risk

By default, Kubernetes networking is completely open (a "default-allow" model). Any Pod in any namespace can send traffic to any other Pod in the cluster. If an attacker compromises an exposed frontend container, they can query database systems or backend engines without restriction.

**NetworkPolicies** act as distributed firewall rules inside the cluster, enabling you to implement zero-trust security topologies using labels.

CNI Plugin Enforcement

A NetworkPolicy is a declarative resource definition. The Kubernetes API server parses it and writes it to etcd, but the default network driver does not enforce it. To secure network traffic, your cluster must deploy a CNI plugin that supports policy enforcement (such as **Calico**, **Cilium**, or **Weave Net**).

Ingress and Egress Configurations

  • Ingress: Firewall rules that control inbound traffic to a targeted group of Pods.
  • Egress: Firewall rules that control outbound traffic leaving a targeted group of Pods.

NetworkPolicy Manifest Example

Here is a NetworkPolicy that restricts access to the database Pod, allowing ingress traffic only from API backend containers: