---
title: "Zero Trust Security with Kubernetes Network Policies: A Practical Guide"
author: Kubo Team
date: 2026-05-27
description: "Implement zero trust networking in Kubernetes with Network Policies. From Default Deny to Cilium and Calico advanced policies with real YAML examples."
tags: [Kubernetes, Network Policy, Zero Trust, Security, Cilium, Calico, Networking]
---

# Zero Trust Security with Kubernetes Network Policies: A Practical Guide

By default, Kubernetes allows completely unrestricted pod-to-pod communication across all namespaces. If a single container is compromised, the attacker gains network access to every service in the cluster — databases, internal APIs, and sensitive services included.

[Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) provide the native solution to this problem. This guide walks through implementing a complete zero trust network, from Default Deny to advanced L7 policies with Cilium and Calico, using practical YAML examples throughout.

[Kubo](https://kubo.hexabase.io/) is a managed Kubernetes platform from ¥48,000/month that includes baseline Network Policy enforcement as part of its security foundation.

## Understanding the Zero Trust Model

Zero trust means "nothing is trusted by default; every connection must be explicitly allowed." According to [Groundcover's explanation](https://www.groundcover.com/learn/security/zero-trust-kubernetes), in Kubernetes this means that pods can only communicate when there is a clear policy permitting it.

### Why Kubernetes Needs Zero Trust

[Atmosly's security guide](https://atmosly.com/blog/kubernetes-network-policies-security-implementation-guide-2025) identifies these critical risks:

- **Lateral movement**: A compromised pod can reach every service in the cluster
- **Data exfiltration**: Direct access to database pods becomes trivial
- **Supply chain attacks**: Compromised third-party containers can explore internal networks

Network Policies control traffic at OSI layers 3-4 (IP/port) to mitigate these risks.

On [Kubo](https://kubo.hexabase.io/) with [Captain.AI](https://www.hexabase.com/product/captain-ai/), communication between AI workers is also restricted to the minimum necessary via Network Policies.

## Default Deny: The Foundation of Zero Trust

### Deny All Ingress Traffic

The Default Deny policy from the [Kubernetes official documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}      # Empty selector = applies to all pods in namespace
  policyTypes:
  - Ingress             # Deny ingress only; egress remains allowed
```

### Deny All Egress Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
```

### Deny All Traffic (Ingress + Egress)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

> **Critical**: After applying Default Deny, you must add explicit allow policies for required communication, or your applications will stop working. In particular, **never forget to allow DNS (port 53) egress**.

## Practical Network Policy Patterns

### Pattern 1: Frontend to Backend to Database

A typical three-tier architecture with Network Policies:

```yaml
# Backend: Allow ingress only from frontend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# Database: Allow ingress only from backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-database
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 5432
```

### Pattern 2: Cross-Namespace Communication Control

Namespace-based isolation recommended by [Red Hat's guide](https://www.redhat.com/en/blog/guide-to-kubernetes-ingress-network-policies):

```yaml
# Allow metrics collection only from monitoring namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          purpose: monitoring
    ports:
    - protocol: TCP
      port: 9090
```

### Pattern 3: DNS and External Communication

The essential DNS allow rule emphasized by [Daily.dev's best practices](https://daily.dev/blog/kubernetes-network-policies-best-practices/):

```yaml
# Allow DNS egress for all pods (required with Default Deny Egress)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

## Cilium vs Calico: Choosing an Advanced CNI

Standard Kubernetes Network Policies are limited to L3-L4 (IP/port) control. For L7 (HTTP/gRPC) policies and advanced features, consider [Cilium](https://cilium.io/) or [Calico](https://docs.tigera.io/calico/latest/network-policy/adopt-zero-trust).

### Cilium

According to [Cilium zero trust implementation guides](https://azurebeast.com/posts/implement-zero-trust-network-security-with-cilium-in-aks/):

- **eBPF-based**: High-performance packet processing at the kernel level
- **L7 policies**: Filter by HTTP method, path, and headers
- **DNS-based egress control**: Restrict external destinations by FQDN
- **Hubble**: Real-time network flow visualization

```yaml
# Cilium L7 policy example: Allow only GET requests
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-api-policy
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
```

### Calico

According to [Calico's zero trust guide](https://docs.tigera.io/calico/latest/network-policy/adopt-zero-trust):

- **BGP routing**: High scalability for large networks
- **GlobalNetworkPolicy**: Cluster-wide policy enforcement
- **Policy tiers**: Hierarchical policy management (Security > Platform > Application)
- **Enterprise-ready**: Mature compliance capabilities

| Feature | Cilium | Calico |
|---|---|---|
| Data plane | eBPF | iptables / eBPF |
| L7 policies | Native support | Requires Envoy integration |
| Visualization | Hubble (built-in) | Calico Enterprise |
| Scalability | High (eBPF) | High (BGP) |
| Learning curve | Moderate-high | Moderate |

## Phased Rollout: Monitor-then-Enforce

[2026 best practices](https://www.youngju.dev/blog/kubernetes/2026-03-11-kubernetes-network-policy-cilium-calico-security.en) recommend a "Monitor-then-Enforce" lifecycle to avoid breaking production traffic.

### Step 1: Map Current Traffic Flows

Use Hubble (Cilium) or Calico Enterprise flow visualization to record actual communication patterns.

### Step 2: Test Policies in Audit Mode

Apply policies in staging environments and verify no unintended blocks occur.

### Step 3: Enforce Gradually

Apply Default Deny namespace-by-namespace, confirming stability before moving to the next.

### Step 4: Continuous Monitoring and Iteration

Update policies continuously as new services are added and communication patterns change.

## Zero Trust Implementation Checklist

Implement zero trust networking with Kubernetes Network Policies by following these steps:

- [ ] Apply Default Deny (Ingress + Egress) to all namespaces
- [ ] Explicitly allow DNS egress
- [ ] Allow minimum necessary application-to-application communication
- [ ] Control cross-namespace traffic
- [ ] Restrict egress to only required external destinations
- [ ] Deploy Cilium or Calico if L7 control is needed
- [ ] Follow the Monitor-then-Enforce phased rollout

**[Kubo](https://kubo.hexabase.io/) applies baseline Network Policies at the platform level.** From just ¥48,000/month, you get a secure Kubernetes environment ready for production. Combined with [Captain.AI](https://www.hexabase.com/product/captain-ai/), your AI workload security is comprehensive.

For zero trust implementation support, [contact us](https://www.hexabase.com/contact-us/).