Kubernetes
Network Policies
Network Policies explains label-based ingress and egress rules enforced by a compatible CNI plugin between selected Pods and network peers for day-to-day application development.
Syntax
kubectl auth can-i VERB RESOURCE
📝 Kubernetes Example
👁 Expected Result
💡 Apply examples in a disposable namespace and inspect the resulting resources, status, and events.
Output
Network Policies: the permitted action is allowed and the sensitive action is denied.
Line-by-Line Explanation
| Line | Meaning |
|---|---|
kubectl auth can-i get pods --as system:serviceaccount:demo:app -n demo | In Network Policies, line 2 checks authorization for an identity and API action. |
kubectl auth can-i delete secrets --as system:serviceaccount:demo:app -n demo | In Network Policies, line 3 checks authorization for an identity and API action. |
Real-World Uses
- 1Network Policies is useful when teams need to limit identities, permissions, traffic, secrets, and workload privileges.
- 2A common production context for Network Policies is multi-team clusters and production workloads.
- 3Within day-to-day application development, Network Policies is proven by least-privilege access with enforced policy evidence.
Common Mistakes
- 1For Network Policies, the central failure is: creating NetworkPolicy objects on a CNI that does not enforce them provides false confidence.
- 2Do not apply Network Policies before checking its required API resources, controllers, permissions, and dependencies.
- 3Avoid copying a Network Policies example without adapting names, selectors, namespaces, capacity, and security settings.
- 4Do not mark Network Policies complete until its status, events, runtime behavior, and cleanup path have been inspected.
Best Practices
- 1For Network Policies, follow this rule: start with default deny, then permit only documented sources, destinations, namespaces, and ports.
- 2Keep the smallest working Network Policies definition in version control so its intent remains reviewable.
- 3Use explicit ownership, labels, resource policy, and namespace scope for every object involved in Network Policies.
- 4Prove Network Policies with this focused check: Run allowed and denied connection tests from labeled Pods and verify both directions where required.
How Network Policies works
- 1Network Policies primarily controls cluster security boundary.
- 2Network Policies uses the Kubernetes mechanism of label-based ingress and egress rules enforced by a compatible CNI plugin between selected Pods and network peers.
- 3The API server records and validates the objects declared for Network Policies.
- 4For Network Policies, the relevant controller, scheduler, node agent, or add-on acts until observed state matches the declaration.
Network Policies workflow
- 1Identify the exact workload, namespace, identity, traffic, storage, or cluster boundary affected by Network Policies.
- 2Create only the manifest or command required for Network Policies instead of combining unrelated changes.
- 3Apply Network Policies in a disposable environment and watch resource status rather than treating command success as completion.
- 4Record the expected result, rollback method, and cleanup command for this Network Policies exercise.
Verify Network Policies
- 1For Network Policies, perform this check: run allowed and denied connection tests from labeled Pods and verify both directions where required.
- 2Inspect conditions and recent events specifically associated with Network Policies.
- 3Test one Network Policies boundary or failure that could prevent least-privilege access with enforced policy evidence.
- 4Repeat the check after an update, restart, replacement, or reconciliation cycle relevant to Network Policies.
Network Policies boundaries
- 1Network Policies owns cluster security boundary; related networking, storage, security, and application concerns may need separate resources.
- 2An unhealthy image, invalid application configuration, or missing dependency can still fail when the Network Policies resource is valid.
- 3Cluster version, provider features, installed controllers, and admission policy can change Network Policies behavior.
- 4Choose a simpler Kubernetes resource when it can produce the required Network Policies outcome with fewer moving parts.
Summary
- Purpose: use Network Policies to limit identities, permissions, traffic, secrets, and workload privileges.
- Mechanism: understand how Network Policies uses label-based ingress and egress rules enforced by a compatible CNI plugin between selected Pods and network peers.
- Configuration: apply this Network Policies rule—start with default deny, then permit only documented sources, destinations, namespaces, and ports.
- Risk: prevent this Network Policies failure—creating NetworkPolicy objects on a CNI that does not enforce them provides false confidence.
- Evidence: confirm least-privilege access with enforced policy evidence with the focused Network Policies verification step.
Interview Questions
Q1. What Kubernetes responsibility does Network Policies own?
Answer: Network Policies primarily owns cluster security boundary.
Q2. How does Network Policies produce its result?
Answer: Network Policies uses label-based ingress and egress rules enforced by a compatible CNI plugin between selected Pods and network peers.
Q3. Where is Network Policies used in practice?
Answer: Network Policies is commonly used for multi-team clusters and production workloads.
Q4. What serious mistake should be avoided with Network Policies?
Answer: The main Network Policies risk is this: creating NetworkPolicy objects on a CNI that does not enforce them provides false confidence.
Q5. How would you demonstrate Network Policies in an interview?
Answer: For Network Policies, run allowed and denied connection tests from labeled Pods and verify both directions where required, then explain how observed state proves least-privilege access with enforced policy evidence.
Quick Quiz
Which approach best demonstrates correct use of Network Policies?