kubernetes
Kubernetes Network Policy Generator
Generate Kubernetes NetworkPolicy YAML with default-deny and allow rules for namespace isolation. Supports ingress allow-lists, egress port rules, DNS, and Prometheus scraping.
Kubernetes Network Policy Best Practices
NetworkPolicies are the primary way to implement network segmentation in Kubernetes. They operate at the pod level and use label selectors to define which traffic is allowed.
Default Deny + Allowlist
The recommended pattern:
- 1.Apply a default-deny policy (blocks everything)
- 2.Add specific allow rules for what the namespace needs
This is more secure than a default-allow model and makes the security posture explicit.
CNI Support Matrix
| CNI | NetworkPolicy support |
|---|---|
| Flannel | ❌ No enforcement |
| Calico | ✅ Full |
| Cilium | ✅ Full + L7 (HTTP/gRPC aware) |
| Weave Net | ✅ Full |
Namespace Label Requirement
NetworkPolicies using namespaceSelector match on namespace labels. The label kubernetes.io/metadata.name is automatically set by Kubernetes 1.21+ (it equals the namespace name). For older clusters, you must manually label namespaces:
kubectl label namespace monitoring kubernetes.io/metadata.name=monitoringCommon Gotchas
- ›Forgetting DNS (port 53) — breaks all service discovery
- ›Missing metrics port for Prometheus — monitoring stops working silently
- ›Using
podSelector: {}in ingress rules — means "allow from all pods in this namespace" - ›Not allowing egress to the API server — breaks service accounts that call the K8s API
Key Terms
Full glossary →kubeadm
A tool for bootstrapping Kubernetes clusters. It automates the setup of control plane components and joining worker nodes, following Kubernetes best practices.
etcd
A distributed key-value store used by Kubernetes to store all cluster state and configuration. etcd is the single source of truth for the entire cluster.
cert-manager
A Kubernetes controller for automating TLS certificate management. cert-manager can issue certificates from Let's Encrypt, Vault, or internal CAs, and automatically renews them.
Helm
A package manager for Kubernetes. Helm charts bundle Kubernetes manifests into reusable packages with configurable values, versioned and published to chart repositories.
Frequently Asked Questions
What does default-deny mean in Kubernetes NetworkPolicy?
By default, Kubernetes allows all pod-to-pod traffic within a cluster. A default-deny NetworkPolicy (podSelector: {} with no ingress/egress rules) blocks all traffic to/from pods in that namespace. You then add explicit allow rules for what you need.
Do NetworkPolicies work without a CNI that supports them?
No. NetworkPolicies are API objects but enforcement is done by the CNI plugin. Flannel does NOT enforce NetworkPolicies. You need Calico, Cilium, or Weave Net for enforcement. If you use Flannel, NetworkPolicies exist but are silently ignored.
Why do I need to allow port 53 for DNS?
Kubernetes DNS (CoreDNS) listens on port 53 UDP/TCP. When pods make service calls like http://my-service.my-namespace.svc.cluster.local, they resolve via CoreDNS. Without allowing port 53 in your egress rules, all service discovery fails.
How does Prometheus scraping work with NetworkPolicies?
Prometheus in the monitoring namespace needs to reach your app's metrics endpoint (typically :8080/metrics or :9090). If your namespace has a default-deny policy, you must explicitly allow ingress from the monitoring namespace on the metrics port. The generated policy adds this as an optional rule.
Related Calculators
Related Generators
Related Comparisons
Related Guides
kubernetes
CI/CD for Kubernetes with GitHub Actions: A Complete Guide (2026)
A practical walkthrough of building a full GitHub Actions pipeline that builds a container image, pushes it to a registry, and deploys to Kubernetes — with secrets handling, rollback, and Helm support.
kubernetes
ArgoCD vs Flux: Choosing a GitOps Tool for Kubernetes in 2026
A no-fluff comparison of ArgoCD and Flux for GitOps on Kubernetes — covering architecture, UI, Helm support, multi-tenancy, and when to pick each one.
kubernetes
Hetzner vs DigitalOcean for Kubernetes in 2026: An Honest Comparison
Hetzner is 3–5× cheaper than DigitalOcean for equivalent Kubernetes compute. But DO has managed K8s, better global coverage, and a larger app marketplace. Here's when each is the right choice.