Interactive Lab · CKA + CKS Topic · Intermediate

NETWORK POLICIES

$ kubectl apply -f deny-all.yaml
🚫 Step 1: Default Deny All Ingress
  1. By default, Kubernetes lets every pod talk to every other pod. A NetworkPolicy changes this: as soon as any policy selects a pod for a direction (ingress or egress), that pod accepts only the traffic some policy explicitly allows in that direction.
  2. A policy with podSelector: {} and an empty ingress: [] (or no ingress key at all) with Ingress in policyTypes means: select every pod in the namespace, allow no incoming traffic.
  3. Apply this policy and watch the traffic visualizer update. All ingress to pods in this namespace is now blocked, whether the client sits inside or outside the namespace. Egress is untouched.
💡 A default-deny policy blocks everything in the direction it isolates; you then add narrow allow policies on top. Policies are additive: a connection is allowed if any policy selecting the pod allows it, and there is no explicit "deny" rule that can override an allow. This allow-list model is the zero-trust approach recommended for Kubernetes networking.
Traffic Visualizer: frontend (app=frontend, port 80) → backend (app=backend, port 8080), shown as allowed before the policy is applied.
deny-all.yaml
What this does
podSelector: {} selects all pods in the namespace. A NetworkPolicy is a namespaced object; it never selects pods in other namespaces.

policyTypes: [Ingress] with no ingress rules means deny all incoming traffic.

The result: no pod in the namespace can receive traffic from any source, while outgoing connections are unaffected. NetworkPolicy is enforced by the cluster's CNI plugin (Calico, Cilium and others support it); on a CNI without support the object is accepted by the API server and silently enforces nothing, so always test the effect rather than trusting that the apply succeeded.
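The deny-all.yaml manifest this step applies, written out here as an added example rather than copied from the lab's editor. The namespace name lab and the policy name deny-all-ingress are assumptions; everything else is the standard default-deny-ingress shape.

```yaml
# Added example (not the lab's own file). Assumed namespace: lab.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: lab
spec:
  podSelector: {}          # empty selector: every pod in the namespace is selected
  policyTypes:
  - Ingress                # only the ingress direction is isolated; egress stays open
  # No "ingress:" rules at all (equivalent to ingress: []), so nothing is allowed in.
  # Adding "- Egress" here with no egress rules would also cut all outgoing traffic,
  # including DNS lookups, so do that only once the egress allow rules are ready.
```

Apply it with kubectl apply -f deny-all.yaml and then verify the enforcement instead of assuming it: kubectl exec frontend -- wget -qO- --timeout=2 http://backend:8080 (assuming the frontend image ships wget) should now time out where it succeeded before, and kubectl describe netpol deny-all-ingress should report that the selected pods are isolated for ingress with no allowed sources. If the request still succeeds, the cluster's CNI is not enforcing NetworkPolicy.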
✅ Step 2: Allow Traffic from a Specific Pod
  1. Now that all ingress is denied, we allow only the frontend pod to reach the backend on TCP port 8080. This policy is layered on top of deny-all: it adds an allow, it does not replace the deny.
  2. The podSelector at the top of the spec selects which pods this policy applies to (backend). The podSelector under ingress.from defines who is allowed in (frontend); on its own it only matches pods in the policy's own namespace.
  3. Try changing the matchLabels in the from section to app: database and apply. Notice how the frontend can no longer reach the backend, and the database now can.
💡 You can combine podSelector and namespaceSelector in the same from element to allow traffic only from specific pods in specific namespaces (both selectors must match). Listing them as two separate elements allows either one.
Traffic Visualizer: frontend (app=frontend), backend (app=backend, port 8080), database (app=database); the frontend → backend and database → backend paths are re-checked once the policy is applied.
allow-frontend.yaml
What this does
Selects the backend pods (podSelector app=backend) and allows ingress to them from pods labelled app=frontend on TCP 8080; every other source stays blocked by deny-all.yaml. Apply the policy to see what changes.
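The allow-frontend.yaml manifest for this step, as an added example rather than the lab's own file; the namespace lab and the policy name allow-frontend-to-backend are assumptions, the labels are the ones the lab pods carry.

```yaml
# Added example (not the lab's own file). Assumed namespace: lab.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: backend         # pods this policy protects
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:         # a lone podSelector here matches pods in the lab namespace only
        matchLabels:
          app: frontend    # change to app: database to reproduce step 3 of the lab text
    ports:
    - protocol: TCP
      port: 8080           # without a ports list, every port on backend would be opened
```

Because allowed traffic is the union of all policies selecting a pod, this file and deny-all.yaml coexist: deny-all isolates backend, this policy punches one hole. After kubectl apply -f allow-frontend.yaml, kubectl exec frontend -- wget -qO- --timeout=2 http://backend:8080 should succeed and the same command run from the database pod should time out (assuming both images ship wget). kubectl get pods -l app=frontend confirms the from selector actually matches a pod; a mistyped label matches nothing and the hole never opens.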
🔒 Step 3: Control Egress Traffic
  1. Egress rules control outgoing traffic from a pod. By default egress is open: pods can reach anything, including other namespaces, the internet and the cluster DNS service.
  2. This policy restricts the backend pod so it can only open outgoing connections to the database pod on TCP port 5432.
  3. Notice both Ingress and Egress are in policyTypes. Once Egress is listed, every outgoing connection the pod needs must be allowed explicitly, including the UDP/TCP 53 lookups to the cluster DNS service; forgetting DNS is the most common reason a freshly applied egress policy appears to break an application that can no longer resolve service names.
💡 On the CKS exam, combining ingress and egress policies to isolate a namespace is a common scenario. Practice building both together, and always re-test connectivity after applying.
egress-policy.yaml
What this does
Selects the backend pods and, because Egress is in policyTypes, isolates their outgoing traffic: only the listed egress rule (database pods on TCP 5432) is allowed out. Apply the policy to see the result.
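The egress-policy.yaml manifest for this step, written as an added example rather than copied from the lab, with the DNS rule a real deployment needs added beside the database rule. Assumptions: the namespace lab, the policy name backend-egress, and that the cluster DNS pods run in kube-system with the label k8s-app: kube-dns (the default for CoreDNS on kubeadm-style clusters; check with kubectl get pods -n kube-system --show-labels).

```yaml
# Added example (not the lab's own file). Assumed namespace: lab.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress                # listed with no ingress rules: this policy allows no ingress
                           # by itself, but allow-frontend.yaml still admits frontend
                           # because allows from all selecting policies are unioned
  - Egress                 # from now on only the rules below may leave backend
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  # DNS: with egress isolated, lookups to the cluster DNS service are blocked too,
  # and "database" can no longer be resolved by name. Allow port 53 explicitly.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # set automatically on every namespace
      podSelector:                                   # same element as above: namespace AND pod must match
        matchLabels:
          k8s-app: kube-dns                          # assumed CoreDNS label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

To see why the second rule matters, apply the file without it first: kubectl exec backend -- nslookup database (assuming the image has nslookup) fails, while connecting to the database pod by IP on 5432 still works. Add the DNS rule back and the name resolves again. Leaving DNS out is the most frequent cause of an egress policy that "broke everything", and it is worth knowing on the exam.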
Key Concepts
podSelector: {}   Selects all pods in the policy's namespace.
policyTypes: [Ingress]   Only restricts incoming traffic; egress stays open.
policyTypes: [Egress]   Only restricts outgoing traffic; ingress stays open.
ingress: []   Empty ingress list (or no ingress key) with Ingress in policyTypes means deny all ingress.
namespaceSelector   Allow traffic from (or, in egress rules, to) pods in namespaces matching the labels. Every namespace automatically carries kubernetes.io/metadata.name: <name>, so no extra labelling is needed to target one by name.
ipBlock   Allow traffic from a CIDR range, with an optional except list of sub-ranges to carve out. Intended for traffic that is not pod-to-pod, since pod IPs are ephemeral.
Common Patterns
Default deny all   podSelector: {} with empty ingress rules blocks all ingress; add Egress to policyTypes (again with no rules) to block all egress as well, then allow DNS.
Allow same namespace   A from entry of podSelector: {} allows every pod in the policy's own namespace; a namespaceSelector matching the namespace's own kubernetes.io/metadata.name label does the same.
Allow specific port   Add a ports section (protocol and port) to the ingress or egress rule; without it, all ports are allowed.
Multi-rule AND logic   podSelector and namespaceSelector in the same from/to element (one "-" for both) mean AND: the source pod must match both selectors.
Multi-rule OR logic   Separate elements in the from/to array (each with its own "-") mean OR: matching any one of them is enough.
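The AND versus OR distinction above hinges on a single dash in YAML and is the most common way to write a policy that is far more permissive than intended. The two policies below, an added example and not part of the lab, differ only in whether podSelector sits inside the same from element as namespaceSelector. Assumptions: the namespace lab and a namespace label team: payments on the caller's namespace.

```yaml
# Added example (not the lab's own file). Assumed namespace: lab.
# OR: two elements in "from" (each starts with "-"). backend:8080 accepts traffic
# from ANY pod in a namespace labelled team=payments, OR from any app=frontend pod
# in the lab namespace itself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-or
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: payments
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# AND: one element carrying both selectors (no "-" before podSelector). backend:8080
# accepts traffic only from pods labelled app=frontend that live in a namespace
# labelled team=payments; frontend pods in lab itself are NOT matched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-and
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: payments
      podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

When reviewing a policy, count the dashes under from: one dash per selector means OR, one dash for the pair means AND. kubectl describe netpol prints the rules in a flattened form that makes the difference visible, so check there after applying rather than trusting the indentation by eye.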
kubectl Commands
get networkpolicies   List all network policies in the current namespace (netpol is the short name; add -A for every namespace).
describe netpol <name>   Show the full policy spec: pod selector, allowed ingress and egress rules, and policy types. It does not list the selected pods; use get pods -l <key>=<value> with the policy's selector for that.
delete netpol <name>   Remove a policy. The allows it granted disappear immediately; if no other policy still selects the pods, they return to the open default.
get pods --show-labels   See pod labels. Policies match on labels, so a mistyped label silently selects nothing.