NetworkPolicy
A namespaced resource that defines firewall rules controlling which Pods can send and receive traffic.
What is NetworkPolicy?
A NetworkPolicy is a Kubernetes API object that specifies how groups of Pods are allowed to communicate with each other and with external endpoints. By default, Kubernetes applies no network restrictions: every Pod can reach every other Pod across all namespaces. NetworkPolicies change this to an allow-list model: once any NetworkPolicy selects a Pod (via podSelector), that Pod becomes isolated in the direction(s) named by the policy's policyTypes, and any traffic in those directions that no policy explicitly permits is denied.
NetworkPolicies define ingress rules (incoming traffic allowed) and egress rules (outgoing traffic allowed), each with selectors for source/destination Pods (podSelector), namespaces (namespaceSelector), and IP blocks (ipBlock). Policies are additive: when multiple policies select the same Pod, their rules are unioned, so a connection is allowed if any one of them permits it. Network policies are enforced by the CNI plugin (Calico, Cilium, Weave Net), not by kube-proxy; a cluster whose CNI does not support NetworkPolicy still accepts and stores the objects but silently enforces none of them.
Default-deny policies — policies that select all Pods but permit no traffic — are a security baseline for production namespaces. Combined with explicit allow rules for necessary communication paths, they implement a zero-trust network posture within the cluster.
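The following manifests are an added example, not part of the KorPro page or its product: a default-deny baseline for the same production namespace used by the page's allow-api-to-db policy, plus the explicit allow rules that make it workable. They assume the cluster DNS Pods run in kube-system with the label k8s-app=kube-dns and that the namespace carries the kubernetes.io/metadata.name label; both are standard on current clusters but should be checked against your own.

```yaml
# Added example (not from the KorPro page). Assumptions: cluster DNS runs in
# kube-system labelled k8s-app=kube-dns; namespaces carry the
# kubernetes.io/metadata.name label. Verify both before applying.
---
# 1. Default deny: an empty podSelector selects every Pod in the namespace.
#    Listing both policyTypes with no ingress/egress rules isolates both
#    directions. Omitting Egress here would leave outbound traffic wide open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Policies are unioned, so this rule re-opens only what is needed: DNS
#    lookups to the cluster resolver. Without it, every Pod in the namespace
#    loses name resolution as soon as default-deny is applied.
#    namespaceSelector and podSelector in the same "to" entry are ANDed:
#    only kube-dns Pods in kube-system match.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. Egress counterpart of the page's allow-api-to-db ingress policy. With
#    default-deny in both directions, both halves are required: ingress on
#    the postgres side and egress on the web-api side.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-api-egress-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web-api
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
```

Apply the file with kubectl apply -f and then test enforcement rather than trusting the API server's acceptance of the objects: from a Pod in the namespace, attempt a connection that the policies should block (for example, to a Pod in another namespace) and confirm it fails. If it succeeds, the CNI in use is not enforcing NetworkPolicy and the objects are giving no protection at all.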
Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web-api
      ports:
        - protocol: TCP
          port: 5432
Cost & Waste Implications
NetworkPolicies don't directly incur cloud costs, but missing policies in production namespaces expose workloads to lateral movement attacks, and the security cost of a breach far exceeds any infrastructure cost. Overly broad policies that allow unrestricted egress enable data exfiltration and incur outbound data-transfer charges to arbitrary external endpoints, which can show up as unexplained bandwidth costs.
How KorPro Helps
KorPro audits namespaces for the absence of default-deny NetworkPolicies and flags production workloads running without any network isolation, surfacing security risk alongside cost risk.
Related Terms
Namespace (Core Concepts): A virtual partition within a cluster that isolates resources, access control, and networking between teams or environments.
Pod (Core Concepts): The smallest deployable unit in Kubernetes — one or more containers that share a network namespace and storage volumes.
Service (Networking): A stable network endpoint that load-balances traffic to a dynamic set of Pods selected by label.
Pod Security (Security): Kubernetes controls that restrict what Pods can do at the OS level — capabilities, root access, host namespaces, and file system permissions.