Advanced Network Policy Patterns and Debugging
You locked down your namespace with default-deny, allowed DNS egress, and wrote your first pod-to-pod selectors. Then someone asks you to restrict egress to a specific external IP range, prevent the staging namespace from reaching production, and debug why a pod that passed every connectivity test last week is now timing out. The fundamentals got you started. These patterns are where NetworkPolicy earns its keep.
Grafana Loki, Datadog, and kube-prometheus-stack all ship layered NetworkPolicy suites that solve exactly these problems. The CKA exam tests them too. This lesson covers CIDR-based egress with ipBlock, namespace isolation, combined ingress/egress enforcement, port ranges, and a systematic approach to debugging blocked traffic.
CKA — Certified Kubernetes Administrator
63 lessons