KubeDojo

Network Policies for Traffic Control

by Alexis Kinsella · 14 min read

By default, every pod in a Kubernetes cluster can talk to every other pod. No firewall rules, no segmentation, no access controls. A compromised container in a development namespace can reach your production database. A rogue workload can scan the entire cluster network. Kubernetes ships with a flat network model, and unless you do something about it, that flat network is wide open.

Network Policies are how you fix that. They are the only built-in Kubernetes API for controlling pod-to-pod and pod-to-external traffic at L3/L4. The core pattern is straightforward: default deny, then whitelist. The implementation details, especially selector semantics and CNI plugin requirements, are where things get interesting.
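The default-deny-then-allow pattern as two manifests, added here as an example rather than taken from the lesson. It assumes a namespace named "prod" labelled env=prod, pods labelled app=api and app=db, and a CNI plugin that actually enforces NetworkPolicy (Calico, Cilium and similar); on a CNI without policy support the API server accepts these objects and nothing is enforced.

```yaml
# Added example manifests (not the lesson's own). Namespace "prod" and the
# labels app=api, app=db and env=prod are assumed.
---
# 1. Default deny. An empty podSelector matches every pod in the namespace;
#    listing both policyTypes drops all ingress AND all egress (DNS included).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allowlist on top of the deny: only api pods may reach db pods on 5432.
#    Selector semantics that trip people up:
#    - separate items in the "from" list are ORed;
#    - podSelector and namespaceSelector in ONE item are ANDed;
#    - a peer with a bare podSelector matches only pods in the policy's
#      own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # AND: a pod labelled app=api in a namespace labelled env=prod
        - namespaceSelector:
            matchLabels:
              env: prod
          podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
```

Because the deny policy also covers Egress, the api pods still need a matching egress rule (and every pod needs egress to the cluster DNS) before any connection is established; replies to an allowed connection are permitted without a separate rule.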

Part of the KCSA — Kubernetes and Cloud Native Security Associate course (39 lessons).