Kubernetes NetworkPolicy: The Networking Perspective
Network Policy
NetworkPolicy is the "firewall" of Kubernetes. While it is defined as a Security resource, it is implemented by the **Networking Layer** (your CNI plugin).
The CNI Requirement
Kubernetes does not enforce network policies itself. The API server simply accepts the YAML. It is up to your Container Network Interface (CNI) plugin to read those policies and enforce them (usually via iptables or eBPF).
- Supported CNIs: Calico, Cilium, Antrea, Weave Net.
- Unsupported CNIs: Flannel (by default), AWS VPC CNI (without add-ons).
WARNING
If your CNI does not support NetworkPolicy, you can create the objects, but traffic will not be blocked.
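Because the API server gives no signal either way, the only reliable check is to apply a policy and probe it. The script below is an added example (not from the original page) that does exactly that: it creates a scratch namespace, applies a default-deny ingress policy, and tests whether a second pod can still reach the target; kubectl access, the namespace name and the image tags are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: probe whether the cluster's CNI
# actually enforces NetworkPolicy. Assumes kubectl is configured against the
# cluster and that the namespace below may be created and deleted.
set -eu

NS="${NS:-netpol-check}"   # scratch namespace (assumed name)

# Render a default-deny ingress policy: an empty podSelector matches every pod.
default_deny_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# The probe must FAIL (non-zero status) for the policy to count as enforced.
verdict() {
  if [ "$1" -eq 0 ]; then echo NOT_ENFORCED; else echo ENFORCED; fi
}

run_check() {
  kubectl create namespace "$NS"
  kubectl -n "$NS" run target --image=nginx:1.25 --port=80 --labels=app=target
  kubectl -n "$NS" expose pod target --port=80
  kubectl -n "$NS" wait --for=condition=Ready pod/target --timeout=120s
  default_deny_manifest "$NS" | kubectl apply -f -
  # kubectl run with --rm -i propagates the container's exit status;
  # wget times out when the CNI drops the ingress traffic.
  set +e
  kubectl -n "$NS" run probe --rm -i --restart=Never --image=busybox:1.36 -- \
    wget -q -T 5 -O /dev/null "http://target.$NS.svc.cluster.local/"
  status=$?
  set -e
  kubectl delete namespace "$NS" --wait=false
  verdict "$status"
}

# Only talk to the cluster when explicitly asked: RUN_NETPOL_CHECK=1 ./netpol-check.sh
if [ "${RUN_NETPOL_CHECK:-0}" = 1 ]; then
  run_check
fi
```

A result of NOT_ENFORCED with a supported CNI usually means the policy controller is not running or the policy was applied before the CNI finished programming its dataplane; rerun before concluding anything.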
The Rules
For the detailed guide on how to write policies (Default Deny, Allow-Listing, and Selectors), please see the Security section: