Docs
Kubernetes
Security
Network Policies

Applying network policies in Kubernetes using Thalassa Cloud

Network policies are a fundamental security control in Kubernetes that allow fine-grained traffic control between pods, namespaces, and external services. They function like micro-firewalls, defining ingress (incoming) and egress (outgoing) rules for specific workloads.

Network policies do not take effect unless a network plugin (such as Cilium) supports them. By default, Kubernetes allows all traffic between pods unless restricted by network policies.

Denied by Default

With Thalassa Cloud Kubernetes, you can opt-in to disabling network traffic between pods and other services by default, for improved security control.

How Network Policies Work

Network policies operate at the pod level, not at the service level. They use labels and namespaces to determine which pods are affected and define rules based on IP addresses, ports, and namespaces. This means:

  • Policies apply to pods, not services. Defining policies using service labels will not work.
  • Rules restrict traffic at the pod level, using IP addresses and port numbers.
  • Policies are additive, meaning multiple policies can apply to the same pod.

Managing Network Policies

Network policies can be managed using standard Kubernetes commands:

kubectl get networkpolicies                # List network policies in the current namespace
kubectl get networkpolicies -A             # List all network policies across namespaces
kubectl describe networkpolicy <policy>    # View details of a specific network policy

Notes on Network Policies

  • Network policies vs security groups: Unlike cloud security groups, which apply to VM instances, network policies apply at the pod level with in a Kubernetes cluster.
  • Not a replacement for authentication & encryption: Use network policies alongside RBAC, mutual TLS (mTLS), and firewall rules for full security.
  • Order does not matter: Unlike traditional firewall rules, network policies do not have priority or precedence.

Understanding Network Policy Specification

A NetworkPolicy is a Kubernetes object that defines allowed or blocked traffic rules in a cluster. Policies can be Ingress-only, Egress-only, or both.

Key Fields

FieldDescription
ingressDefines allowed incoming traffic to the selected pods. If empty, all ingress traffic is denied.
egressDefines allowed outgoing traffic from the selected pods. If empty, all egress traffic is denied.
podSelectorSelects the pods that the policy applies to, using labels. An empty selector matches all pods in the namespace.
policyTypesSpecifies whether the policy applies to Ingress, Egress, or both. If omitted, defaults to Ingress.

For the full API reference, see the Kubernetes Network Policy API.

Cilium Network Policies

If your Thalassa Cloud Kubernetes cluster uses Cilium as its CNI, you can take advantage of Cilium Network Policies (CNPs) for advanced security enforcement. Cilium extends standard Kubernetes network policies by adding support for:

  • L7 (Application Layer) filtering (e.g., HTTP, gRPC, Kafka rules)
  • DNS-based network policies
  • Identity-aware enforcement
  • Egress rules to external services
  • Visibility and monitoring via Hubble

Defining a Cilium Network Policy

Cilium Network Policies (CNPs) provide more flexibility than standard Kubernetes network policies. Below is an example CNP that allows ingress traffic from a specific namespace and restricts egress traffic to a DNS domain:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-web-traffic
  namespace: web-frontend
spec:
  endpointSelector:
    matchLabels:
      app: web-service
  ingress:
    - fromEntities:
        - cluster
    - fromEndpoints:
        - matchLabels:
            namespace: ingress-nginx
  egress:
    - toFQDNs:
        - matchName: "api.external-service.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP

Key Features of Cilium Network Policies

FeatureDescription
L7 FilteringAllows defining network policies based on HTTP methods, gRPC, or Kafka topics.
DNS-aware PoliciesEnables rules for FQDN-based egress control instead of static IPs.
Identity-based RulesUses Cilium’s identity system for defining fine-grained access control.
Hubble ObservabilityProvides real-time visibility into network flows and policy enforcement.

Enforcing Zero Trust with Cilium

With Cilium, you can implement Zero Trust Networking by defining policies that:

  • Explicitly allow required traffic while blocking everything else.
  • Restrict outbound traffic to only necessary services (e.g., SaaS APIs, cloud storage).
  • Monitor and audit network flows via Hubble UI or CLI.

Managing Cilium Network Policies

To list Cilium Network Policies, use:

kubectl get cnp -A

To describe a specific CNP:

kubectl describe cnp allow-web-traffic

To delete a policy:

kubectl delete cnp allow-web-traffic

Recommended Network Policies

1. Default Deny All Traffic

This policy blocks all network traffic within a namespace unless explicitly allowed.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-all-traffic
  namespace: backend-services
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []

2. Allow DNS Traffic

DNS queries are essential for service discovery. This policy allows DNS lookups to CoreDNS running in the kube-system namespace.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-dns-queries
  namespace: monitoring
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system

3. Allow Ingress from an Ingress Controller

This policy allows ingress traffic from the Ingress controller (e.g., NGINX Ingress running in ingress-nginx namespace) to specific pods.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-web-ingress
  namespace: web-frontend
spec:
  podSelector:
    matchLabels:
      app: web-service
  policyTypes:
    - Ingress
  ingress:
    - ports:
      - port: 443
      from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx

4. Allow Egress to the Public Internet

This policy allows outgoing traffic to public networks, while preventing access to internal services (RFC1918 private IP ranges).

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-public-egress
  namespace: api-services
spec:
  podSelector:
    matchLabels:
      app: api-gateway
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16

This ensures that the pods can reach external APIs and public cloud services while blocking unintended internal communication.

Additional Resources

Network policies are an essential tool for securing workloads in Thalassa Cloud, providing granular control over pod-to-pod and external communication. Implement them alongside RBAC, encryption, and monitoring securely use your Kubernetes environment.

Pod Security Standards