Apply a default-deny NetworkPolicy in the target namespace that selects all pods with an empty podSelector and specifies no ingress or egress rules: spec: podSelector: {}; policyTypes: [Ingress, Egress]
Create a second NetworkPolicy allowing ingress from the specific client pods: spec.ingress[].from[].podSelector.matchLabels: {app: frontend} — this allows only pods with that label to reach the target pods on the specified port. A bare podSelector in a from clause matches pods in the policy's own namespace only; clients in another namespace need a namespaceSelector in the same from entry
Add a separate NetworkPolicy for required egress, e.g., to DNS: spec.egress[].ports[].port: 53 with protocol UDP and TCP, and spec.egress[].to[].namespaceSelector matching the kube-system namespace by label (kubernetes.io/metadata.name: kube-system, which the API server sets automatically on every namespace since Kubernetes 1.22; on older clusters label the namespace yourself). Narrow it further with a podSelector for the DNS pods (k8s-app: kube-dns in kubeadm and most distributions) so the rule does not open egress to everything in kube-system
Label target pods and source pods consistently to match the NetworkPolicy selectors, and verify with kubectl get pods --show-labels
Test enforcement by exec-ing into a pod that should be blocked and attempting curl (with a short timeout, e.g. curl -m 5, so a dropped connection fails fast instead of hanging) to the target service; also test from an allowed pod to confirm access works. A blocked pod should fail to connect, not get an HTTP error: an HTTP response means the policy is not being enforced
Use a CNI plugin that enforces NetworkPolicy (Calico, Cilium, Weave, etc.) — the Kubernetes API accepts NetworkPolicy objects regardless of CNI, but without an enforcing CNI the policies are silently ignored
Known gotchas
The default-deny policy affects every pod in the namespace, including sidecars, in-cluster monitoring agents and anything else that reaches the pods over the pod network (kubelet liveness and readiness probes originate on the node and are typically exempted by the CNI, but confirm this on your cluster rather than assume it); always add egress rules for DNS (port 53 UDP/TCP) and for any required control-plane communication, such as pods that call the Kubernetes API server, before applying default-deny
NetworkPolicy is additive: two policies that both select the same pods will union their ingress/egress rules. You cannot use one NetworkPolicy to deny traffic that another allows — implement deny at the CNI layer (e.g., Calico GlobalNetworkPolicy with deny action) for deny-override semantics
namespaceSelector in a NetworkPolicy from or to clause matches on namespace labels, not names; if the peer namespace does not carry the expected label, the selector matches nothing and the rule silently allows no traffic. Select by name through the kubernetes.io/metadata.name label (set automatically since Kubernetes 1.22), and remember that an empty namespaceSelector ({}) matches every namespace, not none
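The deny-override the additive-policy gotcha above calls for, as an added example that is not from the original page: a Calico GlobalNetworkPolicy that drops all traffic to and from pods carrying a hypothetical quarantine=true label, no matter what any namespaced NetworkPolicy allows them. The label name is an assumption; the order value relies on Calico converting Kubernetes NetworkPolicy objects to order 1000, so a lower order is evaluated first.

```yaml
# Added example (not from the original page). Requires Calico; the label
# quarantine=true is an assumption for illustration.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-quarantined-pods
spec:
  order: 0                      # evaluated before Kubernetes NetworkPolicies (order 1000)
  selector: quarantine == "true"
  types:
  - Ingress
  - Egress
  ingress:
  - action: Deny                # explicit deny wins: later allow rules are never reached
  egress:
  - action: Deny
```

Applying this with calicoctl apply -f (or kubectl, if the Calico API server is installed) and then labelling a pod kubectl label pod <name> quarantine=true cuts that pod off even if allow-frontend-to-api style policies still select it; removing the label restores the union of the namespaced allows. Kubernetes NetworkPolicy alone has no equivalent, because every rule it expresses is an allow.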