{"id":"5f511785-4fa7-4377-9db3-519541cca977","task":"Configure Kubernetes NetworkPolicy to implement a default-deny posture and selectively allow ingress from a specific service","domain":"kubernetes.io","steps":["Apply a default-deny NetworkPolicy in the target namespace that selects every pod with an empty podSelector, lists both directions in policyTypes, and carries no ingress or egress rules: spec: podSelector: {}; policyTypes: [Ingress, Egress]. Listing Egress explicitly matters: when policyTypes is omitted, Egress is only implied if egress rules are present, so a bare empty policy isolates ingress only","Create a second NetworkPolicy, selecting the target pods (for example podSelector.matchLabels: {app: api}), that allows ingress from the client pods: spec.ingress[].from[].podSelector.matchLabels: {app: frontend} together with spec.ingress[].ports[] for the service port. Only pods with that label, in the same namespace as the policy, can then reach the target pods on that port. Because the default-deny also isolates egress, add the mirror-image egress policy selecting the frontend pods (spec.egress[].to[].podSelector.matchLabels: {app: api}, same port); without it the connection is still dropped on the client side","Add a separate NetworkPolicy for required egress, e.g. to DNS: spec.egress[].ports[] with port 53 for both UDP and TCP, and spec.egress[].to[].namespaceSelector.matchLabels: {kubernetes.io/metadata.name: kube-system}. That label is set automatically and immutably on every namespace from Kubernetes 1.21 onward, so it is the reliable way to select a namespace by name; older clusters need the label added by hand","Label target pods and source pods consistently to match the NetworkPolicy selectors, and verify with kubectl get pods --show-labels; kubectl describe networkpolicy <name> shows the selectors and peers the API server actually stored","Test enforcement by exec-ing into a pod that should be blocked and attempting curl to the target service with a short timeout (curl -m 5): denied packets are dropped rather than rejected, so an untimed curl simply hangs. Also test from an allowed pod to confirm access works, and run a DNS lookup from that pod to confirm the egress rule","Use a CNI plugin that enforces NetworkPolicy (Calico, Cilium, Weave Net, etc.); the Kubernetes API accepts NetworkPolicy objects regardless of CNI, but without an enforcing CNI (for example Flannel on its own) the objects are stored and silently ignored"],"gotchas":["The default-deny policy applies to every pod in the namespace, not only the application pods you had in mind (sidecars, exporters and any agents deployed in the namespace), and with Egress in policyTypes it also drops DNS lookups and calls to the API server; add egress rules for DNS (port 53 UDP and TCP) and any required API-server or control-plane traffic before applying default-deny so there is no outage window","NetworkPolicy is additive: when two policies select the same pods their ingress and egress rules are unioned, and a pod selected by no policy at all is not isolated in either direction. You cannot use one NetworkPolicy to deny traffic that another allows; for deny-override semantics implement the deny at the CNI layer (e.g. Calico GlobalNetworkPolicy with action: Deny and an order that places it before the allow policies)","namespaceSelector in a NetworkPolicy from or to clause matches namespace labels, not names; if the target namespace does not carry the expected label, the selector matches nothing and the rule silently allows no traffic (match on kubernetes.io/metadata.name where available, and note that namespaceSelector: {} matches every namespace). Mind the list structure too: podSelector and namespaceSelector inside one from entry are ANDed (those pods in those namespaces), while as two separate from entries they are ORed, and a bare namespaceSelector entry admits every pod in the matched namespaces"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:40.307Z"},"url":"https://mcp.waymark.network/r/5f511785-4fa7-4377-9db3-519541cca977"}
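Worked example, added here and not part of the original record or of the Kubernetes project: the step list above modelled as an offline NetworkPolicy evaluator in Python. The manifests are constructed to match the steps (the namespace shop, the labels app=api and app=frontend, port 8080, and a CoreDNS pod labelled k8s-app=kube-dns in kube-system are all assumptions), and the evaluator implements the API's isolation and additive-rule semantics so that, without a cluster, you can see that the three policies from the steps alone still leave frontend-to-api blocked on the frontend's egress side, that a kube-system namespace lacking the expected label silently breaks the DNS rule, and that adding a policy can never remove an allow. ipBlock, matchExpressions and endPort are not modelled.

```python
"""Offline model of Kubernetes NetworkPolicy evaluation (added example, not
project code). Only matchLabels selectors and pod/namespace peers are modelled."""

# Constructed manifests matching the steps on this page (namespace, labels and
# port 8080 are assumptions), held as the dicts kubectl apply would submit.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
ALLOW_FRONTEND_INGRESS = {
    "metadata": {"name": "allow-frontend-to-api", "namespace": "shop"},
    "spec": {"podSelector": {"matchLabels": {"app": "api"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]},
}
ALLOW_DNS_EGRESS = {
    "metadata": {"name": "allow-dns", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels":
                                 {"kubernetes.io/metadata.name": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53},
                                   {"protocol": "TCP", "port": 53}]}]},
}
# Not in the page's step list: without it the frontend's own egress stays
# default-denied and frontend -> api is still dropped on the client side.
ALLOW_FRONTEND_EGRESS = {
    "metadata": {"name": "allow-frontend-egress", "namespace": "shop"},
    "spec": {"podSelector": {"matchLabels": {"app": "frontend"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}]},
}
PAGE_POLICIES = [DEFAULT_DENY, ALLOW_FRONTEND_INGRESS, ALLOW_DNS_EGRESS]
FIXED_POLICIES = PAGE_POLICIES + [ALLOW_FRONTEND_EGRESS]

# Constructed cluster state: namespace labels (auto-set from Kubernetes 1.21;
# UNLABELLED_NS mimics an older cluster without them) and a few pods.
LABELLED_NS = {"shop": {"kubernetes.io/metadata.name": "shop"},
               "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
UNLABELLED_NS = {"shop": {}, "kube-system": {}}
FRONTEND = {"ns": "shop", "labels": {"app": "frontend"}}
API = {"ns": "shop", "labels": {"app": "api"}}
BATCH = {"ns": "shop", "labels": {"app": "batch"}}
COREDNS = {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}}


def selector_matches(selector, labels):
    """matchLabels semantics: an empty selector ({}) matches every object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    # API default when policyTypes is omitted: Ingress always, Egress only with egress rules.
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def peer_matches(peer, policy_ns, pod, namespaces):
    """One from/to entry: podSelector alone is scoped to the policy's namespace,
    namespaceSelector alone spans all pods of matching namespaces, both are ANDed."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock-only entry: not modelled
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(pod["ns"], {})):
            return False
    elif pod["ns"] != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, pod["labels"])


def rule_matches(rule, policy_ns, peer_pod, proto, port, namespaces, peer_key):
    peers = rule.get(peer_key, [])  # absent/empty peer list means any source/destination
    if peers and not any(peer_matches(p, policy_ns, peer_pod, namespaces) for p in peers):
        return False
    ports = rule.get("ports", [])  # absent/empty port list means any port
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port
                            for p in ports)


def direction_allowed(pod, direction, peer_pod, proto, port, policies, namespaces):
    """direction is 'Ingress' (peer_pod -> pod) or 'Egress' (pod -> peer_pod)."""
    peer_key, rules_key = ("from", "ingress") if direction == "Ingress" else ("to", "egress")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod["ns"]
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"]["podSelector"], pod["labels"])]
    if not selecting:
        return True  # not isolated in this direction: everything is allowed
    # Additive semantics: any matching rule in any selecting policy permits the flow.
    return any(rule_matches(r, p["metadata"]["namespace"], peer_pod, proto, port,
                            namespaces, peer_key)
               for p in selecting for r in p["spec"].get(rules_key, []))


def flow_allowed(src, dst, proto, port, policies, namespaces=LABELLED_NS):
    """Both ends must agree: the source's egress and the destination's ingress."""
    return (direction_allowed(src, "Egress", dst, proto, port, policies, namespaces)
            and direction_allowed(dst, "Ingress", src, proto, port, policies, namespaces))


if __name__ == "__main__":
    print("frontend->api, page policies only:", flow_allowed(FRONTEND, API, "TCP", 8080, PAGE_POLICIES))
    print("frontend->api, with egress allow :", flow_allowed(FRONTEND, API, "TCP", 8080, FIXED_POLICIES))
```

flow_allowed evaluates both endpoints because a real CNI does the same: the source pod's egress isolation and the destination pod's ingress isolation are checked independently, and the packet passes only if each side has a matching allow (or is not isolated in that direction at all). Swapping LABELLED_NS for UNLABELLED_NS in the DNS check reproduces the namespaceSelector gotcha from the record: the rule is present and valid, but it matches no namespace.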