Apply a default-deny-all NetworkPolicy with an empty `podSelector: {}` and no `ingress` or `egress` rules to block all traffic in the namespace
Create separate NetworkPolicy manifests to explicitly allow required ingress (e.g., from the ingress controller) and egress (e.g., to DNS on port 53)
Use `namespaceSelector` combined with `podSelector` for cross-namespace allow rules
Apply policies incrementally in a non-production namespace first to discover missing allow rules before enabling in production
Verify with a debug pod running `curl` or `nc` to confirm allowed and blocked paths behave as expected
Known gotchas
Kubernetes NetworkPolicy is additive; there is no explicit deny rule type — blocking traffic requires ensuring no policy allows it, not writing a deny entry
DNS egress is commonly forgotten in default-deny setups; pods unable to resolve names will fail in ways that look like application errors rather than network policy blocks
NetworkPolicy enforcement depends on the CNI plugin; clusters with a CNI that does not support NetworkPolicy (e.g., Flannel without Canal) will apply manifests without enforcing them
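The default-deny policy together with the DNS allow rule that the gotchas above say is most often forgotten, as an added example that is not from the original page. It assumes a namespace named `payments`, CoreDNS running in `kube-system` with the label `k8s-app: kube-dns`, and the automatic `kubernetes.io/metadata.name` namespace label (present on Kubernetes 1.21 and later); those names are assumptions, adjust them to your cluster.

```yaml
# Added example, not the page's own manifests. Namespace and label
# values are assumptions; check them with `kubectl get ns --show-labels`
# and `kubectl get pods -n kube-system --show-labels`.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}          # empty selector: every pod in the namespace is selected
  policyTypes:
  - Ingress
  - Egress                 # both types listed, no rules: all traffic denied.
                           # Without policyTypes an empty policy denies ingress only.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}          # applies to the same pods; policies are additive,
  policyTypes:             # so this widens what default-deny-all left closed
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in ONE list entry are ANDed:
    # "pods labelled k8s-app=kube-dns inside kube-system". As two separate
    # entries they would be ORed and allow every pod in kube-system.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP        # large responses and DNS-over-TCP fallback use TCP
      port: 53
```

Apply both with `kubectl apply -f`, then from a debug pod in `payments` confirm that `nslookup kubernetes.default` succeeds while a `curl` to any other service still times out; each additional service path then gets its own allow policy.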