CHAPTER 19: Network Hardening
One of the key capabilities provided by Kubernetes is the container network, which allows workloads to contact each other easily when the containers are running on different nodes or even in different networks.
Kubernetes’ default approach to container networks is to provide a flat unrestricted environment where every container can contact every other container. From a security standpoint, this obviously presents some challenges, in that it's generally advisable to reduce the attack surface of your environment by restricting which applications can contact each other, at a network level. Exactly how restrictive you want to be will depend, as with most things in security, on the threat model of your cluster.
Kubernetes provides a default API, called Network Policy, which can be used by cluster operators and users to restrict access between workloads. This API provides a Kubernetes and container-aware interface to networking controls like firewall rules, which restrict the traffic flowing over the container network.
Container Network Overview
Before we delve directly into how Network Policy is configured, it's worth reviewing how container networks are deployed, as there are some complexities there that can trip you up if you're coming from a more traditional VM-based infrastructure.
There are multiple discrete sets of IP addresses you're likely to see in a Kubernetes cluster, each of which has a different role in handling cluster traffic.
Node ...