Network policies control traffic between pods. By default, Kubernetes allows all pod-to-pod traffic.
Policy structure:
- Pod selector: Which pods does this apply to?
- Policy types: Ingress, Egress, or both
- Rules: which peers traffic is allowed from (ingress) or to (egress)
Example:
- Apply to app=database pods
- Allow ingress only from app=backend
- Allow egress only to port
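The example above written out as manifests, added here and not part of the original notes. It assumes a namespace named prod, that the database listens on TCP 5432, and that the unspecified "only to port" egress is DNS (port 53) to the kube-dns pods in kube-system; those values are placeholders, as are the kube-dns label and the namespace name label (the latter is set automatically by the API server on recent clusters). The first policy is a namespace-wide default deny, the second is the database policy.

```yaml
# Added example, not from the original notes. Assumed values: namespace
# "prod", database port 5432, DNS egress to kube-dns on port 53.

# Policy 1: default deny for every pod in the namespace, both directions.
# Once this exists, each pod needs an explicit allow to talk to anything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod            # assumed namespace
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  # No ingress/egress rule blocks: nothing is allowed by this policy.
---
# Policy 2: the page's example, applied to app=database pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: prod            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: database          # which pods this applies to
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:           # pods in the same namespace only; add a
        matchLabels:         # namespaceSelector to allow other namespaces
          app: backend
    ports:
    - protocol: TCP
      port: 5432             # assumed database port
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns  # assumed label on the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53               # assumed: DNS is the only egress the database needs
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f` and confirm with `kubectl describe networkpolicy -n prod`. Two things to keep in mind: the API server stores a NetworkPolicy whether or not the CNI enforces it, so on a Flannel cluster both objects are accepted and nothing changes; and an egress rule set that forgets DNS makes the pod unable to resolve names even though every other rule is correct, which is why the DNS allow is included explicitly.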
Default: with no policies, all traffic is allowed. Once any policy selects a pod, traffic of that policy's type (ingress or egress) for that pod is denied unless a policy explicitly allows it; multiple policies are additive.
CNI support: enforcement depends on the CNI plugin. Flannel does not enforce network policies (they are accepted but ignored); Calico and Cilium do.