eastbaycyber

What is securing inter-pod communication with network policies? A Practitioner's Definition

FAQs 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-24
Short answer

TL;DR - Network policies let you control which pods can talk to other pods and services. - They reduce lateral movement by enforcing allow rules at the workload level. - Use them when you need least-privilege networking inside Kubernetes, especially in multi-app or shared clusters.

Definition

Securing inter-pod communication with network policies means using Kubernetes NetworkPolicy objects to explicitly allow or deny traffic between pods, namespaces, and sometimes external endpoints. In practice, it is how teams segment east-west traffic inside a cluster so compromised workloads cannot freely reach everything else.

How it works

By default, many Kubernetes environments allow broad pod-to-pod communication unless restricted by the CNI plugin or platform defaults. A NetworkPolicy changes that model by selecting target pods and then defining which inbound (Ingress) and outbound (Egress) connections are permitted.

The important operational point is this: network policies are usually allow lists, not block lists. Once a pod is selected by a policy for a given direction, only the traffic explicitly allowed by matching rules is permitted for that direction.

A typical workflow looks like this:

  1. Identify the application flow.
  2. Select the pods you want to protect with labels.
  3. Allow only required sources, destinations, ports, and protocols.
  4. Test application behavior.
  5. Monitor for denied connections and refine.

For example, a frontend pod may need to talk to an API pod on TCP 8443, while the API pod may need to reach a database pod on TCP 5432. With network policies, you define only those paths instead of allowing full mesh connectivity across the namespace.

Technical Notes

A basic deny-all ingress policy for a namespace-scoped app tier often starts like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress

That policy selects all pods in the production namespace and denies all inbound traffic unless another policy allows it.

Then you add a specific allow rule:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8443

This allows only pods labeled app: frontend to connect to app: api on TCP 8443 within the same namespace.

To inspect policies:

kubectl get networkpolicy -A
kubectl describe networkpolicy allow-frontend-to-api -n production

To verify pod labels before writing rules:

kubectl get pods -n production --show-labels

One key caveat: Kubernetes defines the policy object, but enforcement depends on your network plugin supporting it, such as Calico, Cilium, or another compatible CNI. If your CNI does not enforce NetworkPolicy, the YAML may exist but provide no protection.

When you’ll encounter it

You will encounter network policies any time Kubernetes networking moves from “it works” to “it must be controlled.”

Common situations include:

  • Multi-tier applications: You need frontend, API, worker, and database pods to communicate only on required paths.
  • Shared clusters: Different teams or business units run workloads in the same cluster, and you need namespace or app isolation.
  • Compliance work: Auditors ask how east-west traffic is restricted and how least privilege is enforced.
  • Incident response: After a compromise, you want to limit lateral movement between workloads.
  • Zero trust initiatives: You are replacing broad internal trust with explicit service-to-service controls.
  • Platform engineering: You are building secure namespace baselines for developers.

For small and midsize organizations, this often becomes important after the first security review, customer questionnaire, or production incident. Teams realize that a flat pod network makes internal reconnaissance and post-compromise movement much easier.

Why it matters operationally

The main security benefit is containment. If an attacker gains code execution in one pod, unrestricted networking can let them scan services, hit internal admin ports, or reach data stores that were never meant to be exposed cluster-wide. Network policies narrow that path.

They also improve change discipline. Once traffic must be declared, hidden dependencies surface. That can temporarily slow deployment, but it usually leads to better documentation and more predictable operations.

A practical rollout pattern is:

  1. Start with non-production namespaces.
  2. Map current flows with logs or service mesh telemetry.
  3. Apply default deny policies.
  4. Add minimal allow rules per app.
  5. Promote tested policies into production.

Technical Notes

An egress control example for an API pod that should reach only PostgreSQL:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress-db-only
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432

Be careful with DNS. Many teams apply egress restrictions and accidentally break name resolution. You may need an explicit rule for CoreDNS, depending on your environment.

Example check:

kubectl get svc -n kube-system
kubectl get pods -n kube-system -l k8s-app=kube-dns

Common mistakes to avoid

The most common mistake is assuming a policy is global when it is namespace-scoped. A podSelector without a namespaceSelector usually applies only within the same namespace context.

Other frequent issues:

  • No default deny baseline: You write allow policies, but nothing is actually denied because the target pods were never isolated first.
  • Wrong labels: Policies match labels, not deployment names or service names.
  • Forgetting egress: Teams often lock down ingress and leave outbound traffic wide open.
  • Ignoring platform dependencies: Some CNIs extend behavior beyond standard Kubernetes, but core policy behavior still depends on enforcement support.
  • Breaking DNS or metrics paths: Observability and service discovery often need explicit allowances.

Technical Notes

A namespace-aware allow rule can look like this:

ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            team: shared-services
        podSelector:
          matchLabels:
            app: ingress-controller

This pattern is useful when traffic should be allowed only from a labeled namespace and a specific pod group inside it.

  • Kubernetes NetworkPolicy: The native resource used to define allowed ingress and egress traffic for pods.
  • CNI plugin: The networking component that must enforce the policy, such as Calico or Cilium.
  • East-west traffic: Internal cluster or data center traffic between workloads, not user-to-app traffic.
  • Microsegmentation: Fine-grained isolation between workloads based on identity, labels, or policy.
  • Least privilege networking: Allow only the minimum network access a workload needs.
  • Namespace isolation: Restricting traffic between workloads in different namespaces.
  • Egress control: Limiting where pods can send outbound traffic.
  • Lateral movement: The post-compromise movement of an attacker from one workload to others.

Bottom line

Securing inter-pod communication with network policies is the Kubernetes-native way to limit which workloads can talk to each other. For practitioners, the real value is simple: reduce blast radius, enforce least privilege, and make internal cluster traffic intentional instead of implicitly trusted.

For further reading, check out our articles on Kubernetes security best practices and what VPN protocol should I use.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-24

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.