Execute use when managing Kubernetes network policies and firewall rules. Trigger with phrases like "create network policy", "configure firewall rules", "restrict pod communication", or "setup ingress/egress rules". Generates Kubernetes NetworkPolicy manifests following least privilege and zero-trust principles.
Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.
Prerequisites
Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
kubectl configured with permissions to create and manage NetworkPolicy resources
Pod labels consistently defined across deployments for accurate selector targeting
Service communication map documenting which pods need to talk to which pods on which ports
Understanding of DNS requirements (pods need egress to kube-dns on port 53 for name resolution)
Instructions
Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
Start with a default-deny policy for both ingress and egress in each namespace to establish zero-trust baseline
Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
Always include a DNS egress rule allowing traffic to kube-system namespace on UDP/TCP port 53 for CoreDNS
Define egress rules for external API access: use CIDR blocks or namespaceSelector for known external services
Apply policies to a test namespace first and verify connectivity with kubectl exec curl/wget commands
Monitor for blocked traffic in the CNI plugin logs (Calico: calicoctl node status, Cilium: cilium monitor)
Iterate on policies: add missing allow rules for any legitimate traffic that gets blocked
Document each policy with annotations explaining the business reason for the allowed communication
Output
Default-deny NetworkPolicy manifests for ingress and egress per namespace
Allow-list NetworkPolicy manifests for each service communication path
DNS egress policy allowing pod name resolution
External access egress policies with CIDR blocks
Connectivity test commands for validation
Error Handling
Error
Cause
Solution
All traffic blocked after applying policy
Default-deny applied without corresponding allow rules
Apply allow rules before or simultaneously with deny policies; verify with kubectl exec tests
DNS resolution fails after network policy
Missing egress rule for kube-dns/CoreDNS
Add egress policy allowing UDP and TCP port 53 to kube-system namespace
Policy not targeting intended pods
Label mismatch between policy selector and pod labels
Verify labels with kubectl get pods --show-labels; match selectors exactly
Traffic still allowed despite deny policy
CNI plugin does not support NetworkPolicy or policy in wrong namespace
Verify CNI support with kubectl get networkpolicy -A; ensure policy is in the correct namespace
Intermittent connection failures
Policy allows traffic but connection pool or timeout settings too aggressive
Check if the issue is network policy or application-level; test with kubectl exec during failures
Examples
"Create a default-deny policy for the production namespace, then add allow rules so only the ingress controller can reach web pods on port 443."
"Generate egress policies that restrict the API pods to communicate only with PostgreSQL (port 5432), Redis (port 6379), and external HTTPS APIs."
"Build a complete set of network policies for a 3-tier app: frontend -> API (8080), API -> database (5432), API -> cache (6379), all pods -> DNS (53)."