03-deny-all-non-whitelisted-traffic-in-the-namespace.md

File metadata and controls

46 lines (34 loc) · 1.37 KB

DENY all non-whitelisted traffic in the current namespace

💡 Use Case: This is a fundamental policy, blocking all cross-pod networking other than the traffic whitelisted via the other Network Policies you deploy.

Consider applying this manifest to any namespace you deploy workloads to (anything but kube-system).

💡 Best Practice: This policy gives you a default "deny all" behaviour. This way you can clearly identify which components depend on which, and deploy Network Policies that can be translated into a dependency graph between components.

Diagram of DENY all non-whitelisted traffic policy

Manifest

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector:
    matchLabels: {}   # empty selector: matches every pod in the namespace

Note a few things about this manifest:

  • namespace: default deploys this policy to the default namespace.
  • matchLabels: {} is empty, which means it matches all pods. Therefore the policy is enforced on ALL pods in this namespace.
  • There are no ingress rules, so traffic to the selected (all) pods is dropped.

Save this manifest to default-deny-all.yaml and apply:

$ kubectl apply -f default-deny-all.yaml
networkpolicy "default-deny-all" created
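The notes above explain why an empty selector plus no ingress rules means deny-all. As an added example (not code from the recipes repo), the following Python classifies NetworkPolicy objects in dict form, as produced by `kubectl get networkpolicy -o json` or `yaml.safe_load` of a manifest, and also flags the look-alike that uses one empty ingress rule (`- {}`), which allows everything rather than denying it; the function and sample names are assumptions of this example.

```python
def selects_all_pods(pod_selector):
    """An empty selector ({} / null / matchLabels: {}) selects every pod in the namespace."""
    if not pod_selector:
        return True
    return not pod_selector.get("matchLabels") and not pod_selector.get("matchExpressions")

def classify(policy, direction="Ingress"):
    """Return 'deny-all', 'allow-all', 'selective', or 'n/a' for the given direction."""
    spec = policy.get("spec") or {}
    # policyTypes defaults to Ingress, plus Egress only when an egress section is present.
    policy_types = spec.get("policyTypes") or (
        ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]
    )
    if direction not in policy_types or not selects_all_pods(spec.get("podSelector")):
        return "n/a"
    rules = spec.get(direction.lower()) or []
    if not rules:  # no rules at all: nothing is whitelisted, so everything is dropped
        return "deny-all"
    if any(not rule for rule in rules):  # a bare `- {}` rule matches every peer and port
        return "allow-all"
    return "selective"

def namespace_has_default_deny(policies, namespace, direction="Ingress"):
    """True if some policy in `namespace` is a deny-all for `direction`."""
    return any(
        (p.get("metadata") or {}).get("namespace") == namespace
        and classify(p, direction) == "deny-all"
        for p in policies
    )

# The page's manifest as a dict, plus two constructed variants for comparison.
DEFAULT_DENY_ALL = {
    "kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "default-deny-all", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {}}},
}
LOOKS_LIKE_DENY_BUT_ALLOWS_ALL = {  # constructed: one empty ingress rule
    "metadata": {"name": "oops", "namespace": "staging"},
    "spec": {"podSelector": {}, "ingress": [{}]},
}
SELECTIVE = {  # constructed: whitelists one source label for all pods
    "metadata": {"name": "allow-from-api", "namespace": "default"},
    "spec": {"podSelector": {},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]},
}
SAMPLE_POLICIES = [DEFAULT_DENY_ALL, LOOKS_LIKE_DENY_BUT_ALLOWS_ALL, SELECTIVE]
```

Note that the page's manifest only isolates ingress; egress stays open unless `policyTypes` lists `Egress`, which `classify(DEFAULT_DENY_ALL, "Egress")` reports as `n/a`.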

Cleanup

kubectl delete networkpolicy default-deny-all