network-policies

# Skill: Network Policies > **Expertise:** K8s NetworkPolicy + Cilium policy design for multi-tenant namespace isolation and zero-trust traffic control. ## When to load When isolating a new namespace, allowing specific service-to-service communication, debugging traffic being blocked, or auditing inter-namespace access. ## Standard Policy Set (apply to every new namespace) ```yaml # 1. Default deny-all (must be first) apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: my-app spec: podSelector: {} # matches ALL pods in namespace policyTypes: [Ingress, Egress] --- # 2. Allow DNS (required for all pods) apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-dns-egress namespace: my-app spec: podSelector: {} policyTypes: [Egress] egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP --- # 3. Allow ingress from ingress controller apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-ingress-controller namespace: my-app spec: podSelector: matchLabels: app: my-service policyTypes: [Ingress] ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: ingress-nginx ports: - port: 8080 ``` ## Service-to-Service Policy ```yaml # Allow order-service (in orders ns) to call payment-service (in payments ns) apiVersion: netw...