Kubernetes NetworkPolicy: A Practical Guide to Default-Deny
The first time I tried to enforce NetworkPolicy in a real cluster, I broke DNS for an entire namespace and spent the next forty minutes wondering why every pod was returning i/o timeout. This post is the guide I wish I had read first.

The mental model

A NetworkPolicy is a label-selector-driven firewall rule. It only does two things:

- Selects pods by label (in a single namespace).
- Specifies allowed ingress, egress, or both for those pods.

Three rules that took me too long to internalize: ...