Internal Port Restrictions in Kubernetes Network Policies

Smoke curls from the logs, but nothing moves through the port. In Kubernetes, that’s by design. Network Policies control exactly which traffic flows inside your cluster, and internal port rules are the guardrails that decide what connects — and what stays silent.

Kubernetes Network Policies are declarative rules that define how pods communicate. You decide whether a pod can talk to another pod, to a namespace, or to an external endpoint. Without any policy selecting a pod, all traffic to and from it is open. Once a policy selects it, every path the policy does not grant is blocked for the direction (ingress, egress, or both) the policy covers. This includes access to internal ports, the numbered endpoints where services listen.

An internal port in Kubernetes is the target port on a pod or service, usually not exposed outside the cluster. You use it for inter-pod communication, API calls, or database connections within the cluster. Network Policies can allow traffic to specific internal ports while denying all others. This is critical for security. It limits attack surfaces and prevents unauthorized services from probing sensitive applications.

To write a Network Policy for an internal port, you specify ports inside the ingress or egress rules. The YAML looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-traffic
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
      ports:
        - protocol: TCP
          port: 5432

This example allows TCP traffic to port 5432 on pods labeled app: database in the backend namespace, and only from pods in namespaces labeled name: frontend. Every other ingress path to those pods, whether a different port, pod, or namespace, is denied by default. Because policyTypes lists only Ingress, the policy leaves the database pods' outbound traffic untouched, and pods the podSelector does not match are not isolated by it at all.
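To check such a policy before applying it, the allow-db-traffic rule above can be evaluated offline against a few sample pods. The script below is an added example, not code from the original post or from Kubernetes; the pod names, namespace labels and the monitoring namespace are constructed, and it assumes each namespace carries the name label the policy's namespaceSelector keys on.

```python
# Added example, not from the original post or from Kubernetes: an offline evaluator for the
# ingress side of NetworkPolicy, applied to the post's allow-db-traffic policy (matchLabels only).
POLICY = {
    "metadata": {"name": "allow-db-traffic", "namespace": "backend"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}],
    },
}

# Constructed sample cluster; assumes each namespace carries the "name" label the policy keys on.
NAMESPACES = {ns: {"name": ns} for ns in ("backend", "frontend", "monitoring")}
PODS = {  # pod name -> (namespace, labels)
    "db-0": ("backend", {"app": "database"}),
    "web-0": ("frontend", {"app": "web"}),
    "prom-0": ("monitoring", {"app": "prometheus"}),
    "cache-0": ("backend", {"app": "redis"}),
}

def selects(selector, labels):
    # An empty selector matches everything; otherwise every matchLabels pair must be present.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src_ns, src_labels):
    # namespaceSelector alone: matching namespaces; podSelector alone: policy's own namespace; both: AND.
    if "ipBlock" in peer:  # CIDR peers are out of scope for this evaluator
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = selects(ns_sel, NAMESPACES[src_ns]) if ns_sel is not None else src_ns == policy_ns
    pod_ok = selects(pod_sel, src_labels) if pod_sel is not None else True
    return ns_ok and pod_ok

def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    # True if pod `src` may connect to pod `dst` on port/protocol under `policies`.
    (src_ns, src_labels), (dst_ns, dst_labels) = PODS[src], PODS[dst]
    applicable = [p for p in policies if p["metadata"]["namespace"] == dst_ns
                  and selects(p["spec"]["podSelector"], dst_labels)
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not applicable:
        return True  # no policy selects the pod, so its ingress is not isolated
    for p in applicable:  # rules across all applicable policies are ORed
        for rule in p["spec"].get("ingress", []):
            peers, ports = rule.get("from", []), rule.get("ports", [])
            src_ok = not peers or any(peer_matches(x, dst_ns, src_ns, src_labels) for x in peers)
            port_ok = not ports or any(x.get("protocol", "TCP") == protocol and x["port"] == port for x in ports)
            if src_ok and port_ok:
                return True
    return False
```

Note that cache-0, although it sits in the same backend namespace, is neither allowed to reach the database (the namespaceSelector names only frontend) nor protected itself, since the podSelector does not match it.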

For internal port control, remember:

  • Always define both protocol and port for precision.
  • Use namespace and pod selectors to scope access tightly.
  • Combine with egress rules to stop unwanted outbound traffic.

Misconfigured network policies can block critical services or leave unnecessary ports open. Always test in a staging environment before committing to production. Audit policies regularly. As applications evolve, ports and connectivity needs change.

Internal port restrictions in Kubernetes Network Policies are not optional. They are the direct line between a secure cluster and an exposed one. The right policy locks the gates without slowing the work inside.

Lock your ports. Control your paths. See how fast you can get it right — try it live with hoop.dev in minutes.