The pod was running, but nothing could reach it. You checked the service, the deployment, the node. All green. The problem was the network policy. Kubernetes Network Policies decide which traffic is allowed in and out of your pods. If you get them wrong, your app is either wide open or completely cut off.
A NetworkPolicy in Kubernetes is a resource that defines rules at the IP address or port level. These rules use labels to match pods and namespaces. By default, pods accept all traffic. Once a policy selects a pod, the default for that pod flips to deny all in the direction the policy covers, unless a rule allows it. This makes policies powerful, and dangerous without precision.
You can control ingress, egress, or both. Ingress governs incoming connections to a pod. Egress governs outgoing connections from a pod. You can match by podSelector, namespaceSelector, and ipBlock. Policies are enforced by the CNI plugin you are using; on a plugin that does not implement NetworkPolicy, the resource is accepted but has no effect. Not all plugins support all features, so check before you deploy.
When running network-reliant tools like Mosh, the mobile shell that stays connected across network changes, you must configure Network Policies to allow its traffic. Mosh relies on UDP, typically on ports in the range 60000 to 61000. A standard NetworkPolicy example for Mosh requires UDP rules in both ingress and egress for the correct port range. Without these rules, Mosh sessions will fail despite healthy pods.
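A policy of the kind described above, as an added example that is not from the original page. The policy name, namespace, `app: mosh` label and the 203.0.113.0/24 client range are placeholders, and the TCP 22 rule assumes the Mosh session is started over SSH, which the page does not mention.

```yaml
# Added example: allow Mosh UDP traffic to and from one set of pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mosh            # hypothetical name
  namespace: default          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: mosh               # hypothetical label on the pods that use Mosh
  policyTypes:                # selected pods become default-deny in both directions
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24   # placeholder client range (documentation block)
      ports:
        - protocol: UDP
          port: 60000
          endPort: 61000      # port..endPort is an inclusive range
        - protocol: TCP
          port: 22            # assumption: Mosh is bootstrapped over SSH
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24   # same placeholder range
      ports:                  # "ports" always matches the destination port
        - protocol: UDP
          port: 60000
          endPort: 61000
```

Because the policy lists `Egress`, every other outbound connection from the selected pods, DNS included, is dropped unless another rule allows it. `endPort` only takes effect on a CNI plugin that supports port ranges; elsewhere the rule applies to the single `port` value.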