Kubernetes Network Policies: Why Default-Open is Dangerous and How to Secure Your Cluster
The pod had no walls. Every packet could enter. Every packet could leave.
Kubernetes Network Policies change that. They define what traffic can flow between pods, namespaces, and external endpoints. Without them, any service inside your cluster is exposed to internal and potentially external traffic. With them, you gain fine control over ingress and egress, reducing the attack surface.
A Network Policy is a Kubernetes resource written in declarative YAML. It selects pods by labels and applies rules that allow specific traffic by protocol and port; for a selected pod, traffic no rule allows is blocked. When no Network Policy exists, all traffic is allowed by default. Once a policy selects a pod, it becomes a whitelist: only the traffic it allows can flow. Pods not selected by any policy remain open.
For security, this default-open behavior is dangerous. Internal services, admin tools, or data stores not meant for public consumption can be reached by compromised pods or misconfigured workloads. A proper security review checks:
- Which pods have no Network Policy applied.
- Overly permissive ingress rules that allow traffic from all namespaces.
- Lack of egress control, letting pods connect to any external IP.
- Policies that match only on TCP ports and ignore other protocols or the source namespace.
Ingress rules should specify both pod selectors and namespace selectors to limit sources. Egress rules should narrow destinations to trusted networks, DNS names, or specific addresses. Combined, these measures block lateral movement and cut off malicious exfiltration paths.
Auditing Network Policies is continuous work. Every deployment, service addition, and label change can unintentionally bypass rules. Automating security reviews through CI pipelines and real-time monitoring is the only way to keep them effective.
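The review checklist above, written as an added example (not hoop.dev's code) in Python over the JSON shape that `kubectl get pods,networkpolicies -A -o json` returns; the pod and policy objects here are constructed inline rather than read from a cluster. It applies the API's own default for `policyTypes` (Ingress is always implied, Egress only when an egress section exists), which is why a pod can be ingress-isolated yet still egress-open, and it reports pods left default-open in each direction plus ingress rules that accept traffic from every namespace or from any address.

```python
# Audit helpers for the checklist above; objects use the kubectl JSON layout.

def matches(selector, labels):
    # matchLabels only; an empty selector {} selects every pod in the namespace (the default-deny idiom)
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(pol):
    # API default when policyTypes is omitted: Ingress always, Egress only if an egress section exists
    spec = pol["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def isolation(pod, policies):
    # Directions in which at least one policy in the pod's own namespace selects the pod
    ns, labels = pod["metadata"]["namespace"], pod["metadata"].get("labels", {})
    out = set()
    for pol in policies:
        if pol["metadata"]["namespace"] == ns and matches(pol["spec"].get("podSelector", {}), labels):
            out |= policy_types(pol)
    return out

def unisolated_pods(pods, policies, direction):
    # Pods still default-open in the given direction ("Ingress" or "Egress")
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in pods if direction not in isolation(p, policies)]

def broad_ingress_policies(policies):
    # Ingress rules with no `from` (any source), a bare empty namespaceSelector (every namespace), or 0.0.0.0/0
    def broad(peer):
        return ((peer.get("namespaceSelector") == {} and "podSelector" not in peer)
                or peer.get("ipBlock", {}).get("cidr") == "0.0.0.0/0")
    return [pol["metadata"]["name"] for pol in policies if "Ingress" in policy_types(pol)
            and any(not rule.get("from") or any(broad(p) for p in rule["from"])
                    for rule in pol["spec"].get("ingress", []))]

def obj(ns, name, labels=None, **spec):
    return {"metadata": {"namespace": ns, "name": name, "labels": labels or {}}, "spec": spec}

# Constructed sample cluster state (not captured from a real cluster)
PODS = [obj("payments", "api", {"app": "api"}), obj("payments", "db", {"app": "db"}),
        obj("payments", "batch", {"app": "batch"}), obj("staging", "web", {"app": "web"})]
POLICIES = [
    obj("payments", "default-deny-ingress", podSelector={}, policyTypes=["Ingress"]),
    obj("payments", "api-allow-all-ns", podSelector={"matchLabels": {"app": "api"}},
        ingress=[{"from": [{"namespaceSelector": {}}], "ports": [{"protocol": "TCP", "port": 8080}]}]),
    obj("payments", "db-egress", podSelector={"matchLabels": {"app": "db"}},
        egress=[{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]),  # no policyTypes: Ingress is implied too
]
```

The core NetworkPolicy API selects egress destinations by ipBlock CIDR, pod selector and namespace selector only; DNS-name matching requires a CNI-specific policy type, which an audit of core objects like this one will not see.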
Kubernetes offers no warnings when traffic flows outside your intended design. The absence of rules is silent but dangerous. The presence of overly broad rules creates a false sense of safety. Precision matters.
Lock down your cluster with targeted, tested policies—and keep them under review. See exactly how it works, and run a full Kubernetes Network Policies security review live in minutes with hoop.dev.