
Outbound-only Kubernetes Network Policies


The pods can send outbound traffic. Nothing else gets in.

Kubernetes Network Policies make this possible with precision. By default, Kubernetes allows all inbound and outbound connections between pods. For security, compliance, and control, this is too open. Outbound-only connectivity locks pods down. They can reach the internet or other services, but they cannot be reached except by allowed endpoints.

To implement outbound-only connectivity, you define a NetworkPolicy resource with no ingress rules and explicit egress rules. The lack of ingress means zero incoming traffic unless an exception is stated. The egress rules specify destinations the pod can talk to—by namespace, label, or CIDR block.

Example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: outbound-only
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
    - Egress
    - Ingress
  ingress: []
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443

This policy applies to pods labelled role: backend. It blocks all inbound access and allows outbound HTTPS (TCP 443) to any address. Add further to entries under egress for other services as needed.

Key design points:

  • Keep ingress empty if you want full inbound denial.
  • Use CIDR ranges to restrict destinations to known networks.
  • Apply labels carefully—NetworkPolicies only apply to pods matching the selectors.
  • Remember that policies are additive, not destructive: when several policies select the same pod, the traffic allowed is the union of their rules.
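A check for the policy above and the design points just listed, written as an added example (not code from the post or from hoop.dev): it lints a NetworkPolicy to confirm inbound is really denied, egress is really restricted, and name resolution still works. The policy is embedded as a constructed dict so no YAML library is needed; the DNS rule assumes the cluster DNS pods carry the usual k8s-app=kube-dns label in kube-system and that namespaces carry the kubernetes.io/metadata.name label.

```python
def effective_policy_types(spec: dict) -> set:
    """Apply the Kubernetes default when policyTypes is omitted: Ingress is
    always implied, Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}

def allows_dns(egress_rules: list) -> bool:
    """True if some egress rule permits port 53 (a rule with no ports clause allows every port)."""
    for rule in egress_rules:
        ports = rule.get("ports")
        if not ports or any(p.get("port") == 53 for p in ports):
            return True
    return False

def lint_outbound_only(policy: dict) -> list:
    """Return findings; an empty list means inbound is fully denied and
    outbound is restricted without breaking name resolution."""
    spec = policy.get("spec", {})
    types = effective_policy_types(spec)
    findings = []
    if "Ingress" not in types:
        findings.append("Ingress not in policyTypes: inbound traffic is not blocked")
    elif spec.get("ingress"):
        findings.append("ingress has rules: not a full inbound deny")
    if "Egress" not in types:
        findings.append("Egress not in policyTypes: all outbound traffic is allowed")
    elif not spec.get("egress"):
        findings.append("egress is empty: the pod cannot send anything, not even DNS")
    elif not allows_dns(spec["egress"]):
        findings.append("no egress rule allows port 53: DNS lookups will fail")
    return findings

# Constructed sample: the post's policy as a dict (no PyYAML dependency).
PAGE_POLICY = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "outbound-only", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"role": "backend"}},
             "policyTypes": ["Egress", "Ingress"], "ingress": [],
             "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                         "ports": [{"protocol": "TCP", "port": 443}]}]}}

# Extra egress rule for cluster DNS; assumes the DNS pods are labelled
# k8s-app=kube-dns in kube-system (the common default, an assumption here).
DNS_RULE = {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}
POLICY_WITH_DNS = {**PAGE_POLICY, "spec": {**PAGE_POLICY["spec"],
                   "egress": PAGE_POLICY["spec"]["egress"] + [DNS_RULE]}}
```

Run against the post's policy the lint reports that no egress rule allows port 53, which is the usual reason an outbound-only pod suddenly cannot resolve names; adding the DNS rule clears it.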

Outbound-only connectivity is a strong default stance in cluster security. It reduces exposure, limits attack surfaces, and enforces predictable networking behavior. Combine it with tight ingress controls at the namespace and service level for layered protection.

Want to skip YAML wrangling and see outbound-only Kubernetes Network Policies running now? Launch it in minutes at hoop.dev.
