Stage 5 · Platform
Networking, Storage & Service Mesh
CNI & Network Policies
Calico, Cilium, Weave, and Kubernetes NetworkPolicy.
CNI Overview
Container Networking Interface (CNI) is the standard for Kubernetes network plugins. Each node runs a CNI plugin that creates network interfaces, assigns IPs, and sets up routes. The CNI plugin determines how pods communicate across nodes and what network policies are enforced.
Pod created
|
v
kubelet calls CNI ADD
|
v
CNI plugin creates veth pair
|
v
One end in pod namespace, one on host bridge
|
v
IP assigned from pod CIDR
|
v
Route configured for pod trafficEach pod gets a veth (virtual ethernet) pair. One end is inside the pod's network namespace, the other is on the host. The CNI plugin connects the host end to a bridge or overlay network.
CNI Plugins Comparison
| Plugin | Networking | Policy | Performance |
|---|---|---|---|
| Calico | BGP/overlay | Full NetworkPolicy | High — native routing |
| Cilium | eBPF | Full + L7 policies | Highest — kernel bypass |
| Flannel | VXLAN overlay | None (needs Calico) | Medium — overlay overhead |
| Weave | VXLAN/mesh | Basic policies | Medium — mesh overhead |
NetworkPolicy
NetworkPolicy defines ingress and egress rules for pods. By default, all pod traffic is allowed. NetworkPolicy lets you restrict which pods can communicate with each other. Without a CNI that supports NetworkPolicy (like Calico or Cilium), the policies have no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-policy
namespace: production
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: frontend
- podSelector:
matchLabels:
app: web
ports:
- protocol: TCP
port: 8080This policy allows ingress to api pods only from pods labeled app=web in the frontend namespace. All other ingress is blocked. The namespaceSelector uses the built-in kubernetes.io/metadata.name label.
Multiple NetworkPolicies are additive, not exclusive. If policy A allows traffic from X and policy B allows traffic from Y, pods get traffic from both X and Y. There is no way to deny specific sources — only allow specific sources.
Default Deny
Default deny blocks all traffic to pods in a namespace. You then add policies to allow specific traffic. This is a security best practice — start with no access, then grant only what is needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {} # Selects all pods in namespace
policyTypes:
- Ingress
- Egress
# No ingress/egress rules = deny allpodSelector: {} selects all pods. policyTypes lists Ingress and Egress with no rules — this denies all traffic in both directions. Then add specific policies to allow required traffic.
Policy Patterns
Common NetworkPolicy patterns: allow DNS egress (critical — without it pods can't resolve service names), allow monitoring scraping, restrict database access, and isolate tenants.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53Without this policy, default-deny blocks DNS resolution. Pods cannot reach CoreDNS and cannot resolve service names. Always add this policy alongside default-deny in every namespace.
Debugging Network Policies
Debugging network policies requires checking whether the CNI supports them, which policies apply, and where traffic is blocked. Use network policy visualization tools and packet captures to trace traffic flow.
# Test connectivity between pods
kubectl exec -it test-pod -- curl -s http://api-service:80
# Check applied network policies
kubectl get networkpolicies --all-namespaces
# Inspect Calico policies
kubectl get networkpolicies -o yaml | grep -A 10 "spec:"
# Run netshoot for advanced debugging
kubectl run netshoot --image=nicolaka/netshoot --rm -it -- /bin/bash
# Inside netshoot: trace connections
tcpdump -i eth0 -nn port 53
dig api-service.production.svc.cluster.localThe netshoot pod has networking tools (curl, dig, tcpdump, nmap) for debugging. It shares the host network by default, so it can reach all pods. Use it to test connectivity and trace traffic flow.
Cilium provides policy verdict logs that show exactly which policy allowed or denied traffic. Enable with --policy-verdict-log. This is invaluable for debugging why traffic is blocked — it shows the exact policy and rule.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.