NetworkPolicy Starter Pack (Preview)

Included policies

  • 00-default-deny-ingress.yaml — deny all ingress
  • 01-default-deny-egress.yaml — deny all egress
  • 10-allow-dns-egress.yaml — allow UDP/TCP 53 to kube-dns
  • 20-allow-app-ingress.yaml — allow inbound to your app port

00-default-deny-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress: []

01-default-deny-egress.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress: []

10-allow-dns-egress.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

20-allow-app-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-ingress
spec:
  podSelector:
    matchLabels:
      app: app   # adjust to your Deployment label
  policyTypes: ["Ingress"]
  ingress:
  - ports:
    - protocol: TCP
      port: 3000  # adjust to your container port
    # no 'from' selector = allow from anywhere on this port

Tip: label your pods with app: app (or update the selector above). If you use an Ingress Controller, restrict the 'from' field of 20-allow-app-ingress.yaml to its pods (namespaceSelector plus podSelector) for tighter ingress; as written, the policy accepts traffic to the app port from any source.
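The four policies only make sense together, because NetworkPolicies are additive: the two default-deny policies isolate every pod, and the allow policies punch specific holes. The following is an added example, not part of the starter pack: a small evaluator that mirrors the four manifests as Python dicts and checks what the combined set permits. It assumes a single namespace, label selectors only (no ipBlock), and peers described by their namespace and pod labels.

```python
# The policy dicts below mirror the four YAML files of the starter pack (constructed here).
DENY_INGRESS = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}}
DENY_EGRESS = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": []}}
ALLOW_DNS = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}}
ALLOW_APP = {"spec": {"podSelector": {"matchLabels": {"app": "app"}}, "policyTypes": ["Ingress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 3000}]}]}}  # no 'from': any source
STARTER_PACK = [DENY_INGRESS, DENY_EGRESS, ALLOW_DNS, ALLOW_APP]

def selects(selector, labels):
    """Label selector match; an empty selector ({}) matches every pod or namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, other):
    """'other' is {'ns': namespace labels, 'pod': pod labels}; every selector present must match."""
    for key, labels in (("namespaceSelector", other["ns"]), ("podSelector", other["pod"])):
        if key in peer and not selects(peer[key], labels):
            return False
    return True

def port_matches(ports, proto, port):
    """An omitted or empty ports list means every port and protocol."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def allowed(policies, pod_labels, direction, other, proto, port):
    """Policies are additive: a pod selected by any policy of this direction is isolated and
    traffic passes only if some rule allows it; a pod no policy selects stays unrestricted."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if not selects(spec["podSelector"], pod_labels) or direction not in spec["policyTypes"]:
            continue
        isolated = True
        for rule in spec.get(direction.lower()) or []:
            peers = rule.get("from" if direction == "Ingress" else "to") or []
            if ((not peers or any(peer_matches(p, other) for p in peers))
                    and port_matches(rule.get("ports"), proto, port)):
                return True
    return not isolated

def starter_pack_checks():
    """Constructed scenarios: a pod labelled app=app, and a pod the app policy does not select."""
    app, anywhere = {"app": "app"}, {"ns": {}, "pod": {}}
    dns = {"ns": {"kubernetes.io/metadata.name": "kube-system"}, "pod": {"k8s-app": "kube-dns"}}
    return {
        "app_dns_udp": allowed(STARTER_PACK, app, "Egress", dns, "UDP", 53),
        "app_egress_https": allowed(STARTER_PACK, app, "Egress", anywhere, "TCP", 443),
        "app_ingress_3000": allowed(STARTER_PACK, app, "Ingress", anywhere, "TCP", 3000),
        "app_ingress_22": allowed(STARTER_PACK, app, "Ingress", anywhere, "TCP", 22),
        "db_ingress_3000": allowed(STARTER_PACK, {"app": "db"}, "Ingress", anywhere, "TCP", 3000),
        "db_without_default_deny": allowed([ALLOW_APP], {"app": "db"}, "Ingress", anywhere, "TCP", 22),
    }
```

The last scenario shows why the default-deny policies come first: with only the allow policy applied, a pod it does not select remains wide open. The policies also take effect only on a CNI plugin that enforces NetworkPolicy; a cluster without one accepts the manifests and silently ignores them.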