Firewall for intra-cluster communication
Must be implemented by CNI plugin
NetworkPolicy
Network policies are namespaced and enforced per namespace
Allow all traffic without policies
Deny by default when a policy exists
Policies can only allow traffic
Policies are applied using label selector
Ingress and egress are handled separately
Supports layer 3 and layer 4
No traffic routing
No TLS
No node specific policies
No targeting of services
No cluster-wide default policies
No audit logging
kubenet, flannel
Pluggable data planes and extended network policies
Flannel for networking and Calico for policy
Based on eBPF with extended network policies and observability
Filter connections between pods
Control HTTP from test1 to test2
Requires DNS to work
Enable access to Kubernetes API
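
Added example, not from the original slides: manifests that put the points above together, with deny by default once a policy selects the pods, allow-only rules, label selectors, separate ingress and egress, and the DNS egress rule the HTTP connection depends on. The namespace `demo`, the labels `app=test1` / `app=test2`, port 80 and DNS running in `kube-system` are assumptions.

```yaml
# Constructed example; namespace "demo" and labels app=test1 / app=test2 are assumptions.
# 1) An empty podSelector selects every pod, so the namespace becomes deny-by-default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2) Ingress side: test2 accepts TCP/80 from test1 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test2-allow-http-from-test1
  namespace: demo
spec:
  podSelector:
    matchLabels: {app: test2}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: test1}
      ports:
        - {protocol: TCP, port: 80}
---
# 3) Egress side: test1 may reach test2 on TCP/80 and cluster DNS (assumed in kube-system).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test1-allow-http-and-dns
  namespace: demo
spec:
  podSelector:
    matchLabels: {app: test1}
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels: {app: test2}
      ports:
        - {protocol: TCP, port: 80}
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

Without the second egress rule in policy 3, test1 cannot resolve test2's name and the HTTP request fails before it is sent. Access to the Kubernetes API is not covered here and needs a further egress rule.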