Build fluency in the vocabulary of restricting which pods are allowed to talk to which other pods.
0 / 5 completed
1 / 5
At standup, a dev mentions restricting which pods are allowed to send traffic to which other pods, since Kubernetes allows any pod to reach any other pod by default with no such restriction in place. What Kubernetes object provides this?
A NetworkPolicy restricts which pods are allowed to send traffic to which other pods, since Kubernetes otherwise allows any pod to reach any other pod by default with no such restriction. A ResourceQuota constrains CPU and memory consumption within a namespace, which is an entirely separate concern from pod-to-pod connectivity. This restriction is what lets a cluster enforce least-privilege network access between its workloads.
2 / 5
During a design review, the team wants a pod to be blocked from making any outbound connection at all unless an explicit rule allows it, rather than allowing every outbound connection by default. Which capability supports this?
A default-deny egress NetworkPolicy blocks a pod from making any outbound connection at all unless an explicit rule permits it, flipping the cluster's default-allow posture into a least-privilege one. Allowing every outbound connection by default leaves a compromised pod free to reach any destination it wants. This default-deny approach is a foundational building block of a zero-trust network posture inside a cluster.
3 / 5
In a code review, a dev notices a NetworkPolicy's rule combines a podSelector with a namespaceSelector, so it only allows traffic from pods carrying a specific label within a specific namespace. What does this represent?
Scoped ingress matching that combines a podSelector with a namespaceSelector allows traffic only from pods carrying a specific label within a specific namespace, rather than trusting any pod anywhere in the cluster. Allowing traffic from any pod in any namespace, with no such scoping, undermines the precision a NetworkPolicy is meant to provide. This combined selector matching is what lets a policy express a genuinely narrow, intentional trust relationship between workloads.
4 / 5
An incident report shows a compromised pod was able to exfiltrate data to an external destination because the cluster had no NetworkPolicy at all, so every pod's outbound traffic was allowed by the platform's default. What practice would prevent this?
Applying a default-deny NetworkPolicy and only explicitly allowing the specific traffic a workload genuinely needs limits the blast radius of a compromised pod, since it can no longer reach an arbitrary external destination. Leaving every namespace with no policy applied is exactly what allowed the data exfiltration this incident describes. This default-deny-plus-explicit-allow pattern is a standard defense-in-depth practice for any cluster handling sensitive data.
5 / 5
During a PR review, a teammate asks why the team enforces a NetworkPolicy in addition to already running mutual TLS between services in a service mesh. What is the reasoning?
Mutual TLS authenticates and encrypts traffic between services but doesn't stop an unauthorized connection from being attempted at the network layer in the first place, since it operates above the raw connectivity layer. A NetworkPolicy blocks that connectivity outright at the CNI level, providing a layer of defense that doesn't depend on every workload correctly participating in the mesh. The tradeoff is the added complexity of maintaining two overlapping but distinct security mechanisms across the cluster.