DevOps AI ToolKit
AI for Kubernetes & Helm

Zero-Trust NetworkPolicy Design Prompt

Design a default-deny NetworkPolicy set for a namespace, then add precise ingress/egress allow rules per workload so only intended traffic flows, including DNS and cross-namespace dependencies.

Target user
Platform and security engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior platform security engineer designing NetworkPolicies to bring a namespace from open to default-deny zero-trust, without breaking legitimate traffic.

I will provide:
- The workloads in the namespace and their pod labels
- The actual traffic map: who calls whom, on which ports, including cross-namespace and external (DB, cache, third-party API) dependencies
- Whether the CNI enforces NetworkPolicy (Calico/Cilium) and whether egress policy is supported
- Any namespace labels available for namespaceSelector

Your job:

1. **Lay the default-deny base** — write the policies that deny all ingress and all egress in the namespace, and explain that a policy with an empty podSelector (which selects every pod), both policyTypes listed, and no rules is the deny-all primitive.
2. **Allow DNS first** — add the egress rule to kube-dns/CoreDNS (UDP/TCP 53) before anything else, since default-deny egress breaks name resolution and is the #1 footgun.
3. **Write per-workload ingress** — for each service, allow only the specific source pods (podSelector) and ports it must receive on; use namespaceSelector for cross-namespace callers.
4. **Write per-workload egress** — allow only required destinations (in-cluster pods by label, and external CIDRs for DBs/APIs), naming why each is needed.
5. **Handle the gaps** — call out that ipBlock is needed for non-pod external endpoints, and that NetworkPolicy is namespaced and additive (policies combine as OR).
6. **Verify** — give the test plan: confirm allowed paths work and a deliberately disallowed path is blocked.

Output: the ordered set of NetworkPolicy manifests (default-deny, DNS, then per-workload), a one-line rationale per policy, and a verification checklist.
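To make the prompt's ordering and its two gotchas concrete (DNS egress first; policies are additive and combine as OR, with ipBlock as the only way to name a non-pod endpoint), here is an added example that is not part of the prompt page: a small offline evaluator of NetworkPolicy semantics in Python. The policies are dicts that mirror the manifests one for one (podSelector, policyTypes, ingress/egress, from/to, ports), so each can be read as the YAML it stands for. The namespace "shop", the workloads web and api, the pods in payments and monitoring, and the 10.x addresses are all constructed sample values.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example).

Constructed scenario: namespace "shop" with a web frontend and an api,
kube-dns in kube-system, a billing pod in "payments", a Prometheus scraper
in "monitoring", and an external Postgres in 10.50.0.0/24. Names, labels and
addresses are sample values; the policy dicts mirror the manifests in the
order the prompt asks for: default-deny, DNS, per-workload ingress, egress.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Endpoint:
    """A pod (namespace + labels) or an external host (namespace=None)."""
    ip: str
    namespace: Optional[str] = None
    labels: dict = field(default_factory=dict)


# Namespace labels available for namespaceSelector (sample values).
NAMESPACE_LABELS = {ns: {"kubernetes.io/metadata.name": ns}
                    for ns in ("shop", "kube-system", "payments", "monitoring")}
WEB = Endpoint("10.1.0.10", "shop", {"app": "web"})
API = Endpoint("10.1.0.11", "shop", {"app": "api"})
DNS = Endpoint("10.2.0.5", "kube-system", {"k8s-app": "kube-dns"})
BILLING = Endpoint("10.3.0.7", "payments", {"app": "billing"})
PROM = Endpoint("10.4.0.9", "monitoring", {"app": "prometheus"})
POSTGRES = Endpoint("10.50.0.12")   # external DB: reachable only via ipBlock
GATEWAY = Endpoint("10.50.0.1")     # inside the CIDR but carved out by "except"

KUBE_DNS = {"namespaceSelector": {"kubernetes.io/metadata.name": "kube-system"},
            "podSelector": {"k8s-app": "kube-dns"}}
POLICIES = [
    # 1. Default-deny: empty podSelector selects every pod in "shop"; both
    #    policyTypes listed with no rules means nothing is allowed yet.
    {"namespace": "shop", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    # 2. DNS egress for every pod (UDP and TCP 53 to kube-dns) before anything else.
    {"namespace": "shop", "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"to": [KUBE_DNS], "ports": [{"protocol": "UDP", "port": 53},
                                             {"protocol": "TCP", "port": 53}]}]},
    # 3. Per-workload ingress: api accepts web on 8080, and, in a separate policy
    #    that combines with the first by OR, the monitoring namespace on 9090.
    {"namespace": "shop", "podSelector": {"app": "api"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"app": "web"}}],
                  "ports": [{"protocol": "TCP", "port": 8080}]}]},
    {"namespace": "shop", "podSelector": {"app": "api"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"kubernetes.io/metadata.name": "monitoring"}}],
                  "ports": [{"protocol": "TCP", "port": 9090}]}]},
    # 4. Per-workload egress: web -> api in-cluster; api -> external DB via ipBlock.
    {"namespace": "shop", "podSelector": {"app": "web"}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"podSelector": {"app": "api"}}],
                 "ports": [{"protocol": "TCP", "port": 8080}]}]},
    {"namespace": "shop", "podSelector": {"app": "api"}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"ipBlock": {"cidr": "10.50.0.0/24", "except": ["10.50.0.1/32"]}}],
                 "ports": [{"protocol": "TCP", "port": 5432}]}]},
]


def _selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def _peer_matches(peer: dict, policy_ns: str, ep: Endpoint) -> bool:
    """One entry of a from:/to: list. ipBlock is the only way to name non-pod hosts."""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(ep.ip), peer["ipBlock"]
        return (ip in ipaddress.ip_network(block["cidr"])
                and not any(ip in ipaddress.ip_network(x) for x in block.get("except", [])))
    if ep.namespace is None:          # external hosts never match label selectors
        return False
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], NAMESPACE_LABELS[ep.namespace]):
            return False
    elif ep.namespace != policy_ns:   # a bare podSelector is scoped to the policy's namespace
        return False
    return _selects(peer.get("podSelector", {}), ep.labels)


def _ports_match(ports: list, protocol: str, port: int) -> bool:
    """No ports: means every port; an entry without a number means every port of that protocol."""
    return not ports or any(p.get("protocol", "TCP") == protocol
                            and ("port" not in p or p["port"] == port) for p in ports)


def _side_allowed(ep: Endpoint, peer: Endpoint, direction: str, protocol: str, port: int) -> bool:
    """Ingress or egress at one pod: open if no policy of that type selects it; otherwise
    any matching rule in any selecting policy allows it (policies are additive, i.e. OR)."""
    if ep.namespace is None:
        return True                    # the cluster cannot enforce policy on an external host
    kind, peer_key = ("Ingress", "from") if direction == "ingress" else ("Egress", "to")
    selecting = [p for p in POLICIES if p["namespace"] == ep.namespace
                 and kind in p["policyTypes"] and _selects(p["podSelector"], ep.labels)]
    if not selecting:
        return True
    return any((not rule.get(peer_key) or any(_peer_matches(x, p["namespace"], peer) for x in rule[peer_key]))
               and _ports_match(rule.get("ports", []), protocol, port)
               for p in selecting for rule in p.get(direction, []))


def allowed(src: Endpoint, dst: Endpoint, protocol: str, port: int) -> bool:
    """A flow needs both the source's egress and the destination's ingress to allow it."""
    return (_side_allowed(src, dst, "egress", protocol, port)
            and _side_allowed(dst, src, "ingress", protocol, port))


# 6. Verification checklist: intended paths must work, deliberately disallowed ones must fail.
CHECKLIST = [
    ("web -> api:8080 (intended)", WEB, API, "TCP", 8080, True),
    ("web -> kube-dns:53/UDP (DNS egress)", WEB, DNS, "UDP", 53, True),
    ("prometheus -> api:9090 (second ingress policy, OR)", PROM, API, "TCP", 9090, True),
    ("api -> postgres:5432 (ipBlock)", API, POSTGRES, "TCP", 5432, True),
    ("api -> gateway:5432 (ipBlock except)", API, GATEWAY, "TCP", 5432, False),
    ("billing -> api:8080 (cross-namespace caller not allowed)", BILLING, API, "TCP", 8080, False),
    ("prometheus -> api:8080 (right caller, wrong port)", PROM, API, "TCP", 8080, False),
    ("api -> web:8080 (reverse direction)", API, WEB, "TCP", 8080, False),
]


def run_checklist() -> dict:
    """Map each check to whether the evaluator's verdict matched the expectation."""
    return {name: allowed(s, d, proto, port) == want for name, s, d, proto, port, want in CHECKLIST}
```

Run `run_checklist()` and every entry should come back True. The evaluator only models the policy semantics (selection, OR-combination, ipBlock with except, bare podSelector scoped to the policy's namespace); on a real cluster the same checklist is what to drive with `kubectl exec` plus curl or nc from each source pod, because whether egress is enforced at all depends on the CNI, as the prompt's input list notes.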
