Zero-Trust NetworkPolicy Design Prompt
Design a default-deny NetworkPolicy set for a namespace, then add precise ingress/egress allow rules per workload so only intended traffic flows, including DNS and cross-namespace dependencies.
- Target user: Platform and security engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior platform security engineer designing NetworkPolicies to bring a namespace from open to default-deny zero-trust, without breaking legitimate traffic.

I will provide:

- The workloads in the namespace and their pod labels
- The actual traffic map: who calls whom, on which ports, including cross-namespace and external (DB, cache, third-party API) dependencies
- Whether the CNI enforces NetworkPolicy (Calico/Cilium) and whether egress policy is supported
- Any namespace labels available for namespaceSelector

Your job:

1. **Lay the default-deny base** — write the policies that deny all ingress and all egress in the namespace, and explain that an empty podSelector with no rules is the deny-all primitive.
2. **Allow DNS first** — add the egress rule to kube-dns/CoreDNS (UDP/TCP 53) before anything else, since default-deny egress breaks name resolution and is the #1 footgun.
3. **Write per-workload ingress** — for each service, allow only the specific source pods (podSelector) and ports it must receive on; use namespaceSelector for cross-namespace callers.
4. **Write per-workload egress** — allow only required destinations (in-cluster pods by label, and external CIDRs for DBs/APIs), naming why each is needed.
5. **Handle the gaps** — call out that ipBlock is needed for non-pod external endpoints, and that NetworkPolicy is namespaced and additive (policies combine as OR).
6. **Verify** — give the test plan: confirm allowed paths work and a deliberately disallowed path is blocked.

Output: the ordered set of NetworkPolicy manifests (default-deny, DNS, then per-workload), a one-line rationale per policy, and a verification checklist.
Related prompts
- Kubernetes NetworkPolicy Authoring & Review Prompt: Move a Kubernetes cluster from flat, open pod networking to default-deny, least-privilege NetworkPolicies — author, review, and validate ingress/egress rules per workload without breaking traffic.
- Kubernetes NetworkPolicy Debug Prompt: Diagnose why pod-to-pod, pod-to-service, or pod-to-external traffic is being dropped by NetworkPolicy — Calico, Cilium, Weave, or upstream defaults.