What is Kubernetes network policy?

Why Interviewers Ask This

Mid-level Kubernetes (K8s) roles require deep understanding of this topic. Interviewers ask this to separate candidates who truly understand the mechanics from those who only know surface-level concepts.

Answer

Kubernetes Network Policies are Kubernetes objects that control traffic flow between pods, using pod/namespace selectors and port specifications. Without Network Policies, all pods can communicate with all other pods cluster-wide: the default is "allow all."

Network Policy spec:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: api-network-policy
      namespace: production
    spec:
      podSelector:
        matchLabels:
          app: api                    # Apply to pods with this label
      policyTypes: [Ingress, Egress]
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              environment: production   # From any pod in namespaces labelled environment=production
        - podSelector:
            matchLabels:
              role: frontend            # From frontend pods (in this policy's namespace)
        - ipBlock:
            cidr: 203.0.113.0/24
            except: [203.0.113.5/32]
        ports:
        - protocol: TCP
          port: 3000
      egress:
      - to:
        - podSelector:
            matchLabels:
              app: postgres
        ports:
        - protocol: TCP
          port: 5432
      - to: []                          # Empty "to" matches all destinations
        ports:
        - protocol: TCP
          port: 443                     # Allow HTTPS egress to internet

Default deny-all pattern: create a NetworkPolicy selecting all pods in a namespace (podSelector: {}) with policyTypes [Ingress, Egress] and no ingress/egress rules. This blocks all traffic for those pods; then create specific allow policies on top. This is defense-in-depth.

Requirement: Network Policies only work with CNI plugins that enforce them (Calico, Cilium, Weave; NOT Flannel alone). On a cluster whose CNI does not enforce them, the objects are accepted by the API server but have no effect.

Namespaces and selectors: a namespaceSelector and a podSelector placed in the same "from" (or "to") element combine with AND logic (pods matching the podSelector inside namespaces matching the namespaceSelector); separate "from" elements combine with OR logic. A podSelector on its own only matches pods in the policy's own namespace.

Cilium: extends Network Policy with L7 policy (allow only specific HTTP paths/methods, DNS-based policies).
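The selector semantics above (default allow-all when no policy selects a pod, default deny from an empty-rule policy, AND within one "from" element versus OR across elements) are easy to get wrong when reading YAML. The following is an added example, not code from the original answer or from Kubernetes itself: a small Python evaluator that models those ingress rules over a constructed cluster state. It only handles matchLabels selectors and ingress (no matchExpressions, no ipBlock, no egress), and the pods, namespace labels and policy names are all constructed for the illustration.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics (added example).

Models only matchLabels selectors and Ingress rules, enough to show:
  * no policy selecting a pod              -> default allow-all
  * an empty-rule policy (podSelector: {}) -> default deny
  * namespaceSelector + podSelector in ONE peer element -> AND
  * separate peer elements in the same "from" list     -> OR
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels for the sample cluster.
NAMESPACE_LABELS = {
    "production": {"environment": "production"},
    "staging": {"environment": "staging"},
}


def selector_matches(match_labels, labels):
    """An empty selector ({}) matches everything, as in the real API."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_matches(peer, src, policy_ns):
    """Does one element of a 'from' list admit pod `src`?"""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled in this toy
    if ns_sel is not None:
        ns_labels = NAMESPACE_LABELS.get(src.namespace, {})
        if not selector_matches(ns_sel.get("matchLabels", {}), ns_labels):
            return False
    elif src.namespace != policy_ns:
        return False  # a lone podSelector only matches the policy's own namespace
    if pod_sel is not None and not selector_matches(pod_sel.get("matchLabels", {}), src.labels):
        return False
    return True  # both conditions present in one peer => AND


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """True if traffic src -> dst:port is admitted by the given policies."""
    isolating = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and selector_matches(p["spec"].get("podSelector", {}).get("matchLabels", {}), dst.labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not isolating:
        return True  # nothing selects dst: cluster default is allow-all
    for p in isolating:  # policies are additive: any matching rule admits the flow
        for rule in p["spec"].get("ingress", []):
            from_ok = "from" not in rule or any(
                peer_matches(peer, src, dst.namespace) for peer in rule["from"])
            ports = rule.get("ports")
            port_ok = not ports or any(
                pp.get("protocol", "TCP") == protocol and pp.get("port") == port for pp in ports)
            if from_ok and port_ok:
                return True
    return False  # isolated for ingress and no rule matched


# Constructed policies. DEFAULT_DENY has no rules at all.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "production"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

# Two separate peers: production namespaces OR frontend pods in this namespace.
API_POLICY_OR = {"metadata": {"name": "api-or", "namespace": "production"},
                 "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                          "policyTypes": ["Ingress"],
                          "ingress": [{"from": [
                              {"namespaceSelector": {"matchLabels": {"environment": "production"}}},
                              {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                              "ports": [{"protocol": "TCP", "port": 3000}]}]}}

# One peer with both selectors: frontend pods AND production namespaces.
API_POLICY_AND = {"metadata": {"name": "api-and", "namespace": "production"},
                  "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                           "policyTypes": ["Ingress"],
                           "ingress": [{"from": [
                               {"namespaceSelector": {"matchLabels": {"environment": "production"}},
                                "podSelector": {"matchLabels": {"role": "frontend"}}}],
                               "ports": [{"protocol": "TCP", "port": 3000}]}]}}

API = Pod("api-0", "production", {"app": "api"})
FRONTEND_PROD = Pod("frontend-0", "production", {"role": "frontend"})
FRONTEND_STAGING = Pod("frontend-1", "staging", {"role": "frontend"})
BATCH_PROD = Pod("batch-0", "production", {"role": "batch"})

if __name__ == "__main__":
    for name, pols in [("none", []), ("deny", [DEFAULT_DENY]),
                       ("OR", [DEFAULT_DENY, API_POLICY_OR]), ("AND", [DEFAULT_DENY, API_POLICY_AND])]:
        for src in (FRONTEND_PROD, BATCH_PROD, FRONTEND_STAGING):
            print(f"{name:4} {src.name:11} -> api:3000  {ingress_allowed(pols, src, API, 3000)}")
```

Run as a script it prints the allow/deny matrix for each policy set; the key lines to compare are batch-0 under "OR" (admitted, because it sits in a production namespace) versus under "AND" (denied, because it is not a frontend pod). One practical caveat when applying the default-deny pattern on a real cluster: the egress half also blocks DNS, so a companion policy allowing UDP and TCP port 53 to the cluster DNS pods is normally required before application traffic works at all.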

Pro Tip

This topic has Kubernetes (K8s)-specific nuances that differ from general programming. Highlighting those nuances in your answer shows expertise rather than generic knowledge.