Network Policy
The pattern: an explicit, label-selected allowlist for which workloads can reach which workloads, on which ports, in which direction (ingress and egress). Default-deny in tenant namespaces; explicit allow rules for legitimate traffic. Kubernetes NetworkPolicy is an L3/L4 control: a pod that no policy selects is non-isolated and accepts and sends anything, so without it a single compromised pod can reach every other pod in the cluster. Enforcement is the CNI's job, not the API server's; a cluster whose CNI does not implement NetworkPolicy will accept the objects and enforce nothing, so verify enforcement rather than assuming it.
The trade-off: security vs. iteration friction. Default-deny is secure but breaks every new connection until you write the policy; the first thing it breaks is name resolution, because egress default-deny also drops traffic to cluster DNS until that is explicitly allowed. Default-allow is friction-free but means lateral movement is trivial. The right answer is default-deny plus a fast loop for adding policies (PR-reviewable manifests, tested before rollout, and blocked flows visible in telemetry so a deny shows up as a logged drop rather than a mystery timeout).
Deepens in Year 1 Phase 7: Kubernetes + GitOps — Cilium NetworkPolicy + a default-deny + explicit-allow exercise. The networking substrate it depends on is laid down in Year 1 Phase 2: Networking, and policy-violation telemetry (drops, denies, flow logs) lands in Year 3 Phase 14: Observability + eBPF.
Related patterns
- zero-trust-networking — the strategic frame; NetworkPolicy is one tactical control.
- service-mesh — L7 authz policies layer on top of L3/L4 NetworkPolicy.
- routing-and-addressing — the layers policies actually filter on.
- least-privilege — the parent principle expressed in network terms.
- defense-in-depth — NetworkPolicy is one layer; identity, mTLS, and runtime controls are others.
- fault-isolation — segmentation as a blast-radius control.