How do you implement Kubernetes network policies for micro-segmentation and security?

Network policies provide micro-segmentation in Kubernetes by controlling traffic flow between pods, namespaces, and external endpoints using label selectors and rules.\n\nNetwork Policy Components:\n• Pod selector: Target pods for policy application\n• Policy types: Ingress and/or egress rules\n• Ingress rules: Allowed incoming traffic\n• Egress rules: Allowed outgoing traffic\n• Namespace selector: Cross-namespace communication\n\nTraffic Control Mechanisms:\n• Default deny: Block all traffic by default\n• Whitelist approach: Explicitly allow required traffic\n• Label-based selection: Dynamic policy application\n• Port and protocol specification: Fine-grained control\n\nExample Network Policy:\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: web-netpol\n namespace: production\nspec:\n podSelector:\n matchLabels:\n app: web\n policyTypes:\n - Ingress\n - Egress\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: frontend\n ports:\n - protocol: TCP\n port: 8080\n\nImplementation Strategy:\n• Start with monitoring mode\n• Implement gradually per namespace\n• Test thoroughly before enforcement\n• Document policy decisions\n• Regular policy audits\n\nBest Practices:\n• Use CNI plugins that support network policies\n• Implement defense in depth\n• Monitor policy violations\n• Automate policy generation\n• Regular security reviews