Skillshub managing-network-policies
install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/jeremylongshore/claude-code-plugins-plus-skills/managing-network-policies" ~/.claude/skills/comeonoliver-skillshub-managing-network-policies && rm -rf "$T"
manifest:
skills/jeremylongshore/claude-code-plugins-plus-skills/managing-network-policies/SKILL.mdsource content
Managing Network Policies
Overview
Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.
Prerequisites
- Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
configured with permissions to create and manage NetworkPolicy resourceskubectl- Pod labels consistently defined across deployments for accurate selector targeting
- Service communication map documenting which pods need to talk to which pods on which ports
- Understanding of DNS requirements (pods need egress to kube-dns on port 53 for name resolution)
Instructions
- Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
- Start with a default-deny policy for both ingress and egress in each namespace to establish zero-trust baseline
- Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
- Always include a DNS egress rule allowing traffic to
namespace on UDP/TCP port 53 for CoreDNSkube-system - Define egress rules for external API access: use CIDR blocks or namespaceSelector for known external services
- Apply policies to a test namespace first and verify connectivity with
curl/wget commandskubectl exec - Monitor for blocked traffic in the CNI plugin logs (Calico:
, Cilium:calicoctl node status
)cilium monitor - Iterate on policies: add missing allow rules for any legitimate traffic that gets blocked
- Document each policy with annotations explaining the business reason for the allowed communication
Output
- Default-deny NetworkPolicy manifests for ingress and egress per namespace
- Allow-list NetworkPolicy manifests for each service communication path
- DNS egress policy allowing pod name resolution
- External access egress policies with CIDR blocks
- Connectivity test commands for validation
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Default-deny applied without corresponding allow rules | Apply allow rules before or simultaneously with deny policies; verify with |
| Missing egress rule for kube-dns/CoreDNS | Add egress policy allowing UDP and TCP port 53 to |
| Label mismatch between policy selector and pod labels | Verify labels with |
| CNI plugin does not support NetworkPolicy or policy in wrong namespace | Verify CNI support with |
| Policy allows traffic but connection pool or timeout settings too aggressive | Check if the issue is network policy or application-level; test with |
Examples
- "Create a default-deny policy for the
namespace, then add allow rules so only the ingress controller can reach web pods on port 443."production - "Generate egress policies that restrict the API pods to communicate only with PostgreSQL (port 5432), Redis (port 6379), and external HTTPS APIs."
- "Build a complete set of network policies for a 3-tier app: frontend -> API (8080), API -> database (5432), API -> cache (6379), all pods -> DNS (53)."
Resources
- Kubernetes NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Calico network policy: https://docs.tigera.io/calico/latest/network-policy/
- Cilium network policy: https://docs.cilium.io/en/stable/security/policy/
- Network policy editor (visual): https://editor.networkpolicy.io/