Default Deny Network Policy
A zero-trust NetworkPolicy that blocks all ingress and egress traffic by default, forcing explicit allow rules for every traffic flow.
Overview
This template deploys a default-deny-all NetworkPolicy that blocks both ingress and egress traffic for every pod in the target namespace. By default, Kubernetes allows all pod-to-pod communication across the entire cluster. This policy enforces a zero-trust networking model in which no traffic flows unless it is explicitly permitted.
Security threat addressed: Without a default deny policy, a compromised pod can scan and connect to every other service in the cluster, enabling lateral movement and data exfiltration.
When to use: Apply this as the very first NetworkPolicy in every namespace. Layer additional allow rules on top to permit only the traffic your application requires.
Threat Model
- Lateral movement prevention: An attacker who compromises a single pod cannot scan or reach other internal services (databases, caches, APIs) because all traffic is blocked by default.
- Data exfiltration blocking: Outbound connections to attacker-controlled servers are denied, preventing stolen data from leaving the cluster.
- Network reconnaissance defense: Port scanning and service discovery within the cluster are blocked, forcing attackers to operate blind.
MITRE ATT&CK:
- T1046 — Network Service Scanning: Without deny-all, attackers scan and pivot across all services.
Real-world scenario: An SSRF vulnerability in a frontend application allows an attacker to make requests to internal services. With default deny, those requests are blocked at the network level regardless of the application vulnerability.
YAML Source
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default  # ACTION REQUIRED: Change this to your target namespace
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {}  # Selects ALL pods in the namespace
  policyTypes:
    - Ingress  # Blocks incoming traffic
    - Egress   # Blocks outgoing traffic
# By default, Kubernetes allows ALL traffic between ALL pods in the cluster.
# If one pod is compromised, an attacker can scan and attack your entire internal network.
#
# This policy implements a "Zero Trust" model by blocking everything.
# You must then explicitly allow only the traffic you need (e.g., allow DNS, allow Frontend -> Backend).
Installation
kubectl:
kubectl apply -f 01_default_deny_netpol.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# Verify the NetworkPolicy exists in your namespace
# (a NetworkPolicy is only enforced if the cluster's CNI plugin supports it; otherwise the object is accepted but has no effect)
kubectl get networkpolicies -n <namespace>
# Check policy details
kubectl describe networkpolicy default-deny-all -n <namespace>
# Test that egress is blocked (should time out; with no DNS allow rule, name resolution itself fails first)
kubectl exec -n <namespace> <pod-name> -- wget -q -O- --timeout=2 http://google.com 2>&1
# Test that pod-to-pod traffic is blocked (should time out)
kubectl exec -n <namespace> <pod-name> -- wget -q -O- --timeout=2 http://<other-service>:8080 2>&1
CIS Benchmark References
- 5.3.2 — Ensure that all Namespaces have NetworkPolicies defined. This template directly satisfies this control by providing a baseline deny-all policy.
MITRE ATT&CK References
- T1046 — Network Service Scanning: Attackers use network scanning tools (nmap, netcat) to discover accessible services after gaining initial access. Default deny prevents service discovery across namespace boundaries.
Further Reading
- Kubernetes Network Policies: The Complete Guide to Zero Trust Networking — Learn the theory behind default deny, DNS policies, namespace isolation, and complete 3-tier architecture examples.