Kubernetes Networking [high]

NetworkPolicy & DNS

NetworkPolicy is a pod-level firewall — controls which pods can talk to which other pods. DNS is provided by CoreDNS — pods resolve services by name.

Memory anchor

NetworkPolicy = velvet ropes at a club. By default, no ropes (everyone talks to everyone). Adding a policy = putting up ropes and a bouncer who checks your label-badge. CoreDNS = the club's intercom system — 'service-name, you have a visitor at the front.'

Expected depth

By default, all pods can communicate with all other pods in the cluster (no NetworkPolicy means allow all). A NetworkPolicy selects pods via podSelector and controls their ingress and egress with rules. An empty podSelector ({}) matches all pods in the namespace. DNS: service-name resolves within the same namespace; service-name.namespace resolves across namespaces; the FQDN is service-name.namespace.svc.cluster.local. Pod DNS: pod-ip.namespace.pod.cluster.local, where pod-ip is the pod's IP address with its dots replaced by dashes.

Deep — senior internals

NetworkPolicy is implemented by the CNI plugin, so not all CNIs support it (Flannel doesn't natively; Calico, Cilium and WeaveNet do). A default-deny policy (an empty ingress: [] block) denies all ingress to the selected pods; explicit policies must then open specific ports. Egress policies control outbound traffic the same way. Default-deny all plus an explicit allowlist is the secure baseline. CoreDNS runs as a Deployment in kube-system. ndots:5 in the pod's /etc/resolv.conf: a name with fewer than 5 dots is first tried with each search domain appended before the absolute name is queried, which can cause several extra DNS queries per lookup. DNS caching: a node-local DNS cache (NodeLocal DNSCache) reduces CoreDNS load in large clusters.

Interview-ready answer

NetworkPolicy is Kubernetes' microsegmentation — you can restrict which pods talk to which, down to port level. By default there are no restrictions. To implement least-privilege: (1) apply a default-deny policy to the namespace, (2) explicitly allow needed traffic. Important: NetworkPolicy only works if your CNI supports it — Calico or Cilium are the standard choices. DNS is provided by CoreDNS — services are reachable by short name within the same namespace, or fully-qualified name across namespaces.

Common trap

NetworkPolicy is NOT a firewall for all cluster traffic — it only applies to pod-to-pod and pod-to-service traffic. Traffic from outside the cluster (via Ingress/NodePort) is not controlled by NetworkPolicy directly. Also, NetworkPolicy does nothing if the CNI doesn't support it — installing policies on a Flannel cluster has no effect.