areas/devops/kubernetes/skills/network-policies/SKILL.md
Design and implement Kubernetes NetworkPolicy and Cilium network policies for namespace isolation and service-to-service access control.
Expertise: Kubernetes NetworkPolicy and Cilium policy design for multi-tenant namespace isolation and zero-trust traffic control.
Use when isolating a new namespace, allowing specific service-to-service communication, debugging traffic that is being blocked, or auditing inter-namespace access.
```yaml
# 1. Default deny-all (must be first)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: my-app
spec:
  podSelector: {} # matches ALL pods in namespace
  policyTypes: [Ingress, Egress]
---
# 2. Allow DNS (required for all pods)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: my-app
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    # no `to:` block, so port 53 is reachable at any destination;
    # add a `to:` with a namespaceSelector for kube-system to narrow it to the cluster DNS
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
---
# 3. Allow ingress from ingress controller
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: my-service
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
```
```yaml
# Allow order-service (in orders ns) to call payment-service (in payments ns)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-orders
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payment-service
  policyTypes: [Ingress]
  ingress:
    - from:
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # only app=order-service pods in the orders namespace match.
        # Splitting them into two `-` items would OR them and admit every pod in orders.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: orders
          podSelector:
            matchLabels:
              app: order-service
      ports:
        - port: 8080
```
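The two mistakes the manifests above are written to avoid (a namespace with no default deny, and a cross-namespace rule whose `namespaceSelector` and `podSelector` end up as separate peers and are therefore OR'ed) are easy to lint for. The following audit script is an added example, not part of this SKILL.md or of any project's code: it takes NetworkPolicy objects in their dict form (what `kubectl get networkpolicy -A -o json` returns under `.items`) and reports the gaps. The sample policies at the bottom are constructed for the demo, including a deliberately wrong variant of the `allow-from-orders` policy.

```python
"""Audit NetworkPolicy objects for two gaps: a namespace with no default deny,
and an ingress rule whose selectors are OR'ed (two peers) instead of AND'ed (one peer).

Added example, not part of the SKILL.md. Input is the dict form of each manifest,
i.e. what `kubectl get networkpolicy -A -o json` returns under .items; the sample
policies below are constructed for the demo.
"""
from collections import defaultdict


def policy_types(spec):
    """Effective policyTypes, applying the API default when the field is omitted."""
    declared = spec.get("policyTypes")
    if declared:
        return set(declared)
    types = {"Ingress"}            # Ingress is always implied
    if "egress" in spec:           # Egress only when egress rules are present
        types.add("Egress")
    return types


def denied_types(policy):
    """Directions this policy fully denies: it selects every pod and lists no rules for them."""
    spec = policy["spec"]
    if spec.get("podSelector", {}) != {}:
        return set()
    return {t for t in policy_types(spec) if not spec.get(t.lower())}


def peer_findings(policy):
    """Flag ingress peers that are broader than a service-to-service allow should be."""
    findings = []
    name = f'{policy["metadata"]["namespace"]}/{policy["metadata"]["name"]}'
    for i, rule in enumerate(policy["spec"].get("ingress") or []):
        peers = rule.get("from")
        if not peers:  # a rule without `from` admits every source
            findings.append(f"{name}: ingress rule {i} has no `from`, allows all sources")
            continue
        kinds = [frozenset(p) for p in peers]  # key sets of each peer
        if frozenset({"namespaceSelector"}) in kinds and frozenset({"podSelector"}) in kinds:
            findings.append(
                f"{name}: ingress rule {i} lists namespaceSelector and podSelector as "
                "separate peers (OR); put both in one peer to AND them"
            )
        for p in peers:
            if p.get("namespaceSelector") == {}:  # empty selector matches every namespace
                findings.append(f"{name}: ingress rule {i} has an empty namespaceSelector (every namespace)")
    return findings


def audit(policies):
    """Return human-readable findings for a list of NetworkPolicy dicts."""
    denied = defaultdict(set)
    findings = []
    for pol in policies:
        ns = pol["metadata"]["namespace"]
        denied[ns] |= denied_types(pol)   # also registers the namespace
        findings.extend(peer_findings(pol))
    for ns in sorted(denied):
        missing = {"Ingress", "Egress"} - denied[ns]
        if missing:
            findings.append(f"{ns}: no default deny for {', '.join(sorted(missing))}")
    return findings


def _np(ns, name, pod_selector, types, ingress=None):
    """Build a minimal NetworkPolicy dict (constructed test data helper)."""
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


ORDERS_NS = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "orders"}}}
ORDER_SVC = {"podSelector": {"matchLabels": {"app": "order-service"}}}
PAYMENT_PODS = {"matchLabels": {"app": "payment-service"}}

SAMPLE_POLICIES = [  # constructed
    _np("my-app", "default-deny-all", {}, ["Ingress", "Egress"]),
    # correct: one peer carrying both selectors (AND)
    _np("payments", "allow-from-orders", PAYMENT_PODS, ["Ingress"],
        [{"from": [{**ORDERS_NS, **ORDER_SVC}], "ports": [{"port": 8080}]}]),
    # mistaken variant: two peers (OR) admit every pod in orders plus every
    # app=order-service pod in payments itself
    _np("payments", "allow-from-orders-wrong", PAYMENT_PODS, ["Ingress"],
        [{"from": [ORDERS_NS, ORDER_SVC], "ports": [{"port": 8080}]}]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print(line)
```

Run against real output by loading `kubectl get networkpolicy -A -o json` and passing its `items` list to `audit()`; the `payments` namespace in the sample is reported both for the OR'ed peers and for lacking a default deny, while `my-app` is clean.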
```yaml
# Allow Prometheus in the monitoring namespace to scrape metrics
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prometheus-scrape
  namespace: my-app
spec:
  podSelector: {} # allow scraping all pods in ns
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 9090 # metrics port
```
```yaml
# Cilium L7 policy — allow only GET /api/* (not POST/DELETE)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: order-service-l7
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: order-service
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: /api/.* # regex matched against the request path
```
```bash
# Cilium: observe dropped packets in real-time (only traffic seen by that node's agent)
kubectl -n kube-system exec -it $(kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}') \
  -- cilium monitor --type drop
# Hubble (if installed): flows between pods
hubble observe --namespace my-app --verdict DROPPED
# Calico: check policy hits
kubectl exec -n kube-system <calico-node-pod> -- calicoctl get networkpolicy -n my-app
# Test connectivity manually
kubectl run test-pod --image=curlimages/curl -it --rm --restart=Never -- \
  curl -v http://payment-service.payments.svc.cluster.local:8080/health
```
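When `hubble observe --verdict DROPPED` shows a stream of drops, the useful next step is to aggregate them per source workload, destination and port, and to note which namespace owns the policy that made the decision (ingress drops are decided by policy in the destination namespace, egress drops by policy in the source namespace). The script below is an added example, not part of this SKILL.md: it reads the JSON lines that `hubble observe -o json` emits and produces that summary. The field names it reads (`flow.verdict`, `flow.drop_reason_desc`, `flow.traffic_direction`, `flow.l4.TCP.destination_port`, `flow.source.namespace`, `flow.source.labels`) are assumed from Hubble's flow output, and the sample lines are constructed, not captured from a cluster.

```python
"""Summarize dropped flows from `hubble observe -o json` so each drop points at
the namespace whose policy needs the allow rule.

Added example, not part of the SKILL.md. Field names follow Hubble's JSON flow
output as assumed here; the sample lines are constructed, not captured.
"""
import json
from collections import Counter

SAMPLE_FLOWS = [  # constructed; one JSON object per line, as hubble emits
    '{"flow":{"time":"2024-01-01T10:00:00Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED",'
    '"traffic_direction":"INGRESS","IP":{"source":"10.0.1.5","destination":"10.0.2.9"},'
    '"l4":{"TCP":{"source_port":51234,"destination_port":8080}},'
    '"source":{"namespace":"orders","pod_name":"order-service-7d9f5-abcde","labels":["k8s:app=order-service"]},'
    '"destination":{"namespace":"payments","pod_name":"payment-service-5c8a7-xyz12","labels":["k8s:app=payment-service"]}},'
    '"node_name":"node-a"}',
    '{"flow":{"time":"2024-01-01T10:00:01Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED",'
    '"traffic_direction":"INGRESS","IP":{"source":"10.0.1.6","destination":"10.0.2.9"},'
    '"l4":{"TCP":{"source_port":51235,"destination_port":8080}},'
    '"source":{"namespace":"orders","pod_name":"order-service-7d9f5-fghij","labels":["k8s:app=order-service"]},'
    '"destination":{"namespace":"payments","pod_name":"payment-service-5c8a7-xyz12","labels":["k8s:app=payment-service"]}},'
    '"node_name":"node-a"}',
    '{"flow":{"time":"2024-01-01T10:00:02Z","verdict":"FORWARDED",'
    '"traffic_direction":"INGRESS","IP":{"source":"10.0.3.2","destination":"10.0.2.9"},'
    '"l4":{"TCP":{"source_port":40000,"destination_port":8080}},'
    '"source":{"namespace":"ingress-nginx","pod_name":"ingress-nginx-controller-1","labels":["k8s:app=ingress-nginx"]},'
    '"destination":{"namespace":"payments","pod_name":"payment-service-5c8a7-xyz12","labels":["k8s:app=payment-service"]}},'
    '"node_name":"node-b"}',
    '{"flow":{"time":"2024-01-01T10:00:03Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED",'
    '"traffic_direction":"EGRESS","IP":{"source":"10.0.4.8","destination":"10.0.0.10"},'
    '"l4":{"UDP":{"source_port":53001,"destination_port":53}},'
    '"source":{"namespace":"my-app","pod_name":"web-66f-abc12","labels":["k8s:app=web"]},'
    '"destination":{"namespace":"kube-system","pod_name":"coredns-6d4b-x1","labels":["k8s:k8s-app=kube-dns"]}},'
    '"node_name":"node-b"}',
]


def parse_flow(line):
    """Hubble wraps each record as {"flow": {...}, "node_name": ...}; accept a bare flow too."""
    rec = json.loads(line)
    return rec.get("flow", rec)


def workload(endpoint):
    """namespace/app from the k8s:app= label, falling back to the pod name."""
    for label in endpoint.get("labels", []):
        if label.startswith("k8s:app="):
            return f'{endpoint.get("namespace", "?")}/{label[len("k8s:app="):]}'
    return f'{endpoint.get("namespace", "?")}/{endpoint.get("pod_name", "?")}'


def l4_target(flow):
    """(protocol, destination port) of the flow, or ("?", None) for non-L4 records."""
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return proto, l4[proto].get("destination_port")
    return "?", None


def summarize_drops(lines):
    """Count DROPPED flows keyed by src, dst, port, direction, reason and owning namespace."""
    counts = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow.get("verdict") != "DROPPED":
            continue
        direction = flow.get("traffic_direction", "?")
        src, dst = flow.get("source", {}), flow.get("destination", {})
        # An ingress drop is decided by policy in the destination namespace,
        # an egress drop by policy in the source namespace.
        owner = dst.get("namespace") if direction == "INGRESS" else src.get("namespace")
        proto, port = l4_target(flow)
        counts[(workload(src), workload(dst), proto, port, direction,
                flow.get("drop_reason_desc", "?"), owner)] += 1
    return counts


def report(counts):
    """One line per distinct drop, busiest first."""
    return [f"{n}x {src} -> {dst} {proto}/{port} {direction} {reason}: fix policy in namespace {owner}"
            for (src, dst, proto, port, direction, reason, owner), n in counts.most_common()]


if __name__ == "__main__":
    for line in report(summarize_drops(SAMPLE_FLOWS)):
        print(line)
```

Pipe live data in with `hubble observe --namespace my-app --verdict DROPPED -o json | python3 drops.py` after replacing `SAMPLE_FLOWS` with `sys.stdin`; grouping on the `app` label rather than the pod name keeps replicas of one deployment in a single row.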
Select namespaces with `namespaceSelector` on the `kubernetes.io/metadata.name` metadata label.