What is a NetworkPolicy, and what is the default Pod-to-Pod behaviour without one?
Kubernetes, Docker, Helm & Podman · Intermediate level
Answer
A NetworkPolicy selects Pods by label and declares which ingress and egress traffic those Pods may exchange. A Pod that no NetworkPolicy selects is non-isolated: by default it accepts traffic from, and can send traffic to, any other Pod in the cluster (allow-all). Enforcement is done by the CNI plugin, which restricts a Pod's traffic only once at least one policy selects it, so the allow-all default holds until the first policy is applied.
Technical explanation
Policies are additive: multiple policies combine allowed traffic rather than being evaluated in first-match order.
NetworkPolicy requires CNI support; creating policies with a CNI that ignores them gives a false sense of security.
Kubernetes networking separates identity and discovery from Pod IP churn by using Services, DNS, EndpointSlices, and routing rules.
Security is not automatic in the flat Pod network; NetworkPolicy and application auth are required for segmentation.
Cloud integrations such as EKS load balancers add provider-specific annotations, subnet tagging, health checks, and security group behavior.
Hands-on example
1. Deploy an app Pod and a temporary debug Pod, then apply a default-deny NetworkPolicy followed by allowlist policies. From the debug Pod, exercise the traffic path with nslookup, dig, and curl, and inspect the backing endpoints with kubectl get endpointslices.
2. Add or change Service, Ingress, CNI, or NetworkPolicy resources one at a time and observe the traffic path.
3. Validate both allowed and denied flows so you know the policy is actually enforced by the CNI.
4. Record the troubleshooting path from DNS to Service to endpoint to Pod logs.