What is network segmentation, and how do NetworkPolicies enforce it? [Advanced]
Answer
Network segmentation divides a network into zones so that compromising one workload does not automatically give the attacker reach into everything else. Kubernetes NetworkPolicy objects enforce segmentation at the pod level: a policy selects pods by label and lists the ingress and egress that those pods may exchange with other pods (matched by pod and namespace labels) or with IP blocks; everything not listed is dropped for the selected pods. The API server only stores the policy; the CNI plugin enforces it. A CNI without policy support accepts the object and changes nothing, so check enforcement rather than assuming it.
Technical explanation
By default every pod is non-isolated: it accepts connections from, and can open connections to, any other pod in the cluster regardless of namespace. A pod becomes isolated in a direction (ingress or egress) only once some NetworkPolicy selects it for that direction; from then on only traffic explicitly allowed by a policy selecting it gets through.
The robust pattern is a default deny policy (empty podSelector, policyTypes Ingress and Egress) in every namespace, followed by narrow allow rules for the traffic each workload actually needs. Policies are additive and allow-only: there is no deny rule, so the union of all allow rules that select a pod defines what it can reach. A default deny egress policy also cuts off name resolution, so the cluster DNS pods must be allowed explicitly.
NetworkPolicy operates at layer 3/4: pod and namespace labels, IP blocks, protocol and port. It cannot distinguish HTTP methods or paths and cannot verify the peer's identity beyond its network location. A service mesh adds layer 7 controls on top, such as mTLS workload identity and authorization policies that allow only specific methods and paths from a specific service account.
Hands-on example
Example: apply a default deny policy for ingress and egress in the payments namespace. Then add an ingress policy allowing only checkout pods to reach payments pods on TCP 8080, and an egress policy allowing payments pods to reach the database pods on TCP 5432 plus cluster DNS on port 53. Note that egress rules select the database pods, not the database Service: the Service's ClusterIP is rewritten to a backend pod IP before the CNI evaluates the policy.
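The three policies described above and in the technical explanation, written out as manifests. This is an added example, not from the original page. It assumes namespaces named payments, checkout and database, pod labels app=payments, app=checkout and app=postgres, CoreDNS pods in kube-system carrying the conventional label k8s-app=kube-dns, and the kubernetes.io/metadata.name namespace label that the API server sets automatically on Kubernetes 1.22 and later.

```yaml
# Added example (not from the original page). Assumed names: namespaces
# payments, checkout, database, kube-system; pod labels app=payments,
# app=checkout, app=postgres; CoreDNS pods labelled k8s-app=kube-dns.
---
# 1. Isolate every pod in the namespace in both directions. An empty
#    podSelector matches all pods; with no ingress/egress rules listed,
#    nothing is allowed in or out until another policy grants it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Only checkout pods in the checkout namespace may reach payments pods,
#    and only on TCP 8080. namespaceSelector and podSelector inside ONE
#    `from` item are ANDed. Listing them as two separate items would OR
#    them and admit every pod in the checkout namespace plus any
#    app=checkout pod anywhere in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-payments
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: checkout
          podSelector:
            matchLabels:
              app: checkout
      ports:
        - protocol: TCP
          port: 8080
---
# 3. Payments pods may open connections only to the database pods on
#    TCP 5432 and to cluster DNS on port 53. The rule selects the backend
#    pods, not the Service: the ClusterIP is DNATed to a pod IP before the
#    CNI evaluates egress policy. Without the DNS rule, default-deny egress
#    breaks name resolution and the pod cannot even look up the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-payments-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: database
          podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the file with `kubectl apply -f` and review the result with `kubectl -n payments describe networkpolicy`. Then verify enforcement rather than trusting the objects: from a pod that is not labelled app=checkout, a connection to a payments pod on port 8080 should time out, and from a payments pod, a connection to anything other than the database pods or DNS should fail. If those connections still succeed, the CNI is not enforcing NetworkPolicy and the manifests are doing nothing.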
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]