
WARNING: To use network policies, you must be using a network plugin which supports NetworkPolicy. Creating a NetworkPolicy resource without a controller that implements it will have no effect.

Only pods labeled app: coffeeshop (in the same namespace) can talk to the payment-processor API pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
spec:
  podSelector:            # pods this policy protects
    matchLabels:
      app: payment-processor
      role: api
  ingress:
  - from:
    - podSelector:        # allowed sources, same namespace only
        matchLabels:
          app: coffeeshop

Isolating all pods within a namespace:

# Deny all ingress and all egress traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {} # all pods in NS
  policyTypes:    # types of traffic
  - Ingress
  - Egress
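
An added example (not from the original notes and not Kubernetes code): a simplified Python model of how the two policies above are evaluated, limited to one namespace and `podSelector.matchLabels`. The function names and the `billing` pod are assumptions; it shows that policies are additive on ingress, but that `default-deny-all` still blocks coffeeshop's egress, so both policies together stop coffeeshop from reaching the API until an egress rule is added.

```python
# Simplified model of NetworkPolicy evaluation inside ONE namespace.
# Only podSelector.matchLabels is handled (no ports, ipBlock, namespaceSelector).

def matches(selector, labels):
    """An empty selector ({}) matches every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(policy):
    """Default when policyTypes is absent: Ingress, plus Egress if egress rules exist."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def side_allows(policies, kind, pod, peer):
    """Check one direction ('Ingress' or 'Egress') for `pod` talking with `peer`."""
    rules_key, peers_key = ("ingress", "from") if kind == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies
                 if kind in policy_types(p)
                 and matches(p["spec"].get("podSelector", {}), pod)]
    if not selecting:
        return True  # no policy selects the pod for this direction: not isolated
    for spec in selecting:  # policies are additive: any matching rule allows
        for rule in spec.get(rules_key, []):
            peers = rule.get(peers_key)
            if not peers or any("podSelector" in x and matches(x["podSelector"], peer)
                                for x in peers):
                return True
    return False

def connection_allowed(policies, src, dst):
    """Traffic flows only if src's egress AND dst's ingress both allow it."""
    return (side_allows(policies, "Egress", src, dst)
            and side_allows(policies, "Ingress", dst, src))

# The two policies from these notes, as dicts.
API_ALLOW = {"spec": {
    "podSelector": {"matchLabels": {"app": "payment-processor", "role": "api"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "coffeeshop"}}}]}]}}
DEFAULT_DENY_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

# Constructed sample pod labels; "billing" is a hypothetical third workload.
API, SHOP, OTHER = ({"app": "payment-processor", "role": "api"},
                    {"app": "coffeeshop"}, {"app": "billing"})

if __name__ == "__main__":
    both = [API_ALLOW, DEFAULT_DENY_ALL]
    print("api-allow only, coffeeshop -> api:", connection_allowed([API_ALLOW], SHOP, API))
    print("api-allow only, billing -> api:   ", connection_allowed([API_ALLOW], OTHER, API))
    print("both, coffeeshop -> api:          ", connection_allowed(both, SHOP, API))
```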
