🎯 What It Is

A NetworkPolicy ingress rule lets you allow traffic only from specific Pods (e.g., “only frontend can talk to backend”).

✅ This is the most common use case for NetworkPolicy in microservices apps.

💡 Real-World Analogy

Like a VIP list at a club:


🧪 Example: Allow Only frontend to Access backend

Assume you already have:

Step 1: Apply a NetworkPolicy to Allow Only frontend

# allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend          # ← Policy applies to backend Pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend     # ← Only Pods with this label can connect
    ports:
    - protocol: TCP
      port: 80

Apply it:

kubectl apply -f allow-frontend-to-backend.yaml

Step 2: Test Access

✅ From frontend → backend (should work):

kubectl exec deploy/frontend -- curl -m 3 http://backend
# ✅ Returns HTTP response

❌ From any other Pod → backend (should fail):

# Create a test Pod (not labeled as frontend)
kubectl run tester --image=busybox --rm -it -- sh
/ # wget -qO- http://backend
# ❌ Hangs or times out
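
Why the two tests above behave differently, shown as an added example (not part of the original page): a simplified Python model of how the policy's podSelector, from and ports fields are evaluated. The helper names (labels_match, ingress_allowed, pod) and the sample Pods are constructed for illustration, and the model assumes a CNI plugin that enforces NetworkPolicy.

```python
# Simplified model of NetworkPolicy ingress matching (added example).
# Only matchLabels podSelector peers and numeric ports are modelled.

POLICY = {  # the allow-frontend-to-backend policy from this page, as a dict
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def labels_match(selector, labels):
    """An empty selector matches every Pod; otherwise all pairs must match."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policy, src, dst, port, protocol="TCP"):
    """Return True if traffic src -> dst:port passes this single policy.

    src and dst are constructed Pods: dicts with "namespace" and "labels".
    """
    ns = policy["metadata"]["namespace"]
    spec = policy["spec"]
    selected = dst["namespace"] == ns and labels_match(spec["podSelector"], dst["labels"])
    if not selected or "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # destination Pod is not isolated by this policy
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        # A bare podSelector peer only matches Pods in the policy's own namespace.
        peer_ok = not peers or any(
            src["namespace"] == ns and labels_match(p["podSelector"], src["labels"])
            for p in peers)
        port_ok = not ports or any(
            p.get("protocol", "TCP") == protocol and p.get("port", port) == port
            for p in ports)
        if peer_ok and port_ok:
            return True
    return False  # isolated and no rule matched: traffic is dropped


def pod(app, namespace="default"):
    return {"namespace": namespace, "labels": {"app": app}}
```

For example, ingress_allowed(POLICY, pod("frontend", "staging"), pod("backend"), 80) returns False: a Pod labeled app: frontend in another namespace (here a made-up "staging") is not matched by a podSelector peer that has no namespaceSelector.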