🎯 What It Is

An egress rule in a NetworkPolicy restricts which destinations (other Pods, namespaces, or IP ranges) the selected Pods may open connections to, for example: "backend can only call the database, not the internet." As soon as a Pod is selected by any policy that lists Egress in policyTypes, every outgoing connection not explicitly allowed is dropped. Note that NetworkPolicy is enforced by the cluster's CNI plugin (Calico, Cilium and others support it); on a plugin without support, the object is accepted by the API server but has no effect, so always test the result.

✅ Limiting egress shrinks the blast radius of a compromised Pod: an attacker with code execution in backend cannot reach the internet to exfiltrate data or pull down tooling, and cannot scan the rest of the cluster. It is also a common compliance requirement.

💡 Real-World Analogy

Like a corporate firewall that lets workstations reach only the approved internal servers and blocks every other outbound connection.


🧪 Example: Allow Backend to Talk Only to Database

Assume you have, all in the default namespace:

- a Deployment named backend whose Pods carry the label app: backend
- a Deployment named database whose Pods carry the label app: database and listen on TCP 5432 (PostgreSQL)
- a Service named database in front of those Pods, so that backend can reach it by name
Step 1: Apply a NetworkPolicy to Restrict Egress from Backend

# restrict-backend-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend          # ← Policy applies to backend Pods in "default"
  policyTypes:
  - Egress                  # ← Control outgoing traffic only; ingress is untouched
  egress:
  - to:
    - podSelector:          # ← No namespaceSelector: matches Pods in "default" only
        matchLabels:
          app: database     # ← Only allow traffic to database Pods
    ports:
    - protocol: TCP
      port: 5432            # ← PostgreSQL port
  - to:                     # ← Also allow DNS, or Service names stop resolving
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns # ← Conventional CoreDNS label; verify with
                            #   kubectl -n kube-system get pods --show-labels
    ports:
    - protocol: UDP         # ← Resolvers query over UDP first; protocol defaults to TCP
      port: 53
    - protocol: TCP
      port: 53

Apply it:

kubectl apply -f restrict-backend-egress.yaml

Step 2: Test Outgoing Traffic

✅ From backend → database (should work; nc must exist in the backend image):

kubectl exec deploy/backend -- nc -zv database 5432
# ✅ Succeeded

❌ From backend → internet (should fail):

kubectl exec deploy/backend -- wget -qO- http://example.com --timeout=3
# ❌ Connection timed out

If this returns the page instead, your CNI plugin is not enforcing NetworkPolicy. If it fails with a name-resolution error rather than a timeout, DNS egress is being blocked; the policy must allow UDP and TCP port 53 to kube-dns in kube-system, otherwise the database test above fails the same way.
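To catch the DNS pitfall and a few other egress foot-guns before you run kubectl apply, here is a small static checker. It is an added example, not code from the original page or from any Kubernetes tooling. It works on a manifest already parsed into a dict (what yaml.safe_load returns); the two sample policies are constructed inline to mirror the page's backend-egress-policy, and the k8s-app: kube-dns and kubernetes.io/metadata.name labels are the conventional CoreDNS and namespace labels, which you should confirm in your own cluster.

```python
"""Static checks for the egress side of a Kubernetes NetworkPolicy.

Added example: not part of the page or of any Kubernetes tooling. Operates on
a manifest parsed into a dict (e.g. yaml.safe_load(open(path))).
"""
import copy

ANY_CIDRS = ("0.0.0.0/0", "::/0")


def effective_policy_types(spec):
    """Mirror the API's defaulting: with policyTypes omitted, Ingress is always
    included and Egress only when the spec carries an egress list."""
    types = spec.get("policyTypes")
    if types:
        return set(types)
    inferred = {"Ingress"}
    if "egress" in spec:
        inferred.add("Egress")
    return inferred


def port53_protocols(rule):
    """Protocols on which this egress rule lets port 53 through.

    No `ports` key means every port; an entry with no `port` means every port
    of that protocol; `protocol` defaults to TCP, so `port: 53` alone does not
    cover the UDP queries resolvers send first."""
    ports = rule.get("ports")
    if ports is None:
        return {"TCP", "UDP"}
    protos = set()
    for entry in ports:
        port = entry.get("port")
        if port is None or str(port) == "53" or "dns" in str(port).lower():
            protos.add(entry.get("protocol", "TCP"))
    return protos


def lint_egress(policy):
    """Return a list of (severity, message) findings for one NetworkPolicy."""
    meta = policy.get("metadata", {})
    name, ns = meta.get("name", "<unnamed>"), meta.get("namespace", "default")
    spec = policy.get("spec", {})
    findings = []
    if "Egress" not in effective_policy_types(spec):
        return findings  # this object does not restrict egress at all
    rules = spec.get("egress") or []
    if not rules:
        findings.append(("info", f"{name}: no egress rules, so all egress from selected Pods is denied"))
    dns = set()  # protocols on which some rule lets port 53 out (heuristic: peer is not checked)
    for i, rule in enumerate(rules):
        if not rule:  # `- {}` matches every destination on every port
            findings.append(("warn", f"{name}: egress[{i}] is empty and allows all egress; the policy restricts nothing"))
        for j, peer in enumerate(rule.get("to") or []):
            if "podSelector" in peer and "namespaceSelector" not in peer:
                findings.append(("info", f"{name}: egress[{i}].to[{j}] has no namespaceSelector, so it matches Pods in '{ns}' only"))
            block = peer.get("ipBlock") or {}
            if block.get("cidr") in ANY_CIDRS and not block.get("except"):
                findings.append(("warn", f"{name}: egress[{i}].to[{j}] ipBlock {block['cidr']} with no except reaches the whole internet"))
        dns |= port53_protocols(rule)
    if "UDP" not in dns:
        findings.append(("warn", f"{name}: no rule allows UDP/53, so selected Pods cannot resolve Service names (add a rule to kube-dns)"))
    return findings


# Constructed sample: the page's policy without a DNS rule.
PAGE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "backend-egress-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
             "ports": [{"protocol": "TCP", "port": 5432}]},
        ],
    },
}

# Constructed sample: the same policy plus a rule for CoreDNS in kube-system.
# Label names are the conventional ones; confirm with
# `kubectl -n kube-system get pods --show-labels` in your cluster.
DNS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
}
FIXED_POLICY = copy.deepcopy(PAGE_POLICY)
FIXED_POLICY["spec"]["egress"].append(DNS_RULE)

if __name__ == "__main__":
    for pol in (PAGE_POLICY, FIXED_POLICY):
        for sev, msg in lint_egress(pol):
            print(f"[{sev}] {msg}")
```

Run it on the page's policy and the missing UDP/53 rule is reported as a warning; on the fixed policy only the informational note about the same-namespace podSelector remains. The DNS check is deliberately a heuristic: it confirms that some rule lets UDP/53 out, not that the peer is actually CoreDNS, so a rule that opens UDP/53 to 0.0.0.0/0 will silence it while earning its own warning.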