Inferensys

Glossary

Kubernetes Network Policy

An application-centric construct in Kubernetes that specifies how pods are allowed to communicate with each other and other network endpoints, enforcing micro-segmentation for healthcare microservices.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
MICRO-SEGMENTATION

What is Kubernetes Network Policy?

A Kubernetes Network Policy is an application-centric construct that defines how groups of pods are authorized to communicate with each other and other network endpoints, enforcing micro-segmentation for healthcare microservices.

A Kubernetes Network Policy is a specification that controls the flow of traffic at the IP address or port level (OSI layer 3 and 4) within a cluster. It defines a set of allowed ingress (inbound) and egress (outbound) rules for a selected group of pods, using podSelector and namespaceSelector labels to identify the source and destination entities. By default, pods are non-isolated and accept all traffic; applying a policy immediately restricts connectivity to only what is explicitly permitted, establishing a default-deny posture essential for protecting electronic Protected Health Information (ePHI).

In a HIPAA-compliant healthcare architecture, Network Policies are the primary mechanism for enforcing Zero Trust principles between microservices, such as isolating a FHIR Resource Mapping service from a Clinical De-identification Pipeline. The policies are enforced by the cluster's Container Network Interface (CNI) plugin, which must support the NetworkPolicy API. This allows DevOps engineers to codify segmentation rules as Policy as Code, ensuring that a compromised data extraction pod cannot laterally access the Protected Health Information (PHI) stored in a separate database service, thereby satisfying the technical safeguards required under the HIPAA Security Rule.

MICRO-SEGMENTATION FOR HEALTHCARE

Key Features of Kubernetes Network Policies

Kubernetes Network Policies enforce zero-trust communication rules between pods, ensuring that healthcare microservices handling ePHI remain isolated from unauthorized access.

01

Pod-Level Micro-Segmentation

Network Policies operate at the pod level, not the host or IP level. This allows precise control over which microservices can communicate, enforcing the principle of least privilege. For example, a PHI-processing pod can be restricted to only accept ingress traffic from a specific FHIR API gateway pod on port 443, blocking all lateral movement from compromised services.

Pod-Level
Granularity
02

Namespace Isolation

Policies can isolate entire namespaces to create logical security boundaries between environments. A common healthcare pattern denies all ingress from other namespaces by default, then explicitly allows traffic only from an ingress controller namespace. This prevents a development pod from accidentally accessing production ePHI data stores.

03

Label-Based Selectors

Network Policies use Kubernetes labels to dynamically select pods and namespaces. This decouples security rules from ephemeral IP addresses. Key selector types:

  • podSelector: Targets specific application tiers (e.g., app: fhir-server)
  • namespaceSelector: Targets entire environments (e.g., environment: production)
  • ipBlock: Whitelists external CIDR ranges for egress to on-premise systems
04

Ingress and Egress Control

Policies independently govern ingress (inbound) and egress (outbound) traffic. A healthcare AI model pod can be configured to:

  • Ingress: Accept inference requests only from the clinical API gateway
  • Egress: Connect only to the encrypted PHI database and a specific model registry endpoint This bidirectional control prevents data exfiltration even if the pod is compromised.
05

Default Deny Posture

A foundational zero-trust pattern is the default deny-all policy. By applying a policy that denies all ingress and egress traffic to a namespace, you create a whitelist-only environment. Every allowed connection must then be explicitly defined, ensuring no implicit trust exists between services. This is a critical HIPAA technical safeguard for ePHI environments.

06

CNI Plugin Enforcement

Network Policies are enforced by the Container Network Interface (CNI) plugin, not by kube-proxy. To use policies, the cluster must have a compatible CNI like Calico, Cilium, or Weave Net. Cilium, for example, uses eBPF to enforce policies at the kernel level, providing deep observability and high-performance filtering for healthcare workloads.

KUBERNETES NETWORK POLICY

Frequently Asked Questions

Essential questions and answers about implementing Kubernetes Network Policies to enforce micro-segmentation and zero-trust networking for HIPAA-compliant healthcare workloads.

A Kubernetes Network Policy is an application-centric construct that defines how groups of pods are authorized to communicate with each other and other network endpoints. It operates as a firewall rule at the pod level, specifying ingress (inbound) and egress (outbound) traffic rules using label selectors to identify pods, namespaces, and IP blocks. The policy is enforced by the cluster's Container Network Interface (CNI) plugin, such as Calico, Cilium, or Weave Net, which must support NetworkPolicy enforcement. By default, Kubernetes allows all pod-to-pod traffic; a NetworkPolicy explicitly whitelists permitted connections, implementing a zero-trust networking model where only explicitly allowed traffic flows. For healthcare microservices processing Protected Health Information (PHI), this ensures that a clinical data extraction service can only communicate with the FHIR mapping service and the audit log, not with any other pod in the cluster.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.