managing-network-policies
tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill managing-network-policiesExecute use when managing Kubernetes network policies and firewall rules. Trigger with phrases like "create network policy", "configure firewall rules", "restrict pod communication", or "setup ingress/egress rules". Generates Kubernetes NetworkPolicy manifests following least privilege and zero-trust principles.
Network Policy Manager
This skill provides automated assistance for network policy manager tasks.
Overview
Creates Kubernetes NetworkPolicy manifests to enforce least-privilege ingress/egress between pods and namespaces, and helps validate connectivity after changes.
Prerequisites
Before using this skill, ensure:
- Kubernetes cluster has network policy support enabled
- Network plugin supports policies (Calico, Cilium, Weave)
- Pod labels are properly defined for policy selectors
- Understanding of application communication patterns
- Namespace isolation strategy is defined
Instructions
- Identify Requirements: Determine which pods need to communicate
- Define Selectors: Use pod/namespace labels for policy targeting
- Configure Ingress: Specify allowed incoming traffic sources and ports
- Configure Egress: Define allowed outgoing traffic destinations
- Test Policies: Verify connectivity works as expected
- Monitor Denials: Check for blocked traffic in network plugin logs
- Iterate: Refine policies based on application behavior
Output
Network Policy Examples:
# {baseDir}/network-policies/allow-frontend-to-backend.yaml
## Overview
This skill provides automated assistance for the described functionality.
## Examples
Example usage patterns will be demonstrated in context.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
---
# Deny all ingress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- IngressEgress Policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-external-api
spec:
podSelector:
matchLabels:
app: api-client
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
name: external-services
ports:
- protocol: TCP
port: 443Error Handling
Policy Not Applied
- Error: Traffic still blocked/allowed contrary to policy
- Solution: Verify network plugin supports policies and policy is applied to correct namespace
DNS Resolution Fails
- Error: Pods cannot resolve DNS after applying policy
- Solution: Add egress rule allowing DNS traffic to kube-dns/coredns
No Communication After Policy
- Error: All traffic blocked unexpectedly
- Solution: Check for default-deny policies and ensure explicit allow rules exist
Label Mismatch
- Error: Policy not targeting intended pods
- Solution: Verify pod labels match policy selectors using
kubectl get pods --show-labels
Examples
- "Restrict namespace
prodso only the ingress controller can reach the web pods on 443." - "Create egress rules that allow the API to talk only to Postgres and Redis."
Resources
- Kubernetes NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Calico documentation: https://docs.projectcalico.org/
- Example policies in {baseDir}/network-policy-examples/
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.