At the recent Kubernetes Community Days (KCD) in San Francisco, Jim Bugwadia, co-founder of Nirmata and a maintainer of the CNCF project Kyverno, delivered a session on one of the most persistent challenges in platform engineering: the balancing act between developer agility and robust security. His talk, “Network Policy Nirvana,” provided a clear roadmap for taming the complexity of Kubernetes network security through automation and policy-as-code.

 

The Challenge: The Manual Toil of Network Policies

Jim began by framing the core problem. Platform teams are constantly caught between two competing needs:

• Developers require self-service and agility to ship features quickly.
• Security and compliance teams require guardrails and control to protect the platform.

 

Nowhere is this tension more apparent than with Kubernetes Network Policies. While essential for security, native Network Policies can be complex, error-prone, and difficult to manage at scale. By default, Kubernetes allows all pods to talk to each other, so securing a cluster requires a “deny-by-default” stance, which can be difficult to implement manually.

 

This leads to several pain points:

• Complexity: Managing countless YAML files for different applications is prone to error.
• Lack of Automation: Manual policy review creates bottlenecks and slows down development.
• Security Gaps: Misconfigurations can easily lead to unintended security vulnerabilities.

The Solution: Kyverno for Guardrails and Automation

Jim introduced Kyverno, a policy engine built for Kubernetes, as the solution. Instead of just thinking of network policies as “pod firewall rules,” he urged the audience to think of Kyverno policies as “guardrails and automation.”

 

The core idea is to use a simple, declarative Policy as Code with Kyverno to manage, validate, mutate, and even generate the more complex network policies automatically. This approach empowers platform teams to set high-level standards while giving developers the freedom to work within those secure boundaries.

 

Key Insights from the Live Demo

The highlight of the session was a live demo where Jim demonstrated how to achieve “Network Policy Nirvana” using a simple but powerful labeling strategy (workspace and tier).

 

Here are the key takeaways from the demo:

1. Validate and Standardize with validate Policies

Jim first showed how a simple Kyverno policy could enforce proper labeling. His attempt to create a new namespace without the required workspace and tier labels was immediately blocked. This simple validate rule ensures that every new resource conforms to the platform’s standards from the moment of creation.

 

2. Automate Configuration with mutate Policies

Once he created a namespace with the correct labels, he deployed a Redis pod. Instantly, a Kyverno mutate policy automatically applied the parent namespace’s labels to the pod. This eliminates the need for developers to remember to label every single pod, reducing cognitive load and preventing errors.

 

3. Generate Policies on the Fly with generate Policies

This was where the true power of automation became clear. Upon the creation of the new namespace, a Kyverno generate policy automatically created a default “deny-all” Cilium Network Policy within it. Later, when he added a simple allow-dns-traffic=true label to the namespace, Kyverno instantly generated a second network policy to allow DNS traffic. When the label was removed, the DNS policy was automatically cleaned up. This dynamic, event-driven automation is a game-changer for managing policies at scale.

 

4. Achieve True Application Segmentation

Finally, he tied it all together by deploying two instances of a “guestbook” application in two different workspaces (wks1 and wks2). The demo clearly showed that:

• Traffic within a workspace (e.g., wks1-frontend to wks1-backend) was successful.
• Traffic across workspaces (e.g., wks1-frontend to wks2-backend) timed out and failed.

 

This was achieved not by manually writing complex rules, but by letting Kyverno’s automation generate the correct, restrictive network policies based on the simple workspace label.

Conclusion: Empowering Platform Teams

Jim concluded by summarizing how Kyverno empowers platform engineering teams to:

• Simplify Kubernetes operations.
• Standardize and Automate security and best practices.
• Enable developer self-service and agility.
• Deliver robust security and compliance.

 

If you’re looking to move beyond the manual toil of managing network policies and create a truly scalable, secure, and self-service platform, this session is a must-watch.

You can learn more about the project at kyverno.io.