Kubernetes Network Policies

The Kubernetes NetworkPolicy API controls how groups of Pods communicate with each other and with external network endpoints. Policies define ingress and egress rules based on Pod selectors, namespace selectors, and IP blocks to implement network segmentation.

OpenAPI Specification

kubernetes-network-policies-openapi.yml
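---
# OpenAPI 3.1 description of the Kubernetes NetworkPolicy API
# (group networking.k8s.io, version v1).
openapi: 3.1.0
info:
  title: Kubernetes Services Kubernetes Network Policies API
  description: >-
    The Kubernetes NetworkPolicy API controls how groups of Pods communicate
    with each other and with external network endpoints. Policies define
    ingress and egress rules based on Pod selectors, namespace selectors, and
    IP blocks, allowing cluster operators to implement fine-grained network
    segmentation and zero-trust networking within a Kubernetes cluster.
  # Kubernetes release this document was written against; not a semver string.
  version: v1.32.0
  contact:
    name: Kubernetes Community
    url: https://kubernetes.io/community/
  termsOfService: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Kubernetes NetworkPolicy API Reference
  url: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/
servers:
  # In-cluster service DNS name of the API server; out-of-cluster clients use
  # the endpoint from their kubeconfig instead.
  - url: https://kubernetes.default.svc
    description: In-cluster Kubernetes API Server
tags:
  - name: NetworkPolicy
    description: >-
      NetworkPolicy resources controlling Pod-level traffic ingress and egress
      based on label selectors, namespace selectors, and IP CIDR blocks.
# Each list entry is an alternative: a request is authenticated by EITHER a
# bearer token OR a client certificate. Authentication only establishes the
# caller's identity; whether the caller may read or mutate NetworkPolicy
# objects is decided by the API server's authorization layer (e.g. RBAC),
# which is not expressed in this document.
security:
  - bearerAuth: []
  - clientCertificate: []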
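# Operations on the NetworkPolicy resource.
# NOTE(review): every operation below can additionally return 403 with a
# Status body when the caller is authenticated but not authorized for the
# verb/namespace; that response is not modeled here.
paths:
  /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies:
    get:
      operationId: listNamespacedNetworkPolicies
      summary: Kubernetes Services List NetworkPolicies in a namespace
      description: >-
        Returns a list of all NetworkPolicy objects in the specified namespace.
        Network policies are enforced by the CNI plugin and define which pods
        can send or receive network traffic.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/LabelSelector'
        - $ref: '#/components/parameters/FieldSelector'
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Continue'
        - $ref: '#/components/parameters/Watch'
      responses:
        '200':
          description: List of NetworkPolicy objects
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyList'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createNamespacedNetworkPolicy
      summary: Kubernetes Services Create a NetworkPolicy
      description: >-
        Creates a new NetworkPolicy in the specified namespace. Once created,
        the CNI plugin enforces the policy by allowing only the traffic
        explicitly permitted by ingress and egress rules.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicy'
      responses:
        '201':
          description: NetworkPolicy created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}:
    get:
      operationId: getNamespacedNetworkPolicy
      summary: Kubernetes Services Get a NetworkPolicy
      description: >-
        Returns the specified NetworkPolicy including its pod selector, ingress
        rules, egress rules, and policy types (Ingress, Egress, or both).
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
      responses:
        '200':
          description: NetworkPolicy details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: replaceNamespacedNetworkPolicy
      summary: Kubernetes Services Replace a NetworkPolicy
      description: >-
        Replaces the full specification of the specified NetworkPolicy. The CNI
        plugin re-evaluates the updated rules immediately for all pods selected
        by the policy.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicy'
      responses:
        '200':
          description: NetworkPolicy updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: patchNamespacedNetworkPolicy
      summary: Kubernetes Services Patch a NetworkPolicy
      # The request media type selects the patch semantics: RFC 7386 JSON merge
      # patch replaces list fields wholesale, strategic merge patch can merge them.
      description: >-
        Applies a partial update to the specified NetworkPolicy using JSON merge
        patch or strategic merge patch, selected by the request media type.
        Useful for adding or removing individual ingress or egress rules.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        # dryRun is accepted on patch as on create/replace.
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              type: object
          application/strategic-merge-patch+json:
            schema:
              type: object
      responses:
        '200':
          description: NetworkPolicy patched
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteNamespacedNetworkPolicy
      summary: Kubernetes Services Delete a NetworkPolicy
      description: >-
        Deletes the specified NetworkPolicy. Traffic previously restricted by
        this policy will no longer be affected once the policy is removed.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        # dryRun is accepted on delete as on create/replace.
        - $ref: '#/components/parameters/DryRun'
      responses:
        '200':
          description: NetworkPolicy deleted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /apis/networking.k8s.io/v1/networkpolicies:
    get:
      operationId: listNetworkPoliciesAllNamespaces
      summary: Kubernetes Services List NetworkPolicies across all namespaces
      description: >-
        Returns all NetworkPolicy objects across every namespace in the cluster.
        Useful for auditing network segmentation, identifying gaps in policy
        coverage, and reviewing cross-namespace traffic restrictions.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/LabelSelector'
        - $ref: '#/components/parameters/FieldSelector'
        - $ref: '#/components/parameters/Limit'
        # Same pagination contract as the namespaced list: limit + continue.
        - $ref: '#/components/parameters/Continue'
        - $ref: '#/components/parameters/Watch'
      responses:
        '200':
          description: List of NetworkPolicies across all namespaces
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyList'
        '401':
          $ref: '#/components/responses/Unauthorized'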
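components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      # Typically a service-account token (JWT) or a user token; the identity it
      # carries is what the API server authorizes.
      description: Kubernetes service account or user bearer token.
    clientCertificate:
      type: mutualTLS
      description: Client TLS certificate signed by the cluster CA.
  parameters:
    NamespaceParam:
      name: namespace
      in: path
      required: true
      description: Namespace name to scope the request.
      schema:
        type: string
        # Namespace names are RFC 1123 DNS labels: lowercase alphanumerics and
        # '-', at most 63 characters.
        maxLength: 63
        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
    NameParam:
      name: name
      in: path
      required: true
      description: Name of the NetworkPolicy resource.
      schema:
        type: string
        # NetworkPolicy names are RFC 1123 DNS subdomains, at most 253 characters.
        maxLength: 253
        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
    LabelSelector:
      name: labelSelector
      in: query
      description: Label selector to filter resources.
      schema:
        type: string
    FieldSelector:
      name: fieldSelector
      in: query
      description: Field selector to filter resources by field values.
      schema:
        type: string
    Limit:
      name: limit
      in: query
      description: Maximum number of items to return.
      schema:
        type: integer
        minimum: 1
    Continue:
      name: continue
      in: query
      # Opaque token copied from ListMeta.continue of the previous page.
      description: Pagination continuation token.
      schema:
        type: string
    Watch:
      name: watch
      in: query
      description: If true, stream watch events instead of returning a list.
      schema:
        type: boolean
    DryRun:
      name: dryRun
      in: query
      description: If 'All', validates without persisting the change.
      schema:
        type: string
        enum:
          - All
  # All error responses share the Status body shape.
  responses:
    BadRequest:
      description: Bad request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
    NotFound:
      description: Not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
  schemas: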
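    # Generic label selector used by podSelector and namespaceSelector.
    LabelSelector:
      type: object
      description: >-
        A label selector filtering pods or namespaces by their labels.
        Combines matchLabels equality requirements with matchExpressions
        set-based requirements using AND logic. An empty selector ({}) matches
        every object in scope: podSelector: {} selects all pods in the
        namespace and namespaceSelector: {} selects all namespaces, so review
        empty selectors carefully in allow rules.
      properties:
        matchLabels:
          type: object
          additionalProperties:
            type: string
          description: Key-value pairs that must all match on the target resource labels.
        matchExpressions:
          type: array
          description: Set-based requirements combined with AND logic.
          items:
            type: object
            required:
              - key
              - operator
            properties:
              key:
                type: string
                description: Label key the selector applies to.
              operator:
                type: string
                enum:
                  - In
                  - NotIn
                  - Exists
                  - DoesNotExist
                description: Relationship between the key and values.
              values:
                type: array
                items:
                  type: string
                description: >-
                  Values for In/NotIn operators; must be non-empty for those
                  operators and empty for Exists/DoesNotExist.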
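    IPBlock:
      type: object
      description: >-
        An IP block defined by a CIDR range with optional exceptions,
        used to allow or restrict traffic to or from specific IP ranges.
        Matching is done on the packet addresses the CNI plugin observes;
        traffic that passes through address-rewriting components (such as
        cluster ingress or egress gateways) may not carry the original
        source or destination IP, so ipBlock rules for such traffic are
        plugin-dependent.
      required:
        - cidr
      properties:
        cidr:
          type: string
          description: >-
            CIDR range to match. Examples: 192.168.1.0/24, 0.0.0.0/0,
            2001:db8::/32.
          # Coarse syntactic check only: IPv4 with prefix 0-32, or IPv6 with
          # prefix 0-128. Octet values are not range-checked and dotted
          # IPv4-mapped IPv6 forms are not accepted; the API server performs the
          # authoritative validation.
          pattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}/(3[0-2]|[12]?[0-9])$|^[0-9a-fA-F:]+/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'
        except:
          type: array
          description: >-
            CIDR ranges to exclude from the ipBlock. Must be within the
            cidr range.
          items:
            type: string
            # Same syntactic check as cidr.
            pattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}/(3[0-2]|[12]?[0-9])$|^[0-9a-fA-F:]+/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'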
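    NetworkPolicyPeer:
      type: object
      description: >-
        A network policy peer specifying a traffic source (in ingress rules)
        or destination (in egress rules). podSelector and namespaceSelector
        are AND'd when both are set; a podSelector alone is scoped to the
        policy's own namespace, and a namespaceSelector alone matches every
        pod in the selected namespaces. ipBlock is exclusive and cannot be
        combined with either selector in the same peer.
      properties:
        podSelector:
          $ref: '#/components/schemas/LabelSelector'
        namespaceSelector:
          $ref: '#/components/schemas/LabelSelector'
        ipBlock:
          $ref: '#/components/schemas/IPBlock'
      # Encodes the exclusivity rule: a peer that sets ipBlock together with
      # either selector is rejected.
      not:
        anyOf:
          - required:
              - ipBlock
              - podSelector
          - required:
              - ipBlock
              - namespaceSelector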
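    NetworkPolicyPort:
      type: object
      description: >-
        A port and protocol combination allowed by a network policy rule.
        Empty port/protocol fields match all ports and protocols.
      properties:
        protocol:
          type: string
          enum:
            - TCP
            - UDP
            - SCTP
          description: Network protocol. Defaults to TCP.
          default: TCP
        port:
          description: >-
            Port number or named port to match. If empty, all ports are matched.
            A named port is resolved against the container ports of each
            selected pod.
          oneOf:
            - type: integer
              minimum: 1
              maximum: 65535
            - type: string
        endPort:
          type: integer
          minimum: 1
          maximum: 65535
          description: >-
            End of a port range. If specified with port, allows all ports
            from port to endPort inclusive. port must then be a numeric port
            (not a named port) and endPort must be greater than or equal to
            port.
      # endPort is meaningless without a range start.
      dependentRequired:
        endPort:
          - port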
    # One allow-rule for inbound traffic; a pod's ingress is the union of all
    # such rules across the policies that select it.
    NetworkPolicyIngressRule:
      type: object
      description: >-
        An ingress rule allowing inbound traffic to selected pods
        from specified sources on specified ports.
        An empty from list allows traffic from all sources.
        An empty ports list allows all ports.
      properties:
        from:
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicyPeer'
          description: >-
            Allowed traffic sources. Items are OR'd together;
            within an item, podSelector and namespaceSelector are AND'd.
        ports:
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicyPort'
          description: 'Ports on which the ingress traffic is allowed.'
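    NetworkPolicyEgressRule:
      type: object
      description: >-
        An egress rule allowing outbound traffic from selected pods to
        specified destinations on specified ports. An empty to list allows
        traffic to all destinations. An empty ports list allows all ports.
      properties:
        to:
          type: array
          # Same combination semantics as an ingress rule's from list.
          description: >-
            Allowed traffic destinations. Items are OR'd together; within an
            item, podSelector and namespaceSelector are AND'd.
          items:
            $ref: '#/components/schemas/NetworkPolicyPeer'
        ports:
          type: array
          description: Ports to which the egress traffic is allowed.
          items:
            $ref: '#/components/schemas/NetworkPolicyPort'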
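    NetworkPolicySpec:
      type: object
      description: >-
        Specification of a NetworkPolicy defining which pods are selected,
        what policy types apply, and the ingress and egress rules.
      required:
        - podSelector
      properties:
        podSelector:
          $ref: '#/components/schemas/LabelSelector'
        policyTypes:
          type: array
          # Defaulting matters for deny-all policies: a policy that omits
          # policyTypes and has an empty egress list defaults to [Ingress],
          # which denies all ingress and leaves egress unrestricted. A deny-all
          # egress policy must therefore set policyTypes: [Egress] explicitly.
          description: >-
            Policy types that apply to this NetworkPolicy. If Ingress is
            specified, only explicitly allowed ingress traffic is permitted.
            If Egress is specified, only explicitly allowed egress traffic
            is permitted. When omitted, defaults to [Ingress], with Egress
            added only if at least one egress rule is present; an empty egress
            list does not add Egress.
          items:
            type: string
            enum:
              - Ingress
              - Egress
        ingress:
          type: array
          description: >-
            Ingress rules. Each rule allows traffic matching all of its
            conditions. An empty ingress list denies all ingress traffic to
            the selected pods when Ingress is among the policy types.
          items:
            $ref: '#/components/schemas/NetworkPolicyIngressRule'
        egress:
          type: array
          description: >-
            Egress rules. Each rule allows traffic matching all of its
            conditions. An empty egress list denies all egress traffic from
            the selected pods only when Egress is among the policy types,
            which must be set explicitly for a deny-all egress policy.
          items:
            $ref: '#/components/schemas/NetworkPolicyEgressRule'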
    # Top-level NetworkPolicy object: metadata plus the spec above.
    NetworkPolicy:
      type: object
      properties:
        apiVersion:
          const: 'networking.k8s.io/v1'
          type: string
        kind:
          const: 'NetworkPolicy'
          type: string
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          $ref: '#/components/schemas/NetworkPolicySpec'
      description: >-
        A NetworkPolicy describes how groups of pods are allowed to
        communicate with each other and other network endpoints.
        Policies are additive — if multiple policies select a pod,
        all rules are combined. Requires a CNI plugin that supports
        NetworkPolicy enforcement.
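    NetworkPolicyList:
      type: object
      description: A list of NetworkPolicy objects.
      required:
        - items
      properties:
        apiVersion:
          type: string
          # Pinned to the same group/version as the item type.
          const: networking.k8s.io/v1
        kind:
          type: string
          const: NetworkPolicyList
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicy'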
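    ObjectMeta:
      type: object
      description: Standard Kubernetes object metadata.
      properties:
        name:
          type: string
          description: Name of the object.
        namespace:
          type: string
          description: Namespace of the object.
        uid:
          type: string
          description: Unique server-assigned identifier.
        resourceVersion:
          type: string
          # Opaque; used for optimistic concurrency on replace and for watch.
          description: Internal version string.
        creationTimestamp:
          type: string
          format: date-time
          description: Creation timestamp.
        labels:
          type: object
          additionalProperties:
            type: string
          # Labels are what podSelector/namespaceSelector match against, so the
          # ability to edit labels on pods or namespaces changes which policies
          # apply to them.
          description: >-
            Label key-value pairs. Selectors in NetworkPolicy rules match on
            these labels.
        annotations:
          type: object
          additionalProperties:
            type: string
          description: Non-identifying metadata.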
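    ListMeta:
      type: object
      description: Metadata for list responses.
      properties:
        resourceVersion:
          type: string
          description: Resource version of the list; usable as a watch start point.
        continue:
          type: string
          # Echo this value in the continue query parameter to fetch the next page.
          description: Opaque continuation token for the next page, if any.
        remainingItemCount:
          type: integer
          description: Estimated number of items not returned in this page.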
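    Status:
      type: object
      description: Error or result status.
      properties:
        code:
          type: integer
          description: HTTP status code of the response.
        message:
          type: string
          description: Human-readable description of the status.
        reason:
          type: string
          description: Machine-readable reason for the status, when available.
        status:
          type: string
          enum:
            - Success
            - Failure
          description: Whether the operation succeeded or failed.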