K8SNETPOLICY: K8s Network Policy
A Kubernetes NetworkPolicy controlling ingress and egress traffic rules for pods within a namespace.
Default definition. This article describes the default K8SNETPOLICY definition shipped with DemandFlow. Administrators can add, remove, rename, or re-type fields, change which ones are required, and alter the layout from the Definitions screen in Settings. Your tenant's current schema may differ from what is shown here. To read the current definition at any time, GET the DEFINITION object whose id matches K8SNETPOLICY.
Entity properties
| Property | Value |
|---|---|
| Entity code | K8SNETPOLICY |
| Display name | K8s Network Policy |
| Plural | K8s Network Policies |
| Level | 407 |
Use cases
K8SNETPOLICY models the Kubernetes NetworkPolicy resource, which provides micro-segmentation at the pod level. The policyType multiselect (Ingress, Egress) reflects the two traffic directions a policy can govern; in Kubernetes, a direction that is listed isolates the selected pods for that direction, so only traffic matching one of the policy's rules is allowed, while a direction that is not listed is left unrestricted. The podSelector textarea is required because it defines which pods the policy applies to; an empty selector matches every pod in the namespace.
Fields
Policy Information
| Field | Type | Required | Notes |
|---|---|---|---|
| name | text | Yes | Policy Name. |
| namespace | reference → K8SNAMESPACE | Yes | Namespace. |
| policyType | array of enums | Yes | Valid ids: 1 (Ingress), 2 (Egress). |
| enabled | boolean | No | Enabled. |
| enforced | boolean | No | Enforced. |
Target Selection
| Field | Type | Required | Notes |
|---|---|---|---|
| podSelector | text (multi-line) | Yes | Label selector for target pods (JSON) |
| matchLabels | text (multi-line) | No | Labels to match (JSON) |
| affectedPods | number | No | Affected Pods. |
| affectedWorkloads | number | No | Affected Workloads. |
Ingress Configuration
| Field | Type | Required | Notes |
|---|---|---|---|
| defaultIngressAction | enum | No | Valid ids: 1 (Allow All), 2 (Deny All). |
| ingressRuleCount | number | No | Ingress Rule Count. |
| ingressRules | text (multi-line) | No | Complete ingress rules (JSON format) |
| allowedNamespaces | array of text | No | Allowed Namespaces. |
| allowedPodSelectors | text (multi-line) | No | Pod selectors that can access (JSON) |
| allowedPorts | text (multi-line) | No | Port and protocol rules (JSON) |
Egress Configuration
| Field | Type | Required | Notes |
|---|---|---|---|
| defaultEgressAction | enum | No | Valid ids: 1 (Allow All), 2 (Deny All). |
| egressRuleCount | number | No | Egress Rule Count. |
| egressRules | text (multi-line) | No | Complete egress rules (JSON format) |
| allowedDestinations | text (multi-line) | No | IP blocks and namespaces (JSON) |
| allowedDNS | text (multi-line) | No | DNS names allowed for egress |
| blockedPorts | text (multi-line) | No | Ports blocked for egress |
IP Block Rules
| Field | Type | Required | Notes |
|---|---|---|---|
| allowedIPBlocks | text (multi-line) | No | CIDR blocks allowed (one per line) |
| deniedIPBlocks | text (multi-line) | No | CIDR blocks denied (one per line) |
| internalOnly | boolean | No | Internal Traffic Only. |
| allowLoopback | boolean | No | Allow Loopback. |
Port Rules
| Field | Type | Required | Notes |
|---|---|---|---|
| defaultPorts | array of enums | No | Valid ids: 1 (HTTP (80)), 2 (HTTPS (443)), 3 (DNS (53)), 4 (MySQL (3306)), 5 (PostgreSQL (5432)), 6 (Redis (6379)), 7 (MongoDB (27017)). |
| customPorts | text (multi-line) | No | Custom port definitions (JSON) |
| protocolRestrictions | array of enums | No | Valid ids: 1 (TCP), 2 (UDP), 3 (SCTP). |
Advanced Configuration
| Field | Type | Required | Notes |
|---|---|---|---|
| labels | text (multi-line) | No | Key-value pairs (JSON) |
| annotations | text (multi-line) | No | Key-value pairs (JSON) |
| priority | number | No | Policy evaluation priority |
| direction | enum | No | Valid ids: 1 (Ingress), 2 (Egress), 3 (Both). |
Compliance & Logging
| Field | Type | Required | Notes |
|---|---|---|---|
| complianceFramework | array of enums | No | Valid ids: 1 (PCI DSS), 2 (HIPAA), 3 (SOC 2), 4 (ISO 27001), 5 (GDPR). |
| loggingEnabled | boolean | No | Enable Logging. |
| logLevel | enum | No | Valid ids: 1 (None), 2 (Basic), 3 (Detailed), 4 (Debug). |
| alertOnViolation | boolean | No | Alert on Violation. |
| blockOnViolation | boolean | No | Block on Violation. |
Policy Testing
| Field | Type | Required | Notes |
|---|---|---|---|
| testMode | boolean | No | Log but don't enforce |
| lastTestTime | datetime | No | Last Test. |
| testResults | text (multi-line) | No | Test Results. |
| simulationScenarios | text (multi-line) | No | Test scenarios (JSON) |
| violationCount | number | No | Violations (24h). |
| allowedConnections | number | No | Allowed Connections (24h). |
| blockedConnections | number | No | Blocked Connections (24h). |
| effectivenessScore | gauge | No | Effectiveness Score. |
Impact Analysis
| Field | Type | Required | Notes |
|---|---|---|---|
| affectedServices | array of text | No | Affected Services. |
| affectedIngresses | array of text | No | Affected Ingresses. |
| dependencyMap | text (multi-line) | No | Services and workloads affected |
| riskLevel | enum | No | Valid ids: 1 (Low), 2 (Medium), 3 (High), 4 (Critical). |
| lastRiskAssessment | datetime | No | Last Risk Assessment. |
Policy Metrics
| Field | Type | Required | Notes |
|---|---|---|---|
| evaluationsPerMinute | number | No | Evaluations/min. |
| avgEvaluationTime | number | No | Avg Evaluation Time (ms). |
| cacheHitRate | gauge | No | Cache Hit Rate %. |
| performanceImpact | gauge | No | Performance Impact %. |
| lastViolation | datetime | No | Last Violation. |
| violationTrend | enum | No | Valid ids: 1 (Decreasing), 2 (Stable), 3 (Increasing). |
| events | text (multi-line) | No | Last 50 policy events |
Relationships
- Lookups:
  - namespace points at a K8SNAMESPACE record.
Creating a K8s Network Policy via the API
```http
POST /v1/objects
Authorization: Bearer <your-pat>
Content-Type: application/json

{
  "entity": "K8SNETPOLICY",
  "level": 407,
  "comboKey": "SUB:<your-sub-id>|ENT:",
  "name": "Example",
  "namespace": "",
  "policyType": [1, 2],
  "podSelector": "..."
}
```

policyType is an array of enum ids (1 = Ingress, 2 = Egress), not a string; namespace carries the id of the K8SNAMESPACE record the policy belongs to; podSelector is the label selector serialised as a JSON string.
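The Use cases note and the field tables above describe how a Kubernetes NetworkPolicy maps onto the record: policyType ids, the JSON-string selectors, the per-direction default actions, the CIDR and namespace allow-lists. The following is an added example, not DemandFlow code and not part of this page's API reference, that builds the create payload from a NetworkPolicy manifest held as a Python dict. The enum ids are the ones listed in the tables; the Kubernetes semantics it encodes (a listed policyType isolates the selected pods, an omitted policyTypes defaults to Ingress plus Egress only when egress rules exist, a missing port protocol means TCP) are standard Kubernetes behaviour. The two manifests, the sub id and the namespace record id are constructed; the comboKey is filled in with the same shape the create example above uses.

```python
"""Build a K8SNETPOLICY create payload from a Kubernetes NetworkPolicy manifest.
Added example, not DemandFlow code; manifests below are constructed."""
import json
from typing import Any

POLICY_TYPE_IDS = {"Ingress": 1, "Egress": 2}    # policyType ids from the definition
DIRECTION_IDS = {(1,): 1, (2,): 2, (1, 2): 3}      # direction ids from the definition
ALLOW_ALL, DENY_ALL = 1, 2                          # default*Action ids
PROTOCOL_IDS = {"TCP": 1, "UDP": 2, "SCTP": 3}     # protocolRestrictions ids
NS_NAME_LABEL = "kubernetes.io/metadata.name"      # label kube-apiserver sets on every namespace
REQUIRED = ("name", "namespace", "policyType", "podSelector")


def effective_policy_types(spec: dict[str, Any]) -> list[str]:
    """Kubernetes default when policyTypes is omitted: Ingress is always
    governed, Egress only if the spec carries egress rules."""
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]


def _peers(rules: list[dict], key: str) -> list[dict]:
    """Flatten the from/to peer lists of all rules."""
    return [peer for rule in rules for peer in rule.get(key, [])]


def _ports(rules: list[dict]) -> list[dict]:
    return [port for rule in rules for port in rule.get("ports", [])]


def to_k8snetpolicy(manifest: dict[str, Any], sub_id: str, namespace_ref: str) -> dict[str, Any]:
    """Map a NetworkPolicy manifest (as a dict) onto the K8SNETPOLICY fields.
    namespace_ref is the id of the K8SNAMESPACE record the policy belongs to."""
    meta, spec = manifest["metadata"], manifest["spec"]
    ingress, egress = spec.get("ingress", []), spec.get("egress", [])
    types = effective_policy_types(spec)
    type_ids = sorted(POLICY_TYPE_IDS[t] for t in types)

    # A direction listed in policyTypes isolates the selected pods: only traffic
    # matching a rule is allowed, so its default is Deny All. A direction that
    # is not listed stays wide open (Allow All), which is the case to surface.
    ingress_default = DENY_ALL if "Ingress" in types else ALLOW_ALL
    egress_default = DENY_ALL if "Egress" in types else ALLOW_ALL

    in_peers, out_peers = _peers(ingress, "from"), _peers(egress, "to")
    allowed_cidrs: list[str] = []
    denied_cidrs: list[str] = []
    for peer in in_peers + out_peers:
        block = peer.get("ipBlock")
        if block:
            allowed_cidrs.append(block["cidr"])
            denied_cidrs.extend(block.get("except", []))
    allowed_ns = sorted(
        {p["namespaceSelector"].get("matchLabels", {}).get(NS_NAME_LABEL)
         for p in in_peers if p.get("namespaceSelector")} - {None}
    )
    # Kubernetes treats a port entry without a protocol as TCP.
    protocols = sorted({PROTOCOL_IDS[p.get("protocol", "TCP")] for p in _ports(ingress + egress)})

    record = {
        "entity": "K8SNETPOLICY",
        "level": 407,
        "comboKey": f"SUB:{sub_id}|ENT:",  # same shape as the page's create example
        "name": meta["name"],
        "namespace": namespace_ref,
        "policyType": type_ids,
        "direction": DIRECTION_IDS[tuple(type_ids)],
        "podSelector": json.dumps(spec.get("podSelector", {})),  # "{}" selects every pod
        "matchLabels": json.dumps(spec.get("podSelector", {}).get("matchLabels", {})),
        "defaultIngressAction": ingress_default,
        "defaultEgressAction": egress_default,
        "ingressRuleCount": len(ingress),
        "egressRuleCount": len(egress),
        "ingressRules": json.dumps(ingress),
        "egressRules": json.dumps(egress),
        "allowedNamespaces": allowed_ns,
        "allowedPorts": json.dumps(_ports(ingress)),
        "allowedIPBlocks": "\n".join(allowed_cidrs),
        "deniedIPBlocks": "\n".join(denied_cidrs),
        "protocolRestrictions": protocols,
    }
    missing = [f for f in REQUIRED if not record[f]]
    if missing:
        raise ValueError(f"required K8SNETPOLICY fields are empty: {missing}")
    return record


# Constructed sample: explicit policyTypes, a namespace-scoped ingress rule and
# an egress rule with an ipBlock carve-out.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "web-restrict", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {NS_NAME_LABEL: "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 8080}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.1.0/24"]}}],
                    "ports": [{"protocol": "UDP", "port": 53}]}],
    },
}

# Constructed sample: no policyTypes and no egress rules, so egress is not
# governed at all, plus an empty podSelector that selects every pod.
INGRESS_ONLY_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-from-web", "namespace": "shop"},
    "spec": {"podSelector": {},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]},
}

if __name__ == "__main__":
    print(json.dumps(to_k8snetpolicy(SAMPLE_POLICY, "sub-1", "ns-ref-1"), indent=2))
```

The check worth keeping is the pair of default actions: the second manifest lists no policyTypes and has no egress rules, so Kubernetes never isolates those pods for egress and the record correctly comes back with defaultEgressAction 1 (Allow All) even though every ingress default is Deny All. Posting the record is then the POST /v1/objects call shown above with this dict as the body.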
Listing K8s Network Policies
```http
# All records in your tenant
GET /v1/entities/K8SNETPOLICY/SUB:<your-sub-id>
```