Network Policies Overview
Network Policies in the MATIH platform implement a zero-trust network model where all pod-to-pod communication is denied by default and explicitly allowed only for known service dependencies. Policies are defined per service in Helm chart templates and enforce ingress, egress, and tenant isolation boundaries.
Network Policy Strategy
The MATIH platform follows a deny-all-then-allow approach:
- Default deny: A namespace-level policy denies all ingress and egress traffic
- Service-specific allow: Each service defines its own NetworkPolicy allowing only required communication paths
- Namespace isolation: Cross-namespace traffic is restricted to documented service dependencies
- Tenant isolation: Tenant namespaces cannot communicate with each other
Policy Architecture
```text
Default Deny (namespace-level)
  |
  +--> Service-specific policies (per Helm chart)
  |      |
  |      +--> Ingress rules (who can talk to me)
  |      +--> Egress rules (who can I talk to)
  |
  +--> Namespace-level cross-namespace rules
  |
  +--> Tenant isolation policies
```
Namespace Communication Matrix
| Source Namespace | Target Namespace | Allowed | Mechanism |
|---|---|---|---|
| matih-system | matih-data-plane | Yes | Cross-namespace policy |
| matih-data-plane | matih-system | Limited | Only API Gateway to control plane |
| matih-monitoring | All namespaces | Yes (scrape only) | Prometheus scrape policy |
| matih-ingress | matih-data-plane | Yes | Ingress controller policy |
| tenant-a | tenant-b | No | Tenant isolation |
| tenant-a | matih-data-plane | Limited | Shared service access |
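To make the deny-all-then-allow semantics behind this matrix concrete, the following is an added Python example (not MATIH platform code) that implements the Kubernetes NetworkPolicy evaluation rules: a pod that no policy selects is unrestricted, a selected pod is denied unless some rule in some selecting policy matches, and a flow needs both the source's egress and the destination's ingress to pass. It then evaluates several matrix rows against a constructed set of policies. The namespace names come from the matrix; the pod labels, the `matih.io/tier` namespace label, the ports and the policy contents are assumptions, while `kubernetes.io/metadata.name` and `k8s-app=kube-dns` are standard Kubernetes labels.

```python
"""Evaluate NetworkPolicy reachability in a small constructed MATIH-like cluster."""
from collections import namedtuple

Pod = namedtuple("Pod", "namespace labels")

# Constructed namespace labels. kubernetes.io/metadata.name is set by Kubernetes
# itself; matih.io/tier is an assumed label marking tenant namespaces.
NAMESPACE_LABELS = {
    "matih-ingress": {"kubernetes.io/metadata.name": "matih-ingress"},
    "matih-data-plane": {"kubernetes.io/metadata.name": "matih-data-plane"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "tenant-a": {"kubernetes.io/metadata.name": "tenant-a", "matih.io/tier": "tenant"},
    "tenant-b": {"kubernetes.io/metadata.name": "tenant-b", "matih.io/tier": "tenant"},
}

def ns_named(name):
    return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": name}}}

def policy(name, namespace, pod_selector, ingress=None, egress=None):
    """Build a NetworkPolicy dict; an empty rule list for a direction means deny-all."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress", "Egress"],
                     "ingress": ingress or [], "egress": egress or []}}

POLICIES = [
    # Namespace-level default deny (constructed for three namespaces).
    *(policy("default-deny", ns, {}) for ns in ("matih-data-plane", "tenant-a", "tenant-b")),
    # API gateway: ingress from the ingress controller and tenant namespaces on 8080,
    # egress only to cluster DNS.
    policy("api-gateway", "matih-data-plane", {"matchLabels": {"app": "api-gateway"}},
           ingress=[{"from": [ns_named("matih-ingress"),
                              {"namespaceSelector": {"matchLabels": {"matih.io/tier": "tenant"}}}],
                     "ports": [{"port": 8080, "protocol": "TCP"}]}],
           egress=[{"to": [{**ns_named("kube-system"),
                            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                    "ports": [{"port": 53, "protocol": "UDP"}]}]),
    # Tenants get "shared service access": the API gateway and nothing else.
    *(policy("allow-shared-services", ns, {},
             egress=[{"to": [{**ns_named("matih-data-plane"),
                              "podSelector": {"matchLabels": {"app": "api-gateway"}}}],
                      "ports": [{"port": 8080, "protocol": "TCP"}]}])
      for ns in ("tenant-a", "tenant-b")),
]

def selector_matches(selector, labels):
    """A missing or empty selector ({}) matches every object."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, policy_ns, other):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are out of scope for this example
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACE_LABELS.get(other.namespace, {})):
            return False
    elif other.namespace != policy_ns:
        return False  # a lone podSelector only matches pods in the policy's own namespace
    return pod_sel is None or selector_matches(pod_sel, other.labels)

def port_matches(rule, port, proto):
    ports = rule.get("ports") or []  # no ports listed means every port
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto
                            for p in ports)

def direction_allowed(policies, subject, other, direction, port, proto):
    rule_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == subject.namespace
                 and direction in p["spec"]["policyTypes"]
                 and selector_matches(p["spec"]["podSelector"], subject.labels)]
    if not selecting:
        return True  # Kubernetes default: a pod no policy selects is unrestricted
    return any((not rule.get(peer_key)
                or any(peer_matches(pe, subject.namespace, other) for pe in rule[peer_key]))
               and port_matches(rule, port, proto)
               for pol in selecting for rule in pol["spec"][rule_key])

def is_allowed(policies, src, dst, port, proto="TCP"):
    """The source's egress and the destination's ingress must both permit the flow."""
    return (direction_allowed(policies, src, dst, "Egress", port, proto)
            and direction_allowed(policies, dst, src, "Ingress", port, proto))

# Constructed pods standing in for the matrix's source and target namespaces.
INGRESS_CTRL = Pod("matih-ingress", {"app": "ingress-controller"})
API_GATEWAY = Pod("matih-data-plane", {"app": "api-gateway"})
KUBE_DNS = Pod("kube-system", {"k8s-app": "kube-dns"})
TENANT_A = Pod("tenant-a", {"app": "worker"})
TENANT_B = Pod("tenant-b", {"app": "worker"})

def check_matrix():
    """Evaluate the matrix rows modelled above; keys are 'source->destination'."""
    return {
        "matih-ingress->api-gateway": is_allowed(POLICIES, INGRESS_CTRL, API_GATEWAY, 8080),
        "tenant-a->api-gateway": is_allowed(POLICIES, TENANT_A, API_GATEWAY, 8080),
        "tenant-a->tenant-b": is_allowed(POLICIES, TENANT_A, TENANT_B, 8080),
        "api-gateway->tenant-b": is_allowed(POLICIES, API_GATEWAY, TENANT_B, 8080),
        "api-gateway->kube-dns": is_allowed(POLICIES, API_GATEWAY, KUBE_DNS, 53, "UDP"),
    }

if __name__ == "__main__":
    for flow, ok in check_matrix().items():
        print(f"{flow:28s} {'ALLOW' if ok else 'DENY'}")
```

The evaluator deliberately models the two gotchas that most often break a deny-by-default design: a policy with `policyTypes: [Ingress, Egress]` and no rules denies everything for the selected pods, and a `podSelector` peer without a `namespaceSelector` only ever matches the policy's own namespace, so cross-namespace dependencies must name the namespace explicitly.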
Standard Policy Template
Each MATIH Helm chart includes a NetworkPolicy template that follows this pattern:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-name
spec:
  podSelector:
    matchLabels:
      app: service-name
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from ingress controller
    # Allow from same namespace
    # Allow Prometheus scraping
  egress:
    # Allow DNS
    # Allow specific dependencies
```
Policy Enforcement
| CNI Plugin | NetworkPolicy Support | Used In |
|---|---|---|
| Azure CNI | Full | AKS (production) |
| Calico | Full | On-premises, multi-cloud |
| Cilium | Full + enhanced | Alternative for eBPF-based policies |
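The standard template above leaves its five rule slots as comments. The following added Python example (not code from the MATIH Helm charts) fills those slots into a complete NetworkPolicy manifest and lints a policy for departures from the deny-all-then-allow pattern, which is the check a reviewer wants regardless of which CNI enforces the result. The `matih-ingress` and `matih-monitoring` namespace names come from the communication matrix; `kube-system` with `k8s-app=kube-dns` is the usual cluster DNS convention; the service name, ports and dependency tuples are assumptions.

```python
"""Render the standard MATIH NetworkPolicy pattern and lint policies against it."""
import json

INGRESS_NS = "matih-ingress"      # from the namespace matrix
MONITORING_NS = "matih-monitoring"  # from the namespace matrix
DNS_NS = "kube-system"            # assumed location of cluster DNS

def ns_peer(namespace, pod_labels=None):
    """Peer selecting pods in one namespace, optionally narrowed by pod labels."""
    peer = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": namespace}}}
    if pod_labels:
        peer["podSelector"] = {"matchLabels": pod_labels}
    return peer

def render_service_policy(service, port, metrics_port=9090, dependencies=()):
    """Fill the five commented slots of the standard template.

    dependencies: iterable of (namespace, app_label, port) tuples the service is
    allowed to open connections to (egress). Names and ports are assumptions.
    """
    tcp = lambda p: [{"port": p, "protocol": "TCP"}]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": service},
        "spec": {
            "podSelector": {"matchLabels": {"app": service}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [
                # Allow from ingress controller
                {"from": [ns_peer(INGRESS_NS)], "ports": tcp(port)},
                # Allow from same namespace (a lone podSelector is namespace-scoped)
                {"from": [{"podSelector": {}}], "ports": tcp(port)},
                # Allow Prometheus scraping, but only of the metrics port
                {"from": [ns_peer(MONITORING_NS)], "ports": tcp(metrics_port)},
            ],
            "egress": [
                # Allow DNS (UDP and TCP) to the cluster DNS pods only
                {"to": [ns_peer(DNS_NS, {"k8s-app": "kube-dns"})],
                 "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]},
                # Allow specific dependencies
                *[{"to": [ns_peer(ns, {"app": app})], "ports": tcp(p)}
                  for ns, app, p in dependencies],
            ],
        },
    }

def lint_policy(policy):
    """Return findings where a policy is looser than the deny-all-then-allow pattern."""
    findings = []
    spec = policy.get("spec", {})
    if set(spec.get("policyTypes", [])) != {"Ingress", "Egress"}:
        findings.append("policyTypes must list both Ingress and Egress")
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            if not rule.get(peer_key):
                findings.append(f"{direction}[{i}] has no {peer_key} peers: matches any peer")
            if not rule.get("ports"):
                findings.append(f"{direction}[{i}] has no ports: matches every port")
            for peer in rule.get(peer_key) or []:
                if peer.get("namespaceSelector") == {}:
                    findings.append(f"{direction}[{i}] empty namespaceSelector: matches all namespaces")
                if peer.get("ipBlock", {}).get("cidr") == "0.0.0.0/0":
                    findings.append(f"{direction}[{i}] ipBlock 0.0.0.0/0: matches any address")
    return findings

if __name__ == "__main__":
    pol = render_service_policy("order-service", 8080,
                                dependencies=[("matih-data-plane", "postgres", 5432)])
    print(json.dumps(pol, indent=2))
    print("findings:", lint_policy(pol))
```

`namespaceSelector: {}` is the check worth remembering: an empty selector matches every namespace, so a peer written that way opens the rule to the whole cluster even though it looks restrictive.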
Monitoring
NetworkPolicy effectiveness can be monitored through:
| Metric | Source | Description |
|---|---|---|
| Dropped packets | CNI plugin metrics | Packets blocked by policy |
| Connection failures | Application logs | Connection refused errors |
| Policy audit logs | CNI audit mode | All policy evaluation decisions |
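As an added example of turning the policy audit log row into a usable signal (not MATIH tooling), the following Python separates denies that hit the tenant boundary, which are the isolation working as designed but worth alerting on, from denies inside the platform namespaces, which usually mean a service dependency is missing from its egress rules. It also flags a single source denied to many distinct destinations. The records and their field names are constructed for the example; real Calico or Cilium audit output has its own schema and would be mapped onto these fields first.

```python
"""Summarise constructed NetworkPolicy audit records into deny signals."""
import json
from collections import Counter

# Constructed audit records, one JSON object per line. Field names are assumptions.
AUDIT_LOG = """
{"src_ns":"tenant-a","src_pod":"worker-1","dst_ns":"tenant-b","dst_pod":"worker-7","port":8080,"verdict":"deny"}
{"src_ns":"tenant-a","src_pod":"worker-1","dst_ns":"tenant-b","dst_pod":"worker-8","port":8080,"verdict":"deny"}
{"src_ns":"tenant-a","src_pod":"worker-1","dst_ns":"tenant-b","dst_pod":"db-0","port":5432,"verdict":"deny"}
{"src_ns":"tenant-a","src_pod":"worker-1","dst_ns":"matih-data-plane","dst_pod":"api-gateway-0","port":8080,"verdict":"allow"}
{"src_ns":"matih-data-plane","src_pod":"order-svc-0","dst_ns":"matih-data-plane","dst_pod":"postgres-0","port":5432,"verdict":"deny"}
{"src_ns":"matih-data-plane","src_pod":"order-svc-0","dst_ns":"matih-data-plane","dst_pod":"postgres-0","port":5432,"verdict":"deny"}
{"src_ns":"matih-monitoring","src_pod":"prometheus-0","dst_ns":"tenant-a","dst_pod":"worker-1","port":9090,"verdict":"allow"}
"""

def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def denied_flows(records):
    """Count denies per (source namespace, destination namespace, port)."""
    return Counter((r["src_ns"], r["dst_ns"], r["port"])
                   for r in records if r["verdict"] == "deny")

def classify(records):
    """Split denies into tenant-boundary hits and platform-internal denies."""
    tenant_boundary, platform = Counter(), Counter()
    for (src, dst, port), n in denied_flows(records).items():
        if src.startswith("tenant-") and dst.startswith("tenant-") and src != dst:
            tenant_boundary[(src, dst, port)] += n   # isolation doing its job
        else:
            platform[(src, dst, port)] += n          # likely a missing allow rule
    return tenant_boundary, platform

def fan_out_sources(records, threshold=3):
    """Sources denied to at least `threshold` distinct destination pods."""
    targets = {}
    for r in records:
        if r["verdict"] == "deny":
            targets.setdefault((r["src_ns"], r["src_pod"]), set()).add((r["dst_ns"], r["dst_pod"]))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    recs = parse_records(AUDIT_LOG)
    boundary, internal = classify(recs)
    print("tenant boundary denies:", dict(boundary))
    print("platform-internal denies:", dict(internal))
    print("fan-out sources:", fan_out_sources(recs))
```

The two buckets deserve different handling: platform-internal denies go back to the owning team as a chart bug (add the dependency to the egress rules), while tenant-boundary denies, especially from a source with high fan-out, go to the security on-call, because a correctly isolated tenant workload has no reason to attempt them.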
Detailed Sections
| Section | Content |
|---|---|
| Ingress Policies | Rules controlling inbound traffic to services |
| Egress Policies | Rules controlling outbound traffic from services |
| Tenant Isolation | Cross-tenant network boundary enforcement |