npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin network-policy-managerWant just this skill?
Then install: npx claudepluginhub u/[userId]/[slug]
Execute use when managing Kubernetes network policies and firewall rules. Trigger with phrases like "create network policy", "configure firewall rules", "restrict pod communication", or "setup ingress/egress rules". Generates Kubernetes NetworkPolicy manifests following least privilege and zero-trust principles.
This skill is limited to using the following tools:
assets/README.mdassets/network_policy_template.yamlreferences/README.mdscripts/README.mdscripts/generate_network_policy.pyManaging Network Policies
Overview
Create and manage Kubernetes NetworkPolicy manifests to enforce zero-trust networking between pods, namespaces, and external endpoints. Generate ingress and egress rules with label selectors, namespace selectors, CIDR blocks, and port specifications following the principle of least privilege.
Prerequisites
- Kubernetes cluster with a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave Net)
kubectlconfigured with permissions to create and manage NetworkPolicy resources- Pod labels consistently defined across deployments for accurate selector targeting
- Service communication map documenting which pods need to talk to which pods on which ports
- Understanding of DNS requirements (pods need egress to kube-dns on port 53 for name resolution)
Instructions
- Map the application communication patterns: identify all service-to-service, service-to-database, and service-to-external connections
- Start with a default-deny policy for both ingress and egress in each namespace to establish zero-trust baseline
- Add explicit allow rules for each legitimate communication path: specify source pod labels, destination pod labels, and ports
- Always include a DNS egress rule allowing traffic to
kube-systemnamespace on UDP/TCP port 53 for CoreDNS - Define egress rules for external API access: use CIDR blocks or namespaceSelector for known external services
- Apply policies to a test namespace first and verify connectivity with
kubectl execcurl/wget commands - Monitor for blocked traffic in the CNI plugin logs (Calico:
calicoctl node status, Cilium:cilium monitor) - Iterate on policies: add missing allow rules for any legitimate traffic that gets blocked
- Document each policy with annotations explaining the business reason for the allowed communication
Output
- Default-deny NetworkPolicy manifests for ingress and egress per namespace
- Allow-list NetworkPolicy manifests for each service communication path
- DNS egress policy allowing pod name resolution
- External access egress policies with CIDR blocks
- Connectivity test commands for validation
Error Handling
| Error | Cause | Solution |
|---|---|---|
All traffic blocked after applying policy | Default-deny applied without corresponding allow rules | Apply allow rules before or simultaneously with deny policies; verify with kubectl exec tests |
DNS resolution fails after network policy | Missing egress rule for kube-dns/CoreDNS | Add egress policy allowing UDP and TCP port 53 to kube-system namespace |
Policy not targeting intended pods | Label mismatch between policy selector and pod labels | Verify labels with kubectl get pods --show-labels; match selectors exactly |
Traffic still allowed despite deny policy | CNI plugin does not support NetworkPolicy or policy in wrong namespace | Verify CNI support with kubectl get networkpolicy -A; ensure policy is in the correct namespace |
Intermittent connection failures | Policy allows traffic but connection pool or timeout settings too aggressive | Check if the issue is network policy or application-level; test with kubectl exec during failures |
Examples
- "Create a default-deny policy for the
productionnamespace, then add allow rules so only the ingress controller can reach web pods on port 443." - "Generate egress policies that restrict the API pods to communicate only with PostgreSQL (port 5432), Redis (port 6379), and external HTTPS APIs."
- "Build a complete set of network policies for a 3-tier app: frontend -> API (8080), API -> database (5432), API -> cache (6379), all pods -> DNS (53)."
Resources
- Kubernetes NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Calico network policy: https://docs.tigera.io/calico/latest/network-policy/
- Cilium network policy: https://docs.cilium.io/en/stable/security/policy/
- Network policy editor (visual): https://editor.networkpolicy.io/
Similar Skills
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.