Are Kubernetes NetworkPolicies enough?

NetworkPolicies are the built-in mechanism in Kubernetes for controlling traffic but only operate at Layer 3 and Layer 4. In this blog we'll go over how Cilium gives you networking control to Layer 7 and beyond!

Isovalent

Kubernetes built-in NetworkPolicies are limited to Layer 3 and Layer 4 traffic control, which falls short in dynamic, multi-environment clusters. CiliumNetworkPolicy extends standard policies with matchExpressions that support logical operators (In, NotIn, Exists, DoesNotExist), enabling identity-aware, dynamic workload selection. Three practical scenarios are covered: dynamic workload selection with Layer 7 HTTP method/path enforcement, service-aware selection using toServices with label expressions to target specific database roles, and DNS egress control using toFQDNs combined with conditional label matching to restrict external API access to high-security production workloads only. The result is policy that adapts automatically as labels and workloads change, without manual rule rewrites.

From Static Rules to Dynamic Intent: Network Policy with Cilium matchExpressions