Kubernetes built-in NetworkPolicies are limited to Layer 3 and Layer 4 traffic control, which falls short in dynamic, multi-environment clusters. CiliumNetworkPolicy extends standard policies with matchExpressions that support logical operators (In, NotIn, Exists, DoesNotExist), enabling identity-aware, dynamic workload selection. Three practical scenarios are covered: dynamic workload selection with Layer 7 HTTP method/path enforcement, service-aware selection using toServices with label expressions to target specific database roles, and DNS egress control using toFQDNs combined with conditional label matching to restrict external API access to high-security production workloads only. The result is policy that adapts automatically as labels and workloads change, without manual rule rewrites.
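The following manifest is an added illustration, not code from the isovalent.com post, showing how the three scenarios above look as CiliumNetworkPolicy objects. It assumes Cilium 1.14 or later (where toServices can target selector-backed Services); every namespace, label, Service and FQDN (team-payments, tier, env, security-level, role=postgres, api.partner.example) is a constructed placeholder. Note that the "conditional" in scenario 3 is expressed through a second policy's endpointSelector, because an egress rule inside one policy applies to every pod that policy selects.

```yaml
# Added example, not from the isovalent.com post. All namespaces, labels,
# service names and FQDNs are constructed for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-dynamic-selection
  namespace: team-payments
spec:
  # Scenario 1: identity-aware selection. Every pod whose tier is frontend or
  # api and that is not env=sandbox is covered, including pods created later.
  endpointSelector:
    matchExpressions:
      - {key: tier, operator: In, values: [frontend, api]}
      - {key: env, operator: NotIn, values: [sandbox]}
  ingress:
    # L7: any pod with an "app" label may call only these HTTP method/path
    # pairs on 8080; other requests are answered 403 by the proxy.
    - fromEndpoints:
        - matchExpressions:
            - {key: app, operator: Exists}
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/healthz"
              - method: GET
                path: "/api/v1/.*"
              - method: POST
                path: "/api/v1/.*"
  egress:
    # DNS stays allowed; once any egress rule selects a pod, unlisted egress is denied.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
    # Scenario 2: service-aware selection. Only Services in the db namespace
    # labelled role=postgres and not marked "replica" are reachable, regardless
    # of which pods currently back them.
    - toServices:
        - k8sServiceSelector:
            namespace: db
            selector:
              matchExpressions:
                - {key: role, operator: In, values: [postgres]}
                - {key: replica, operator: DoesNotExist}
---
# Scenario 3: DNS egress with a conditional. The condition lives in the
# endpointSelector: only high-security production pods get the FQDN egress.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-external-api
  namespace: team-payments
spec:
  endpointSelector:
    matchExpressions:
      - {key: security-level, operator: In, values: [high]}
      - {key: env, operator: In, values: [production]}
  egress:
    # The DNS proxy rule is required here: toFQDNs is populated from the
    # DNS answers Cilium observes on this path.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    - toFQDNs:
        - matchName: "api.partner.example"
        - matchPattern: "*.api.partner.example"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Apply with kubectl apply -f and confirm which pods picked up each policy with `kubectl get cep -n team-payments` (the CiliumEndpoint status shows the enforced policy revision); when a label changes, the selection changes with it and no rule text is edited. For verification, `hubble observe --verdict DROPPED -n team-payments` shows traffic that fell outside the selectors, and L7 denials appear as HTTP 403 responses rather than dropped flows.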

7 min read. From isovalent.com
Table of contents: Dynamic Workload Selection; Service Aware Selection; DNS Egress with Conditionals; Summary.
