openapi: 3.1.0
info:
  title: Kubernetes Network Policies API
  description: >-
    The Kubernetes NetworkPolicy API controls how groups of Pods communicate
    with each other and with external network endpoints. Policies define
    ingress and egress rules based on Pod selectors, namespace selectors, and
    IP blocks, allowing cluster operators to implement fine-grained network
    segmentation and zero-trust networking within a Kubernetes cluster.
    NetworkPolicy objects are declarative data only: the API server stores and
    validates them, and the cluster's CNI plugin is what actually enforces them.
  version: v1.32.0
  contact:
    name: Kubernetes Community
    url: https://kubernetes.io/community/
  termsOfService: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: Kubernetes NetworkPolicy API Reference
  url: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/
servers:
  - url: https://kubernetes.default.svc
    description: In-cluster Kubernetes API Server
tags:
  - name: NetworkPolicy
    description: >-
      NetworkPolicy resources controlling Pod-level traffic ingress and egress
      based on label selectors, namespace selectors, and IP CIDR blocks.
security:
  - bearerAuth: []
  - clientCertificate: []
paths:
  /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies:
    get:
      operationId: listNamespacedNetworkPolicies
      summary: List NetworkPolicies in a namespace
      description: >-
        Returns a list of all NetworkPolicy objects in the specified namespace.
        Network policies are enforced by the CNI plugin and define which pods
        can send or receive network traffic.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/LabelSelector'
        - $ref: '#/components/parameters/FieldSelector'
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Continue'
        - $ref: '#/components/parameters/Watch'
      responses:
        '200':
          description: List of NetworkPolicy objects
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyList'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createNamespacedNetworkPolicy
      summary: Create a NetworkPolicy
      description: >-
        Creates a new NetworkPolicy in the specified namespace. Once created,
        the CNI plugin enforces the policy: pods selected by it become isolated
        for the listed policy types and accept only the traffic explicitly
        permitted by the ingress and egress rules. Use dryRun=All to have the
        API server validate the object without persisting it.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicy'
      responses:
        '201':
          description: NetworkPolicy created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}:
    get:
      operationId: getNamespacedNetworkPolicy
      summary: Get a NetworkPolicy
      description: >-
        Returns the specified NetworkPolicy including its pod selector, ingress
        rules, egress rules, and policy types (Ingress, Egress, or both).
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
      responses:
        '200':
          description: NetworkPolicy details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: replaceNamespacedNetworkPolicy
      summary: Replace a NetworkPolicy
      description: >-
        Replaces the full specification of the specified NetworkPolicy. Any
        rule omitted from the request body is removed. The CNI plugin
        re-evaluates the updated rules for all pods selected by the policy;
        existing connections may be cut or kept depending on the plugin.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicy'
      responses:
        '200':
          description: NetworkPolicy updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: patchNamespacedNetworkPolicy
      summary: Patch a NetworkPolicy
      description: >-
        Applies a partial update to the specified NetworkPolicy. With
        application/merge-patch+json (RFC 7386 JSON merge patch) arrays such as
        spec.ingress and spec.egress are replaced wholesale, so to add or
        remove a single rule send the complete new array, not just the rule.
        application/strategic-merge-patch+json is also accepted by the
        Kubernetes API server. Review the result with a GET before relying on
        it: a patch that drops a rule by accident widens or narrows isolation
        immediately.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        - $ref: '#/components/parameters/DryRun'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              type: object
          application/strategic-merge-patch+json:
            schema:
              type: object
      responses:
        '200':
          description: NetworkPolicy patched
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicy'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteNamespacedNetworkPolicy
      summary: Delete a NetworkPolicy
      description: >-
        Deletes the specified NetworkPolicy. Pods that were isolated only by
        this policy return to accepting all traffic in the affected direction
        once it is removed; pods still selected by another policy of the same
        type stay isolated. The API server returns a Status object for this
        operation.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/NamespaceParam'
        - $ref: '#/components/parameters/NameParam'
        - $ref: '#/components/parameters/DryRun'
      responses:
        '200':
          description: NetworkPolicy deleted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
        '202':
          description: Deletion accepted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /apis/networking.k8s.io/v1/networkpolicies:
    get:
      operationId: listNetworkPoliciesAllNamespaces
      summary: List NetworkPolicies across all namespaces
      description: >-
        Returns all NetworkPolicy objects across every namespace in the
        cluster. Useful for auditing network segmentation, identifying
        namespaces with no policy at all (whose pods accept any traffic),
        and reviewing cross-namespace traffic restrictions.
      tags:
        - NetworkPolicy
      parameters:
        - $ref: '#/components/parameters/LabelSelector'
        - $ref: '#/components/parameters/FieldSelector'
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Continue'
        - $ref: '#/components/parameters/Watch'
      responses:
        '200':
          description: List of NetworkPolicies across all namespaces
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyList'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: Kubernetes service account or user bearer token.
    clientCertificate:
      type: mutualTLS
      description: >-
        Client TLS certificate signed by a CA the API server trusts
        (the kube-apiserver --client-ca-file); the certificate's CN and O
        fields become the user name and groups for RBAC.
  parameters:
    NamespaceParam:
      name: namespace
      in: path
      required: true
      description: Namespace name to scope the request.
      schema:
        type: string
    NameParam:
      name: name
      in: path
      required: true
      description: Name of the NetworkPolicy resource.
      schema:
        type: string
    LabelSelector:
      name: labelSelector
      in: query
      description: Label selector to filter resources.
      schema:
        type: string
    FieldSelector:
      name: fieldSelector
      in: query
      description: Field selector to filter resources by field values.
      schema:
        type: string
    Limit:
      name: limit
      in: query
      description: Maximum number of items to return.
      schema:
        type: integer
        minimum: 1
    Continue:
      name: continue
      in: query
      description: Pagination continuation token.
      schema:
        type: string
    Watch:
      name: watch
      in: query
      description: If true, stream watch events instead of returning a list.
      schema:
        type: boolean
    DryRun:
      name: dryRun
      in: query
      description: If 'All', validates without persisting the change.
      schema:
        type: string
        enum:
          - All
  responses:
    BadRequest:
      description: Bad request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
    Forbidden:
      description: Forbidden (authenticated, but RBAC denies the verb on networkpolicies)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
    NotFound:
      description: Not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Status'
  schemas:
    LabelSelector:
      type: object
      description: >-
        A label selector filtering pods or namespaces by their labels.
        Combines matchLabels equality requirements with matchExpressions
        set-based requirements using AND logic. An empty selector ({})
        matches every object in scope, which is how a namespace-wide
        default-deny policy is expressed.
      properties:
        matchLabels:
          type: object
          additionalProperties:
            type: string
          description: Key-value pairs that must all match on the target resource labels.
        matchExpressions:
          type: array
          description: Set-based requirements combined with AND logic.
          items:
            type: object
            required:
              - key
              - operator
            properties:
              key:
                type: string
                description: Label key the selector applies to.
              operator:
                type: string
                enum:
                  - In
                  - NotIn
                  - Exists
                  - DoesNotExist
                description: >-
                  Relationship between the key and values. NotIn and
                  DoesNotExist are satisfied by objects that lack the key.
              values:
                type: array
                items:
                  type: string
                description: Values for In/NotIn operators; must be empty for Exists/DoesNotExist.
    IPBlock:
      type: object
      description: >-
        An IP block defined by a CIDR range with optional exceptions, used to
        allow or restrict traffic to or from specific IP ranges. Intended for
        traffic entering or leaving the cluster: pod IPs are often rewritten
        (NAT, masquerade) by ingress and egress mechanisms, so matching pod
        traffic by IP rather than by selector is unreliable.
      required:
        - cidr
      properties:
        cidr:
          type: string
          description: >-
            CIDR range to match. Examples: 192.168.1.0/24, 0.0.0.0/0,
            2001:db8::/32.
          pattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
        except:
          type: array
          description: >-
            CIDR ranges to exclude from the ipBlock. Must be within the cidr
            range.
          items:
            type: string
    NetworkPolicyPeer:
      type: object
      description: >-
        A network policy peer specifying a traffic source (in ingress rules)
        or destination (in egress rules). podSelector and namespaceSelector
        set in the same peer are AND'd: the peer pod must match the
        podSelector and live in a namespace matching the namespaceSelector.
        A podSelector on its own is scoped to the policy's own namespace; a
        namespaceSelector on its own matches all pods in the selected
        namespaces. ipBlock cannot be combined with either selector in the
        same peer.
      properties:
        podSelector:
          $ref: '#/components/schemas/LabelSelector'
        namespaceSelector:
          $ref: '#/components/schemas/LabelSelector'
        ipBlock:
          $ref: '#/components/schemas/IPBlock'
    NetworkPolicyPort:
      type: object
      description: >-
        A port and protocol combination allowed by a network policy rule. If
        port is omitted, all ports of the given protocol match; protocol
        itself defaults to TCP and is never "all protocols".
      properties:
        protocol:
          type: string
          enum:
            - TCP
            - UDP
            - SCTP
          description: Network protocol. Defaults to TCP.
          default: TCP
        port:
          description: >-
            Port number or named port to match. If empty, all ports are
            matched.
          oneOf:
            - type: integer
              minimum: 1
              maximum: 65535
            - type: string
        endPort:
          type: integer
          minimum: 1
          maximum: 65535
          description: >-
            End of a port range. If specified with port, allows all ports from
            port to endPort inclusive. Requires port to be a numeric port (not
            a named one) and endPort to be greater than or equal to port.
    NetworkPolicyIngressRule:
      type: object
      description: >-
        An ingress rule allowing inbound traffic to selected pods from
        specified sources on specified ports. An empty or missing from list
        allows traffic from all sources. An empty or missing ports list allows
        all ports.
      properties:
        from:
          type: array
          description: >-
            Allowed traffic sources. Items are OR'd together; within an item,
            podSelector and namespaceSelector are AND'd.
          items:
            $ref: '#/components/schemas/NetworkPolicyPeer'
        ports:
          type: array
          description: Ports on which the ingress traffic is allowed.
          items:
            $ref: '#/components/schemas/NetworkPolicyPort'
    NetworkPolicyEgressRule:
      type: object
      description: >-
        An egress rule allowing outbound traffic from selected pods to
        specified destinations on specified ports. An empty or missing to list
        allows traffic to all destinations. An empty or missing ports list
        allows all ports. Remember that DNS is egress too: an egress-isolated
        pod needs a rule permitting UDP/TCP 53 to the cluster resolver or name
        lookups will fail.
      properties:
        to:
          type: array
          description: >-
            Allowed traffic destinations. Items are OR'd together; within an
            item, podSelector and namespaceSelector are AND'd.
          items:
            $ref: '#/components/schemas/NetworkPolicyPeer'
        ports:
          type: array
          description: Ports to which the egress traffic is allowed.
          items:
            $ref: '#/components/schemas/NetworkPolicyPort'
    NetworkPolicySpec:
      type: object
      description: >-
        Specification of a NetworkPolicy defining which pods are selected,
        what policy types apply, and the ingress and egress rules.
      required:
        - podSelector
      properties:
        podSelector:
          $ref: '#/components/schemas/LabelSelector'
        policyTypes:
          type: array
          description: >-
            Policy types that apply to this NetworkPolicy. If Ingress is
            listed, selected pods accept only explicitly allowed ingress
            traffic. If Egress is listed, selected pods may send only
            explicitly allowed egress traffic. When omitted, Ingress is always
            assumed, and Egress is added only if the egress field is present.
            Consequently a policy with no policyTypes and no ingress field
            still isolates its pods for ingress, and an egress-only deny needs
            policyTypes: [Egress] spelled out.
          items:
            type: string
            enum:
              - Ingress
              - Egress
        ingress:
          type: array
          description: >-
            Ingress rules. Each rule allows traffic matching all of its
            conditions (from and ports). An empty ingress list with Ingress in
            policyTypes denies all ingress traffic to the selected pods.
          items:
            $ref: '#/components/schemas/NetworkPolicyIngressRule'
        egress:
          type: array
          description: >-
            Egress rules. Each rule allows traffic matching all of its
            conditions (to and ports). An empty egress list with Egress in
            policyTypes denies all egress traffic from the selected pods.
          items:
            $ref: '#/components/schemas/NetworkPolicyEgressRule'
    NetworkPolicy:
      type: object
      description: >-
        A NetworkPolicy describes how groups of pods are allowed to
        communicate with each other and other network endpoints. Policies are
        additive: if multiple policies select a pod, the pod is isolated for
        the union of their policy types and the allowed traffic is the union
        of their rules. There is no deny rule; traffic is denied only by not
        being allowed by any policy selecting an isolated pod. A pod selected
        by no policy accepts and sends all traffic. Requires a CNI plugin that
        supports NetworkPolicy enforcement; without one the API server still
        accepts the object but nothing enforces it.
      properties:
        apiVersion:
          type: string
          const: networking.k8s.io/v1
        kind:
          type: string
          const: NetworkPolicy
        metadata:
          $ref: '#/components/schemas/ObjectMeta'
        spec:
          $ref: '#/components/schemas/NetworkPolicySpec'
    NetworkPolicyList:
      type: object
      description: A list of NetworkPolicy objects.
      required:
        - items
      properties:
        apiVersion:
          type: string
        kind:
          type: string
          const: NetworkPolicyList
        metadata:
          $ref: '#/components/schemas/ListMeta'
        items:
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicy'
    ObjectMeta:
      type: object
      description: Standard Kubernetes object metadata.
      properties:
        name:
          type: string
          description: Name of the object.
        namespace:
          type: string
          description: Namespace of the object.
        uid:
          type: string
          description: Unique server-assigned identifier.
        resourceVersion:
          type: string
          description: Internal version string.
        creationTimestamp:
          type: string
          format: date-time
          description: Creation timestamp.
        labels:
          type: object
          additionalProperties:
            type: string
          description: Label key-value pairs.
        annotations:
          type: object
          additionalProperties:
            type: string
          description: Non-identifying metadata.
    ListMeta:
      type: object
      description: Metadata for list responses.
      properties:
        resourceVersion:
          type: string
        continue:
          type: string
        remainingItemCount:
          type: integer
    Status:
      type: object
      description: Error or result status.
      properties:
        code:
          type: integer
        message:
          type: string
        reason:
          type: string
        status:
          type: string
          enum:
            - Success
            - Failure
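The selector, peer, port and policyTypes semantics described in the schemas above (union of policies, AND within a peer, OR across peers, namespace scoping of a bare podSelector, ipBlock except, endPort ranges, the Ingress-by-default rule) are easy to get wrong by reading alone. The following is an added example, not part of this spec or of Kubernetes itself: an offline Python evaluator that applies those rules to policy objects shaped like the NetworkPolicy schema, plus the coverage audit that the all-namespaces listing is meant to support. The pods, namespaces and policies are constructed sample data; nothing talks to an API server, and named (string) ports are not resolved.

```python
# Added example (not the spec's or Kubernetes' own code): offline evaluator for the
# NetworkPolicy semantics described above. All sample data below is constructed.
import ipaddress

def selector_matches(selector, labels):
    # LabelSelector: matchLabels and matchExpressions are AND'd; {} matches everything.
    if any(labels.get(k) != v for k, v in (selector.get("matchLabels") or {}).items()):
        return False
    for e in selector.get("matchExpressions") or []:
        key, op, vals = e["key"], e["operator"], e.get("values") or []
        hit = key in labels and labels[key] in vals
        if (op == "In" and not hit) or (op == "NotIn" and hit):
            return False
        if (op == "Exists" and key not in labels) or (op == "DoesNotExist" and key in labels):
            return False
    return True

def effective_policy_types(spec):
    # Defaulting rule: Ingress always applies; Egress only if the egress field is present,
    # so a policy carrying only egress rules also isolates its pods for ingress.
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, other, policy_ns, namespaces):
    # ipBlock stands alone; namespaceSelector and podSelector in one peer are AND'd;
    # a bare podSelector is scoped to the policy's own namespace.
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(other["ip"]), peer["ipBlock"]
        net = lambda c: ipaddress.ip_network(c, strict=False)
        return ip in net(blk["cidr"]) and not any(ip in net(e) for e in blk.get("except", []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces.get(other["namespace"], {})):
            return False
    elif other["namespace"] != policy_ns:
        return False
    return "podSelector" not in peer or selector_matches(peer["podSelector"], other["labels"])

def port_matches(ports, protocol, port):
    # Missing/empty ports matches all ports; protocol defaults to TCP; endPort gives an
    # inclusive numeric range. Named (string) ports are skipped rather than resolved.
    if not ports:
        return True
    for p in ports:
        lo = p.get("port")
        if p.get("protocol", "TCP") != protocol or (lo is not None and not isinstance(lo, int)):
            continue
        if lo is None or lo <= port <= p.get("endPort", lo):
            return True
    return False

def direction_allowed(policies, namespaces, subject, other, direction, protocol, port):
    # Union semantics: the subject pod is isolated once any policy of this type selects it;
    # traffic then needs one matching rule in any such policy. Unselected pods are open.
    field, key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != subject["namespace"] or direction not in effective_policy_types(spec) \
                or not selector_matches(spec["podSelector"], subject["labels"]):
            continue
        isolated = True
        for rule in spec.get(field) or []:
            peers = rule.get(key)  # missing/empty from/to allows every peer; items are OR'd
            if (not peers or any(peer_matches(p, other, ns, namespaces) for p in peers)) \
                    and port_matches(rule.get("ports"), protocol, port):
                return True
    return not isolated

def is_allowed(policies, namespaces, src, dst, protocol="TCP", port=80):
    # A packet passes only if the destination admits it (Ingress) and the source may send it (Egress).
    return (direction_allowed(policies, namespaces, dst, src, "Ingress", protocol, port)
            and direction_allowed(policies, namespaces, src, dst, "Egress", protocol, port))

def unprotected_pods(policies, pods, direction="Ingress"):
    # Audit helper for the all-namespaces listing: pods that no policy isolates in that direction.
    return [pod["name"] for pod in pods if not any(
        pol["metadata"]["namespace"] == pod["namespace"]
        and direction in effective_policy_types(pol["spec"])
        and selector_matches(pol["spec"]["podSelector"], pod["labels"]) for pol in policies)]

# Constructed sample cluster state (hypothetical names and addresses).
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
WEB, DB, BATCH, TOOL = (
    {"name": "web", "namespace": "prod", "labels": {"app": "web"}, "ip": "10.0.1.10"},
    {"name": "db", "namespace": "prod", "labels": {"app": "db"}, "ip": "10.0.1.20"},
    {"name": "batch", "namespace": "prod", "labels": {"app": "batch"}, "ip": "10.0.1.30"},
    {"name": "tool", "namespace": "dev", "labels": {"app": "web"}, "ip": "10.0.2.5"})
PODS = [WEB, DB, BATCH, TOOL]
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "db-allow-web", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                           "ports": [{"port": 5432}]}]}},
    {"metadata": {"name": "web-allow-dev-web", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
                               {"key": "env", "operator": "In", "values": ["dev"]}]},
                                     "podSelector": {"matchLabels": {"app": "web"}}}],
                           "ports": [{"port": 8080, "endPort": 8090}]}]}},
    {"metadata": {"name": "batch-egress", "namespace": "prod"},  # no policyTypes: isolates ingress too
     "spec": {"podSelector": {"matchLabels": {"app": "batch"}},
              "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.1.0/24"]}}]}]}},
]
```

Points worth checking with it: `is_allowed(POLICIES, NAMESPACES, TOOL, DB, port=5432)` is false even though `tool` carries `app=web`, because `db-allow-web` uses a bare podSelector and is therefore confined to `prod`; `effective_policy_types(POLICIES[3]["spec"])` contains Ingress, so `batch` rejects all inbound traffic although the author only wrote egress rules; and `unprotected_pods(POLICIES, PODS, "Egress")` shows that only `batch` has any egress restriction at all. Real policy evaluation is done by the CNI plugin; treat this as a reasoning aid for reviewing policies pulled from the listing endpoints, not as a substitute for testing connectivity in the cluster.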