Understanding Network Policy APIs


Introduction

Network security in Kubernetes-style clusters involves controlling which workloads (Pods, namespaces) can communicate and how. At its core are network-policy APIs that enable segmentation (layer 3/4) and traffic control. Over time more advanced API layers have emerged to support cluster-wide guardrails, multi-tenancy enforcement, zero-trust models and application-layer (layer 7) filtering.

This article focuses on the v1alpha1 API model: AdminNetworkPolicy (ANP) and BaselineAdminNetworkPolicy (BANP), their place among the network policy APIs, how they relate to the standard NetworkPolicy, and how you can use them today while planning for future API versions.

Evaluation of network policies by Kube-OVN

When several network policies apply to the same traffic, they are evaluated in a strict priority order: AdminNetworkPolicy rules are evaluated first and take precedence over NetworkPolicy, which in turn takes precedence over BaselineAdminNetworkPolicy. The baseline policy is therefore only reached when neither an admin rule nor a namespace policy has already decided the verdict.

The procedure is as follows:

What is the difference between the cluster-scoped AdminNetworkPolicy and the namespace-scoped NetworkPolicy?

Dimension              | Namespace-Scoped NetworkPolicy                         | Cluster-Scoped AdminNetworkPolicy
-----------------------|--------------------------------------------------------|------------------------------------------------------------------------------
Scope                  | Applies only to a single namespace                     | Applies across the entire cluster
Audience / Ownership   | Application developers or namespace owners             | Platform administrators or cluster administrators
Primary Use            | Workload-level microsegmentation (L3/L4)               | Enforcing global or cross-namespace access rules
Control Target         | Pods within a namespace selected by podSelector        | Namespaces or Pods selected by the top-level subject
Policy Priority        | Medium priority, evaluated after admin-level rules     | Higher priority, overrides namespace policies
Typical Use Cases      | Allow frontend → backend, restrict DB access, etc.     | Restrict inter-tenant traffic, enforce egress restrictions, set global protections
Visibility             | Only affects the namespace where it is created         | Can impact multiple namespaces simultaneously
Cross-Namespace Rules  | Allowed only indirectly (via namespaceSelector)        | First-class cross-namespace traffic control
Risk Surface           | Misconfiguration affects one namespace                 | Misconfiguration may affect traffic for the entire cluster
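The three tiers and their evaluation order, written out as manifests. This is an added example, not from the article or the Kube-OVN project; it assumes a namespace team-a labelled tenant=team-a and Pods in it labelled app=frontend and app=backend. The ANP passes same-tenant traffic down to the namespace NetworkPolicy and denies other tenants outright; the BANP is the default-deny floor that applies only when nothing above it matched.

```yaml
# Added example (assumed labels: namespace tenant=team-a, Pods app=frontend/backend).
# Evaluation order: AdminNetworkPolicy -> NetworkPolicy -> BaselineAdminNetworkPolicy.
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: tenant-a-guardrail
spec:
  priority: 10                  # lower number wins among several ANPs
  subject:
    namespaces:
      matchLabels:
        tenant: team-a
  ingress:
    - name: pass-same-tenant
      action: Pass              # delegate the verdict to the namespace NetworkPolicy
      from:
        - namespaces:
            matchLabels:
              tenant: team-a
    - name: deny-other-namespaces
      action: Deny              # guardrail: namespace owners cannot override this
      from:
        - namespaces:
            matchExpressions:
              - {key: tenant, operator: NotIn, values: [team-a]}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: team-a
spec:
  podSelector: {matchLabels: {app: backend}}
  policyTypes: [Ingress]
  ingress:                      # only frontend Pods may reach backend:8080
    - from:
        - podSelector: {matchLabels: {app: frontend}}
      ports: [{protocol: TCP, port: 8080}]
---
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default                 # the API allows exactly one BANP, named "default"
spec:
  subject: {namespaces: {}}     # every namespace in the cluster
  ingress:
    - name: default-deny
      action: Deny              # reached only when no ANP or NetworkPolicy matched
      from: [{namespaces: {}}]
```

With these applied, a request from team-b to team-a is stopped by the ANP before any namespace policy is consulted, while a request from an unlabelled Pod in team-a to backend:8080 is passed to the NetworkPolicy, does not match its frontend rule, and falls through to the BANP's default deny.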