NetworkPolicy

Istio can optionally deploy Kubernetes NetworkPolicy resources for its components. This is useful in clusters that enforce a default-deny network policy, which is a common requirement in secured environments.

When enabled, NetworkPolicy resources are created for istiod, istio-cni, ztunnel, and Helm-installed gateways, defining the ingress ports each component needs. All egress is allowed by default, since components like istiod need to connect to user-defined endpoints (e.g. JWKS URLs). The gateway NetworkPolicy automatically includes the service ports configured in the gateway’s Helm values.

Enabling NetworkPolicy

To enable NetworkPolicy, set global.networkPolicy.enabled=true during installation.

With istioctl:

$ istioctl install --set values.global.networkPolicy.enabled=true

With Helm, pass the setting to each chart:

$ helm install istiod istio/istiod -n istio-system --set global.networkPolicy.enabled=true
$ helm install istio-cni istio/cni -n istio-system --set global.networkPolicy.enabled=true
$ helm install ztunnel istio/ztunnel -n istio-system --set global.networkPolicy.enabled=true
$ helm install istio-ingressgateway istio/gateway -n istio-ingress --set global.networkPolicy.enabled=true

Reviewing the generated policies

Each component’s NetworkPolicy allows ingress on the specific ports that component needs, and permits all egress (since components like istiod need to connect to user-defined endpoints such as JWKS URLs).

You can preview the exact NetworkPolicy resources that will be created by using helm template:

$ helm template istiod istio/istiod -n istio-system --set global.networkPolicy.enabled=true -s templates/networkpolicy.yaml
$ helm template istio-cni istio/cni -n istio-system --set global.networkPolicy.enabled=true -s templates/networkpolicy.yaml
$ helm template ztunnel istio/ztunnel -n istio-system --set global.networkPolicy.enabled=true -s templates/networkpolicy.yaml

To inspect the policies after installation:

$ kubectl get networkpolicy -n istio-system

Customizing NetworkPolicy

The NetworkPolicy resources created by Istio are intentionally broad — ingress rules use empty from selectors, meaning traffic is allowed from any source on the listed ports. This is because the source of legitimate traffic (e.g. kube-apiserver, Prometheus, application pods) varies between clusters.

If you need more restrictive policies, you can disable Istio’s built-in NetworkPolicy and create your own, using the output of helm template as a starting point.
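As an added example (not code from the Istio documentation or charts), the following Python audit script takes the parsed output of kubectl get networkpolicy -n istio-system -o json and lists every ingress rule whose from selector is missing or empty, i.e. the broad allow-from-any-source rules described above, and reports whether a policy restricts egress. The embedded sample policy list, including its names and port numbers, is constructed for illustration only.

```python
# Constructed sample shaped like `kubectl get networkpolicy -n istio-system -o json`
# (a NetworkPolicyList). Names and ports are illustrative, not values from Istio's charts.
SAMPLE = {
    "kind": "NetworkPolicyList",
    "items": [
        {
            "metadata": {"name": "istiod", "namespace": "istio-system"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "istiod"}},
                "policyTypes": ["Ingress"],
                "ingress": [
                    # no 'from': Kubernetes treats this as "allow from any source"
                    {"ports": [{"protocol": "TCP", "port": 15012}]},
                    # scoped rule: only pods in the 'monitoring' namespace
                    {"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}}],
                     "ports": [{"protocol": "TCP", "port": 15014}]},
                ],
            },
        },
        {   # typical default-deny policy for the namespace
            "metadata": {"name": "default-deny", "namespace": "istio-system"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
    ],
}

def fmt_ports(rule):
    """Render a rule's ports; a rule with no 'ports' matches every port."""
    ports = rule.get("ports") or []
    return [f"{p.get('protocol', 'TCP')}/{p.get('port', 'ALL')}" for p in ports] or ["ALL"]

def open_ingress_rules(policy_list):
    """(policy name, ports) for each ingress rule whose 'from' is missing or empty."""
    findings = []
    for item in policy_list.get("items", []):
        for rule in item.get("spec", {}).get("ingress") or []:
            if not rule.get("from"):
                findings.append((item["metadata"]["name"], fmt_ports(rule)))
    return findings

def egress_restricted(policy):
    """True when 'Egress' is in policyTypes (explicit, or implied by egress rules)."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    return "Egress" in types
```

Against a live cluster, load the JSON from kubectl with json.load and pass the parsed object to open_ingress_rules; any policy it reports admits traffic from every source on the listed ports, which is where a narrower from selector would go in a custom policy.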
