There are no NetworkPolicies in any namespace. Every pod can reach every other pod and service across the entire cluster without restriction.
A compromised or misbehaving workload can:
- Reach the kube-apiserver via the `kubernetes` service (authorization still applies, but any leaked or over-privileged service account token is usable from anywhere in the cluster)
- Reach FleetLock's reboot-lock endpoints and cause node cordons/drains, or hold the lock and stall coordinated reboots
- Query external-dns or the OTel collector, which may expose DNS records, configuration and telemetry about other workloads
- Access any future workload's internal endpoints, since nothing has to be opted in
Suggested approach:
- Start with a default-deny ingress policy per namespace (an empty `podSelector` with `policyTypes: [Ingress]` and no `ingress` rules)
- Explicitly allow required traffic (e.g., Traefik → backend pods). Egress-side allows such as otelcol → kube-apiserver and CoreDNS only become necessary once a default-deny egress policy is added as well; ingress-only deny does not restrict outbound connections
- Flannel itself does not enforce NetworkPolicies, but k3s ships an embedded network policy controller (based on kube-router) alongside Flannel, so policies are enforced unless the server was started with `--disable-network-policy`. Check the k3s server flags first, and after applying a policy verify it from a test pod (e.g. `kubectl run` a busybox pod and `wget` a denied endpoint; the connection should time out), rather than assuming either enforcement or its absence