Understanding Network Policy APIs

Introduction

Network security in Kubernetes-style clusters involves controlling which workloads (Pods, namespaces) can communicate and how. At its core are network-policy APIs that enable segmentation (layer 3/4) and traffic control. Over time more advanced API layers have emerged to support cluster-wide guardrails, multi-tenancy enforcement, zero-trust models and application-layer (layer 7) filtering.

This article focuses on the API model v1alpha1: AdminNetworkPolicy (ANP) and BaselineAdminNetworkPolicy (BANP), their place among network policy APIs, how they relate to the standard NetworkPolicy, and how you might use them today while planning for future versions.

Evaluation of network policy by KUBE-OVN

When multiple network policies are applied, they follow a strict priority order: Admin Network Policy takes precedence over Network Policy, which in turn takes precedence over Baseline Admin Network Policy.

The procedure is as follows:

What is the difference between the AdminNetworkPolicy with scope and the NetworkPolicy with namespace scope?

Dimension	Namespace-Scoped NetworkPolicy	Cluster-Scoped AdminNetworkPolicy
Scope	Applies only to a single namespace	Applies across the entire cluster
Audience / Ownership	Application developer or namespace owners	Platform administrators or cluster administrator
Primary Use	Workload-level microsegmentation (L3/L4)	Enforcing global or cross-namespace access rules
Control Target	Pods within a namespace selected by `podSelector`	Namespaces or Pods selected by top-level `subject`
Policy Priority	Medium priority — evaluated after admin-level rules	Higher priority — overrides namespace policies
Typical Use Cases	Allow frontend → backend, restrict DB access, etc.	Restrict inter-tenant traffic, enforce egress restrictions, set global protections
Visibility	Only affects the namespace where it is created	Can impact multiple namespaces simultaneously
Cross-Namespace Rules	Allowed only indirectly (via namespaceSelector)	First-class cross-namespace traffic control
Risk Surface	Misconfiguration affects one namespace	Misconfiguration may affect entire cluster traffic

Understanding Network Policy APIs

Introduction

Evaluation of network policy by KUBE-OVN

The procedure is as follows:

What is the difference between the AdminNetworkPolicy with scope and the NetworkPolicy with namespace scope?

Dimension	Namespace-Scoped NetworkPolicy	Cluster-Scoped AdminNetworkPolicy
Scope	Applies only to a single namespace	Applies across the entire cluster
Audience / Ownership	Application developer or namespace owners	Platform administrators or cluster administrator
Primary Use	Workload-level microsegmentation (L3/L4)	Enforcing global or cross-namespace access rules
Control Target	Pods within a namespace selected by `podSelector`	Namespaces or Pods selected by top-level `subject`
Policy Priority	Medium priority — evaluated after admin-level rules	Higher priority — overrides namespace policies
Typical Use Cases	Allow frontend → backend, restrict DB access, etc.	Restrict inter-tenant traffic, enforce egress restrictions, set global protections
Visibility	Only affects the namespace where it is created	Can impact multiple namespaces simultaneously
Cross-Namespace Rules	Allowed only indirectly (via namespaceSelector)	First-class cross-namespace traffic control
Risk Surface	Misconfiguration affects one namespace	Misconfiguration may affect entire cluster traffic

ACP CLI (ac)

Node Management

Managed Clusters

Import Clusters

Public Cloud Cluster Initialization

Network Initialization

Storage Initialization

How to

How to

Backup Management

Recovery Management

Guides

How To

Kube OVN

alb

Trouble Shooting

Concepts

Guides

How To

Troubleshooting

Object Storage

Guides

How To

Install

Concepts

Guides

How To

Disaster Recovery

Concepts

Guides

How To

Guides

How To

ALB Operator

Compliance

HowTo

API Refiner

User

Guides

Group

Guides

Role

Guides

IDP

Guides

Troubleshooting

User Policy

Guides

Overview

Images

Guides

How To

Virtual Machine

Guides

How To

Troubleshooting

Network

Guides

How To

Storage

Guides

Backup and Recovery

Guides

Concepts

Namespaces

Creating Applications

Operation and Maintaining Applications

Application Rollout

KEDA(Kubernetes Event-driven Autoscaling)

How To

Workloads

Configurations

Application Observability

How To

How To

Install

How To

Overview

Install

Upgrade