Skip to content
CallSphere - AI voice and chat agents for businessCallSphere
Kubernetes Network Policies for AI Agent Security: Isolating Agent Communication
Learn Agentic AI11 min read17 views

Kubernetes Network Policies for AI Agent Security: Isolating Agent Communication

Design Kubernetes Network Policies to secure AI agent communication — including namespace isolation, egress restrictions to LLM APIs, and deny-all defaults with explicit allow rules.

Why Network Policies Matter for AI Agents

AI agents are powerful — they call external APIs, execute tools, and communicate with other agents. This power creates a large attack surface. A compromised agent Pod could exfiltrate training data, call unauthorized APIs, or move laterally to internal services. Kubernetes Network Policies enforce firewall rules at the Pod level, ensuring each agent can only communicate with the services it legitimately needs.

Default Deny: The Foundation

Start by denying all traffic in the AI agents namespace. Then add explicit allow rules for each required communication path:

flowchart LR
    GIT(["Git push"])
    CI["GitHub Actions<br/>build plus test"]
    REG[("Container registry<br/>GHCR or ECR")]
    HELM["Helm chart<br/>values per env"]
    K8S{"Kubernetes cluster"}
    DEP["Deployment<br/>rolling update"]
    SVC["Service plus Ingress"]
    HPA["HPA<br/>CPU and queue depth"]
    POD[("Inference pods<br/>GPU node pool")]
    USERS(["Production traffic"])
    GIT --> CI --> REG --> HELM --> K8S
    K8S --> DEP --> POD
    K8S --> SVC --> POD
    K8S --> HPA --> POD
    SVC --> USERS
    style CI fill:#4f46e5,stroke:#4338ca,color:#fff
    style POD fill:#ede9fe,stroke:#7c3aed,color:#1e1b4b
    style USERS fill:#059669,stroke:#047857,color:#fff

# deny-all.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: ai-agents
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

This policy selects all Pods in the namespace (empty podSelector) and blocks both incoming and outgoing traffic. Nothing works until you add explicit allow rules.

Allow Ingress from the API Gateway

Only the API gateway should send requests to your AI agents:

Hear it before you finish reading

Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.

Try Live Demo → 
# allow-gateway-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-to-agents
  namespace: ai-agents
spec:
  podSelector:
    matchLabels:
      app: ai-agent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: api-gateway
          podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 8000

This allows traffic only from Pods labeled app: gateway in the api-gateway namespace, and only to port 8000. Any other ingress is denied.

Allow Agent-to-Agent Communication

In a multi-agent system, the triage agent needs to reach specialist agents:

# allow-agent-to-agent.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-triage-to-specialists
  namespace: ai-agents
spec:
  podSelector:
    matchLabels:
      role: specialist-agent
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: triage-agent
      ports:
        - protocol: TCP
          port: 8000

Specialist agents accept traffic only from the triage agent, not from each other or from external sources.

Restrict Egress to Approved Services

Control which external services your agents can reach:

# allow-agent-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-agent-egress
  namespace: ai-agents
spec:
  podSelector:
    matchLabels:
      app: ai-agent
  policyTypes:
    - Egress
  egress:
    # Allow DNS resolution
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow access to the database
    - to:
        - namespaceSelector:
            matchLabels:
              name: databases
          podSelector:
            matchLabels:
              app: postgresql
      ports:
        - protocol: TCP
          port: 5432
    # Allow HTTPS to external LLM APIs
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443

This allows DNS resolution, PostgreSQL access within the cluster, and HTTPS calls to external APIs like OpenAI. It blocks access to all internal RFC 1918 addresses that are not explicitly allowed, preventing lateral movement.

Labeling Strategy for Multi-Agent Security

Use consistent labels to build clear network policies:

Still reading? Stop comparing — try CallSphere live.

CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.

Try Live Demo → Book 30-min Walkthrough See Pricing 
# Python script to generate labeled Deployment manifests
AGENT_ROLES = {
    "triage": {"can_reach": ["specialist", "tool-service"]},
    "specialist": {"can_reach": ["tool-service", "database"]},
    "tool-service": {"can_reach": ["database"]},
}

def generate_labels(agent_name: str, role: str) -> dict:
    return {
        "app": agent_name,
        "role": role,
        "tier": "ai-agent",
        "network-policy": "restricted",
    }

Verifying Network Policies

Test that your policies work by attempting blocked connections:

# Deploy a debug Pod
kubectl run nettest --image=busybox --rm -it --namespace=ai-agents -- sh

# Test allowed connection (should succeed)
wget -qO- --timeout=5 http://ai-agent-svc:8000/health

# Test blocked connection (should timeout)
wget -qO- --timeout=5 http://some-other-service:8080/api

FAQ

Do I need a CNI plugin that supports Network Policies?

Yes. The default kubenet CNI in some Kubernetes distributions does not enforce Network Policies. You need a CNI plugin like Calico, Cilium, or Weave Net. Calico is the most widely used for Network Policy enforcement and supports both Kubernetes native policies and its own extended policy format with additional features like DNS-based egress rules.

How do I allow AI agents to reach only specific external API domains?

Kubernetes Network Policies operate at the IP level, not the DNS level. To restrict by domain name, use Cilium Network Policies with DNS-aware filtering or configure an egress proxy like Squid or Envoy that whitelists specific domains. Route all agent egress through the proxy and block direct internet access.

What happens if I apply conflicting Network Policies?

Network Policies are additive. If one policy allows traffic on port 8000 and another allows port 9090, both ports are accessible. There is no deny-override behavior — if any policy allows a connection, it is permitted. This is why starting with a deny-all policy and adding specific allows is the safest approach.

#Kubernetes #NetworkSecurity #NetworkPolicies #AIAgents #ZeroTrust #AgenticAI #LearnAI #AIEngineering

Share

Try CallSphere AI Voice Agents

See how AI voice agents work for your industry. Live demo available -- no signup required.

Try Live DemoBook a Demo

Related Articles You May Like

AI Agents

Personal AI Assistant: How to Pick One for Business in 2026

A founder's guide to the personal AI assistant market: best AI assistant apps, business-grade options, and how CallSphere's voice agent fits in.

AI Agents

Free AI Agents in 2026: When Free Wins and When It Costs You

A founder's guide to free AI agents, low-code AI agent builders, and how to know when you should pay for a real platform like CallSphere.

Agentic AI

Graphiti: How Temporal Knowledge Graphs Give AI Voice Agents Persistent Memory (2026 Guide)

Graphiti is the open-source temporal knowledge graph for AI agents in 2026. Learn how bi-temporal memory beats vector RAG for voice agents and long-running LLMs.

AI Agents

Chatbot App vs ChatGPT: What's the Difference, and Which Do I Need?

Chatbot app vs ChatGPT in 2026: a founder's clear take on the difference, when to use which, and how a real AI chatbot app development works.

HVAC

Building an HVAC After-Hours Emergency Escalation System: A Complete Engineering Guide

How we built a fault-tolerant HVAC emergency triage and tech-dispatch platform on Kubernetes — three-tier CQRS, 11 micro-agents on the OpenAI Agents SDK + LangGraph, NATS JetStream, DTMF/SMS/WebSocket acceptance, circuit breakers, and an evaluation pipeline that catches regressions before they wake a tech at 3 AM.

Enterprise AI

OpenAI Frontier vs Anthropic Managed Agents: 2026 Comparison

Head-to-head: OpenAI Frontier and Anthropic's managed agent stack — strengths, fit, and what each means for enterprise AI voice and chat deployment.