# Agent Kubernetes Network Policies and Ingress Rules

Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-06-02
Generation: ai_structured

## TL;DR

NetworkPolicy, Ingress, and Gateway evidence lets agents debug whether traffic is blocked, routed, exposed, or sent to the wrong service.

## Core Explanation

Kubernetes connectivity failures need both routing and policy context. An agent should inspect selected Pods, namespace labels, NetworkPolicies, Services, Ingress or Gateway resources, controller status, and events before deciding whether an app or platform layer is at fault.

Ingress and Gateway rules describe how external traffic reaches services. NetworkPolicies describe allowed Pod communication when the CNI enforces them. These layers can disagree, so agents should correlate all of them.

## Source-Mapped Facts

- Kubernetes documentation describes NetworkPolicy as a specification for how groups of Pods are allowed to communicate with each other and other network endpoints. ([source](https://kubernetes.io/docs/concepts/services-networking/network-policies/))
- Kubernetes documentation describes Ingress as exposing HTTP and HTTPS routes from outside the cluster to services within the cluster. ([source](https://kubernetes.io/docs/concepts/services-networking/ingress/))
- Kubernetes documentation describes Gateway API as a collection of resources that model service networking in Kubernetes. ([source](https://kubernetes.io/docs/concepts/services-networking/gateway/))

## Further Reading

- [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
- [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- [Kubernetes Gateway API](https://kubernetes.io/docs/concepts/services-networking/gateway/)
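The correlation described under Core Explanation, as an added example (not code from this page or from the Kubernetes project): it follows an Ingress backend to its Service, to the selected Pods, and then to the NetworkPolicy verdict for traffic from the ingress controller Pod, showing a case where routing is correct but policy blocks it. All object names and the trimmed manifest shape are constructed assumptions; only `matchLabels` selectors and numeric ports are evaluated, and the CNI is assumed to enforce NetworkPolicy.

```python
def matches(selector, labels):
    """matchLabels-only check; an empty or missing selector matches everything."""
    return (selector or {}).get("matchLabels", {}).items() <= labels.items()

def peer_allows(peer, policy_ns, src, ns_labels):
    if "ipBlock" in peer:  # assumption: Pod-to-Pod only, ipBlock peers are skipped
        return False
    # a bare podSelector only reaches Pods in the policy's own namespace
    ns_ok = (matches(peer["namespaceSelector"], ns_labels[src["namespace"]])
             if "namespaceSelector" in peer else src["namespace"] == policy_ns)
    return ns_ok and matches(peer.get("podSelector"), src["labels"])

def ingress_verdict(policies, dst, src, port, ns_labels):
    selecting = [p for p in policies if p["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return "allowed (no policy isolates this Pod)"
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            port_ok = not rule.get("ports") or any(
                x.get("port") in (None, port) for x in rule["ports"])
            src_ok = not rule.get("from") or any(
                peer_allows(peer, p["namespace"], src, ns_labels) for peer in rule["from"])
            if port_ok and src_ok:
                return f"allowed by {p['name']}"
    return "blocked by " + ", ".join(p["name"] for p in selecting)

def trace(ingress, services, pods, policies, controller, ns_labels):
    out, ns = [], ingress["namespace"]  # Ingress -> Service -> Pods -> policy verdict
    for name in ingress["backends"]:
        svc = services.get((ns, name), {})
        sel, port = svc.get("selector"), svc.get("targetPort")
        hits = [p for p in pods if sel and p["namespace"] == ns
                and sel.items() <= p["labels"].items()]
        out += [f"{p['name']}: {ingress_verdict(policies, p, controller, port, ns_labels)}"
                for p in hits] or [f"{name}: no Service, or its selector matches no Pods"]
    return out

# Constructed sample objects (trimmed manifests); every name here is hypothetical.
NS_LABELS = {"shop": {"kubernetes.io/metadata.name": "shop"},
             "ingress-nginx": {"kubernetes.io/metadata.name": "ingress-nginx"}}
PODS = [{"name": "web-1", "namespace": "shop", "labels": {"app": "web"}}]
CONTROLLER = {"namespace": "ingress-nginx", "labels": {"app": "controller"}}
SERVICES = {("shop", "web"): {"selector": {"app": "web"}, "targetPort": 8080}}
INGRESS = {"namespace": "shop", "backends": ["web"]}
POLICIES = [{"name": "web-same-ns-only", "namespace": "shop", "spec": {
    "podSelector": {"matchLabels": {"app": "web"}},
    "ingress": [{"from": [{"podSelector": {}}], "ports": [{"port": 8080}]}]}}]
```

Calling `trace(INGRESS, SERVICES, PODS, POLICIES, CONTROLLER, NS_LABELS)` reports `web-1` as blocked by `web-same-ns-only`, because the policy's bare `podSelector` peer admits only Pods in the `shop` namespace while the controller runs in `ingress-nginx`.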