https://ethanzyf.com/tags/cni/Recent content in Cni on Ethan-ZYFHugoen-usTue, 19 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day2-networkpolicy-secrets/Tue, 19 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day2-networkpolicy-secrets/<p>Hands-on with the network and secret-data layers of Kubernetes security: why the default flat network is a lateral-movement risk, the deeply counterintuitive &ldquo;selective activation&rdquo; model of NetworkPolicy (one allow rule silently flips a pod to default-deny), why Ingress and Egress are independent dimensions (and why locking egress breaks DNS), the YAML trap where a single <code>-</code> flips AND into OR, why NetworkPolicy needs a CNI that actually enforces it (kindnet doesn&rsquo;t — another fail-open), and the truth about Secrets: they&rsquo;re base64, not encrypted — RBAC is what protects them — plus the atomic-symlink-swap trick that powers volume-mounted secret rotation.</p>