Set up multi-network network policies

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page explains how you can enhance network security and traffic control within your cluster by configuring multi-network network policies that apply specifically to a designated Pod network. These multi-network network policies control traffic by using firewall rules at the Pod level, and they control traffic flow between Pods and Services.

To understand how multi-network network policies work, see how NetworkPolicies work with Pod networks.

Requirements

To use multi-network network policies, your environment must meet the following requirements:

  • Google Cloud CLI version 459 and later.
  • You must have a GKE cluster running one of the following versions:
    • 1.28.5-gke.1293000 or later
    • 1.29.0-gke.1484000 or later
  • Your cluster must use GKE Dataplane V2.

Limitations

FQDN network policy and CiliumClusterWide network policy are not supported: If you use an FQDN network policy and a CiliumClusterWide network policy on a Pod that's connected to multiple networks, the policies affect all the Pod's connections, including connections on networks to which the policies weren't applied.

Configure multi-network network policies

To use multi-network network policies, do the following:

  1. Create a GKE cluster with multi-network enabled.
  2. Create a node pool and a Pod network.
  3. Reference the Pod network.
  4. Create the network policy to enforce, referencing the same Pod network that the workload uses.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running the gcloud components update command. Earlier gcloud CLI versions might not support running the commands in this document.
    Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone property instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Create network policy

  1. To create a network policy that enforces rules on the same Pod network as your workload, reference the specific Pod network in the network policy definition.

  2. To define the selected ingress traffic rules and target Pods based on labels or other selectors, create a standard NetworkPolicy.

    Save the following sample manifest as sample-ingress-network-policy1.yaml:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: sample-network-policy
      namespace: default
      annotations:
        networking.gke.io/network: blue-pod-network # GKE-specific annotation for network selection
    spec:
      podSelector:
        matchLabels:
          app: test-app-2 # Selects pods with the label "app: test-app-2"
      policyTypes:
      - Ingress # Specifies the policy applies only to incoming traffic
      ingress:
      - from: # Allow incoming traffic only from...
        - podSelector:
            matchLabels:
              app: test-app-1 # ...pods with the label "app: test-app-1"

  3. Apply the sample-ingress-network-policy1.yaml manifest:

    kubectl apply -f sample-ingress-network-policy1.yaml

  4. To define the selected egress traffic rules and target Pods based on labels or other selectors, create a standard NetworkPolicy.

    Save the following sample manifest as sample-egress-network-policy2.yaml:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: sample-network-policy-2
      namespace: default
      annotations:
        networking.gke.io/network: blue-pod-network # GKE-specific annotation (optional)
    spec:
      podSelector:
        matchLabels:
          app: test-app-2
      policyTypes:
      - Egress # Only applies to outgoing traffic
      egress:
      - to:
        - podSelector:
            matchLabels:
              app: test-app-3

  5. Apply the sample-egress-network-policy2.yaml manifest:

    kubectl apply -f sample-egress-network-policy2.yaml
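As an added example (not part of this page or of GKE's own tooling), the following Python script evaluates the two manifests above offline using standard NetworkPolicy semantics plus the networking.gke.io/network scoping, so you can confirm which Pod-to-Pod connections the policies permit on blue-pod-network before applying them. It assumes all Pods are in the same namespace, that a policy without the GKE annotation applies only to the default Pod network, and that the helper names (is_allowed and friends) are hypothetical.

```python
GKE_NETWORK_ANNOTATION = "networking.gke.io/network"

# Constructed: the page's two manifests as dicts, so the check runs offline without a YAML parser.
INGRESS_POLICY = {
    "metadata": {"name": "sample-network-policy", "namespace": "default",
                 "annotations": {GKE_NETWORK_ANNOTATION: "blue-pod-network"}},
    "spec": {"podSelector": {"matchLabels": {"app": "test-app-2"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "test-app-1"}}}]}]},
}
EGRESS_POLICY = {
    "metadata": {"name": "sample-network-policy-2", "namespace": "default",
                 "annotations": {GKE_NETWORK_ANNOTATION: "blue-pod-network"}},
    "spec": {"podSelector": {"matchLabels": {"app": "test-app-2"}}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "test-app-3"}}}]}]},
}
POLICIES = [INGRESS_POLICY, EGRESS_POLICY]

def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present; {} matches every Pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policies_isolating(labels, network, direction, policies):
    """Policies that select this Pod for `direction` on `network`. Assumption: a policy
    without the GKE annotation applies to the default Pod network only."""
    chosen = []
    for pol in policies:
        spec = pol["spec"]
        net = pol["metadata"].get("annotations", {}).get(GKE_NETWORK_ANNOTATION, "default")
        # Kubernetes default: Ingress always, Egress only when egress rules are present.
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
        if net == network and direction in types and selector_matches(spec["podSelector"], labels):
            chosen.append(pol)
    return chosen

def rule_allows(rule, peer_key, peer_labels):
    """A rule with no from/to list allows every peer; otherwise some podSelector peer must match."""
    peers = rule.get(peer_key)
    if peers is None:
        return True
    return any(selector_matches(p["podSelector"], peer_labels) for p in peers if "podSelector" in p)

def is_allowed(src, dst, network, policies=POLICIES):
    """Same-namespace Pod-to-Pod check: egress on the source and ingress on the destination
    must both permit the connection; a Pod that no policy selects is not isolated there."""
    for labels, direction, key, peer in ((dst, "Ingress", "from", src), (src, "Egress", "to", dst)):
        chosen = policies_isolating(labels, network, direction, policies)
        rules = [r for p in chosen for r in p["spec"].get(direction.lower(), [])]
        if chosen and not any(rule_allows(r, key, peer) for r in rules):
            return False
    return True
```

Running is_allowed with the three app labels shows that only test-app-1 can reach test-app-2 and test-app-2 can only reach test-app-3 on blue-pod-network, while the same pairs on the default network are unaffected by these policies.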

Troubleshoot multi-network network policies

If you experience issues with network policies, whether they are applied to specific Pod networks or not, you can diagnose and troubleshoot the problem by running the following commands:

  1. kubectl get networkpolicy: lists all network policy objects and information about them.
  2. iptables-save: retrieves and lists all iptables chains and rules on a particular node. You must run this command on the node as root.
  3. cilium bpf policy get <endpoint-id>: retrieves and lists allowed IP addresses from each endpoint's policy map.
  4. cilium policy selectors: prints out the identities and the associated policies that have selected them.
  5. cilium identity list: shows mappings from identity to IP address.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.