A lot of clusters still run “allow-all” east/west because NetworkPolicies aren’t enforced everywhere. I built a small static analyzer that reads rendered manifests (Helm/Argo CD/Kustomize output) and emits baseline NetworkPolicy YAML you can commit + diff in PRs.
Workflow:
1. PR changes manifests
2. CI regenerates policies
3. reviewers see “newly allowed” connections as a normal permission diff
Curious how others handle this: would you rather review generated policy diffs, or a connectivity-graph diff? Any edge cases you’ve seen bite in real clusters (headless services, shared namespaces, DNS/egress, service meshes, etc.)?
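A minimal version of the generator and the “newly allowed” diff described above, as an added example (not the OP's tool). It assumes one baseline rule per Service: backend pods accept only the Service's targetPorts, and only from pods in the same namespace; the manifests are constructed inline and the policies are emitted as JSON, which kubectl accepts as-is.

```python
import json

def target_ports(service):
    """(protocol, targetPort) pairs the Service forwards to its backends."""
    return [{"protocol": p.get("protocol", "TCP"), "port": p.get("targetPort", p["port"])}
            for p in service["spec"].get("ports", [])]

def policy_for_service(service):
    """Baseline policy: backend pods accept only the Service's targetPorts, and only
    from pods in the same namespace; listing Ingress in policyTypes denies the rest."""
    name, ns = service["metadata"]["name"], service["metadata"].get("namespace", "default")
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"{name}-baseline", "namespace": ns},
            "spec": {"podSelector": {"matchLabels": service["spec"]["selector"]},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"podSelector": {}}],  # same-namespace pods only
                                  "ports": target_ports(service)}]}}

def generate_policies(docs):
    """One policy per Service with a selector; Deployments etc. are skipped. Headless
    Services (clusterIP: None) are included: clients get pod IPs from DNS, but the
    policy matches on pod labels, so it still applies to them."""
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}": p
            for p in (policy_for_service(d) for d in docs
                      if d.get("kind") == "Service" and d["spec"].get("selector"))}

def allowed_edges(policies):
    """Flatten policies into hashable (namespace, selector, protocol, port) edges."""
    return {(p["metadata"]["namespace"],
             tuple(sorted(p["spec"]["podSelector"]["matchLabels"].items())),
             port["protocol"], str(port["port"]))
            for p in policies.values() for rule in p["spec"]["ingress"] for port in rule["ports"]}

def newly_allowed(old_docs, new_docs):
    """The permission diff for reviewers: edges allowed after the PR but not before."""
    return sorted(allowed_edges(generate_policies(new_docs)) - allowed_edges(generate_policies(old_docs)))

# Constructed stand-ins for rendered manifests (not real cluster output).
def service(name, selector, ports, headless=False):
    spec = {"selector": selector, "ports": ports}
    if headless:
        spec["clusterIP"] = "None"
    return {"kind": "Service", "metadata": {"name": name, "namespace": "shop"}, "spec": spec}

BEFORE = [{"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"}, "spec": {}},
          service("api", {"app": "api"}, [{"port": 80, "targetPort": 8080}]),
          service("db", {"app": "db"}, [{"port": 5432}], headless=True)]
# The "PR": the db chart adds a metrics port, which the diff must surface.
AFTER = BEFORE[:2] + [service("db", {"app": "db"}, [{"port": 5432}, {"port": 9187}], headless=True)]

if __name__ == "__main__":
    print(json.dumps(list(generate_policies(AFTER).values()), indent=2))  # JSON is valid kubectl input
    print("newly allowed:", newly_allowed(BEFORE, AFTER))
```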