They can certainly coexist, but you’d have to be mindful of managing things in two places. Best practice would be to go with your latter suggestion of letting NeuVector manage rules. It’s more comprehensive and less effort.
02/24/2023, 2:45 PM
Got it, thanks for the prompt response. In fact, the clusters we run are currently heavily equipped with K8s netpols, so I hope planning a smoother migration from K8s netpols to NeuVector network rules would be a viable option with what you suggested.
02/24/2023, 2:46 PM
If you always keep the mindset of following the lifecycle of any application workloads that you are running, everything becomes pretty easy. What you want to do is have NeuVector establish a fingerprint of the appropriate behavior of your applications, and then either alert on or deny anything that is not explicitly defined as permissible in the aforementioned fingerprint. 🙂