Also, one good thing about K8s network policies is that we can apply a default deny all policy for any unknown workload inside a namespace which would effectively block malicious workloads from badly exploiting the network. I wonder how this same functionality can be achieved using NeuVector network rules as they are effectively defined per workload groups.