Workflow:
1. PR changes manifests
2. CI regenerates policies
3. Reviewers see “newly allowed” connections as a normal permission diff
Curious how others handle this: would you rather review generated policy diffs, or a connectivity-graph diff? Any edge cases you’ve seen bite in real clusters (headless services, shared namespaces, DNS/egress, service meshes, etc.)?
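The connectivity-graph diff asked about above, as an added example that is not part of the original post or any tool's own code: it resolves NetworkPolicy ingress rules against a set of pods before and after a change and reports newly allowed edges. It assumes a single namespace, `matchLabels` selectors and ingress rules only; all pod and policy names are constructed.

```python
# Added example. Simplified model (assumptions): one namespace, matchLabels
# selectors only, ingress only. Pod and policy names are constructed.

def matches(selector, labels):
    """An empty selector matches every pod, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def allowed_edges(pods, policies):
    """Return {(src, dst, port)}; port "*" means any port."""
    edges = set()
    for dst, dst_labels in pods.items():
        selecting = [p for p in policies if matches(p["podSelector"], dst_labels)]
        sources = [s for s in pods if s != dst]
        if not selecting:  # unselected pods accept all ingress by default
            edges |= {(s, dst, "*") for s in sources}
            continue
        for rule in (r for p in selecting for r in p.get("ingress", [])):
            ports = [p["port"] for p in rule.get("ports", [])] or ["*"]
            peers = rule.get("from")  # missing or empty "from" means any source
            for s in sources:
                if not peers or any("podSelector" in peer and
                                    matches(peer["podSelector"], pods[s]) for peer in peers):
                    edges |= {(s, dst, port) for port in ports}
    return edges

def covered(edge, edges):
    """An edge is covered by itself or by an any-port edge for the same pair."""
    return edge in edges or (edge[0], edge[1], "*") in edges

def graph_diff(pods, before, after):
    """Return (newly_allowed, no_longer_allowed) as sorted lists of edges."""
    old, new = allowed_edges(pods, before), allowed_edges(pods, after)
    key = lambda e: tuple(map(str, e))
    return (sorted((e for e in new if not covered(e, old)), key=key),
            sorted((e for e in old if not covered(e, new)), key=key))

def policy(selector, *rules):
    return {"podSelector": {"matchLabels": selector}, "ingress": list(rules)}

def allow(src_labels, port):
    return {"from": [{"podSelector": {"matchLabels": src_labels}}], "ports": [{"port": port}]}

PODS = {n: {"app": n} for n in ("web", "api", "db", "batch")}
BEFORE = [policy({}), policy({"app": "api"}, allow({"app": "web"}, 8080)),
          policy({"app": "db"}, allow({"app": "api"}, 5432))]  # policy({}) = default deny
AFTER = BEFORE[:2] + [policy({"app": "db"}, allow({"app": "api"}, 5432),
                             allow({"app": "batch"}, 5432))]

if __name__ == "__main__":
    added, removed = graph_diff(PODS, BEFORE, AFTER)
    for e in added: print("+ newly allowed:", e)
    for e in removed: print("- no longer allowed:", e)
```

A pod that gains its first policy shows up as lost any-port edges rather than new ones, which is why port wildcards are compared by coverage instead of plain set difference.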