The typical failure you see in the field starts small and then cascades: a namespace gets a permissive NetworkPolicy or none at all, a CNI silently ignores an intended rule, a mesh PeerAuthentication/DestinationRule mismatch produces plaintext traffic or 503s, and observability shows only the symptom (timeouts, 5xxs) without the root cause. Those concrete symptoms, open east-west traffic, certificates not rotated or not accepted, route rules silently overridden, are the sharp signals you should test for, not vague “security posture” metrics. Kubernetes NetworkPolicies are allow-list constructs (a pod that no policy selects accepts all traffic), and a policy only takes effect when the CNI in use actually implements it.…
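As an added example (not code from the original article), the following script turns the two signals above into a static audit: it reports namespaces with no default-deny NetworkPolicy, and it pairs each Istio DestinationRule's client-side TLS mode with the effective server-side PeerAuthentication for the host's namespace to flag the STRICT-versus-DISABLE combinations that produce 503s and the PERMISSIVE-versus-DISABLE combination that silently leaves traffic in plaintext. Input is the JSON shape that `kubectl get <kind> -A -o json` returns; every resource below is constructed for the demonstration, `istio-system` as the control-plane namespace is an assumption, and workload-selector PeerAuthentications are deliberately ignored to keep the example short.

```python
"""Static audit: NetworkPolicy default-deny coverage and Istio mTLS mismatches.

Added example, not code from the original article. Resources use the shape of
`kubectl get <kind> -A -o json` items; all sample resources are constructed.
"""
import json
from typing import List, Optional

MESH_NAMESPACE = "istio-system"  # assumption: Istio control plane lives here


def is_default_deny(policy: dict) -> bool:
    """Default-deny for ingress: selects every pod (empty podSelector), covers
    Ingress (explicitly or by Kubernetes' default), and lists no ingress rules.
    NetworkPolicies are allow-lists, so "no rules" means "allow nothing"."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    return not spec.get("ingress")


def namespaces_without_default_deny(namespaces: List[str], policies: List[dict]) -> List[str]:
    """Namespaces where every pod accepts traffic from anywhere in the cluster
    (assuming the CNI enforces NetworkPolicy at all; a static audit cannot tell)."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny(p)}
    return sorted(ns for ns in namespaces if ns not in covered)


def effective_peer_auth_mode(namespace: str, peer_auths: List[dict]) -> str:
    """Server-side mTLS mode: namespace-wide policy, else mesh-wide policy in
    MESH_NAMESPACE, else Istio's default PERMISSIVE. Selector-scoped policies
    are ignored (simplification for this example)."""
    by_ns = {}
    for pa in peer_auths:
        if pa["spec"].get("selector"):
            continue
        mode = pa["spec"].get("mtls", {}).get("mode")
        if mode and mode != "UNSET":
            by_ns[pa["metadata"]["namespace"]] = mode
    return by_ns.get(namespace, by_ns.get(MESH_NAMESPACE, "PERMISSIVE"))


def host_namespace(rule: dict) -> Optional[str]:
    """Namespace of an in-mesh host ("svc", "svc.ns", "svc.ns.svc.cluster.local");
    None for hosts outside the cluster, which this audit does not judge."""
    host = rule["spec"]["host"]
    parts = host.split(".")
    if len(parts) == 1:
        return rule["metadata"]["namespace"]
    if len(parts) == 2 or host.endswith(".svc.cluster.local"):
        return parts[1]
    return None


def mtls_mismatches(peer_auths: List[dict], dest_rules: List[dict]) -> List[dict]:
    """Flag DestinationRules whose client TLS mode conflicts with the server's
    PeerAuthentication (breakage) or downgrades traffic to plaintext (silent)."""
    findings = []
    for rule in dest_rules:
        ns = host_namespace(rule)
        client = rule["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
        if ns is None or client is None:  # external host, or auto-mTLS decides
            continue
        server = effective_peer_auth_mode(ns, peer_auths)
        if server == "STRICT" and client == "DISABLE":
            effect = "client sends plaintext to a STRICT server: requests fail with 503"
        elif server == "DISABLE" and client == "ISTIO_MUTUAL":
            effect = "client offers mTLS to a server expecting plaintext: connections fail"
        elif server == "PERMISSIVE" and client == "DISABLE":
            effect = "plaintext accepted silently: east-west traffic is unencrypted"
        else:
            continue
        name = f'{rule["metadata"]["namespace"]}/{rule["metadata"]["name"]}'
        findings.append({"rule": name, "server": server, "client": client, "effect": effect})
    return findings


def _res(kind, ns, name, spec):  # constructed sample resource
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec}


def _dr(ns, name, host, mode):
    return _res("DestinationRule", ns, name, {"host": host, "trafficPolicy": {"tls": {"mode": mode}}})


SAMPLE_NAMESPACES = ["frontend", "istio-system", "payments"]
SAMPLE_POLICIES = [
    _res("NetworkPolicy", "payments", "default-deny", {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    _res("NetworkPolicy", "frontend", "allow-all", {"podSelector": {}, "ingress": [{}]}),  # admits everything
]
SAMPLE_PEER_AUTHS = [
    _res("PeerAuthentication", "istio-system", "default", {"mtls": {"mode": "STRICT"}}),   # mesh-wide
    _res("PeerAuthentication", "frontend", "default", {"mtls": {"mode": "PERMISSIVE"}}),   # namespace-wide
]
SAMPLE_DEST_RULES = [
    _dr("payments", "payments-api", "payments-api.payments.svc.cluster.local", "DISABLE"),
    _dr("payments", "ledger", "ledger.payments.svc.cluster.local", "ISTIO_MUTUAL"),
    _dr("frontend", "web", "web", "DISABLE"),
    _dr("frontend", "external-api", "api.example.com", "SIMPLE"),
]


def audit(namespaces, policies, peer_auths, dest_rules) -> dict:
    return {
        "namespaces_without_default_deny": namespaces_without_default_deny(namespaces, policies),
        "mtls_mismatches": mtls_mismatches(peer_auths, dest_rules),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NAMESPACES, SAMPLE_POLICIES, SAMPLE_PEER_AUTHS, SAMPLE_DEST_RULES), indent=2))
```

On the constructed input the audit reports `frontend` and `istio-system` as lacking a default-deny (the `allow-all` policy selects every pod but admits everything, so it does not count), flags `payments/payments-api` as a STRICT/DISABLE conflict that will surface as 503s, and flags `frontend/web` as a silent plaintext path. The CNI question cannot be answered from manifests: the only authoritative check that a policy is enforced is a connectivity probe from a pod that the policy should block, so run this audit alongside such a probe rather than instead of it.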