Describing the design and function of Weave Network Policy Controller, which uses iptables and ipsets to govern which Linux containers can talk to which other containers, under control of Kubernetes. The code is all written in Go, and available on GitHub under the Apache Licence.
Kubernetes NetworkPolicy is an abstract specification to define which connections are to be allowed within a Kubernetes cluster. Weave Network Policy Controller (weave-npc) is an implementation of this specification in Go, under the Apache Licence. This talk will describe the design of weave-npc; how it was built from existing components in Linux, Kubernetes and the wider Go ecosystem, how it integrates with the Linux network stack, and how it can be used to tighten security on a typical Cloud application.