How to design scalable Kubernetes network policies for namespaces and services?

[SavannahIR]

I'm leading a migration of our legacy monolithic application to a microservices architecture on Kubernetes, and while the basic deployments are running, I'm struggling with designing an efficient and maintainable network policy model to enforce security between our dozens of namespaces and services. The default allow-all traffic within the cluster feels like a major risk. For DevOps engineers who have implemented production-grade Kubernetes security, what strategies or tools do you recommend for defining and managing these network policies at scale, and how do you balance security granularity with operational complexity and the need for developers to still debug service communication?