
Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Cloud extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Learn policy best practices for security, scalability, and performance.

Enable a default deny policy for Kubernetes pods

Create a default-deny network policy so that pods with no matching policy are not allowed any traffic until an appropriate network policy is defined.
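As an added example (not one of the manifests from the Calico Cloud docs), the following pair of GlobalNetworkPolicy resources implements a cluster-wide default deny in the `default` tier together with the one egress allowance almost every workload needs, DNS. The exempted system namespaces and the `k8s-app == "kube-dns"` label are assumptions that match a standard cluster layout; adjust them to yours. Both policies use the same selector on purpose: in a tier, an endpoint that is selected by some policy but matches none of its rules is denied at the end of the tier, so an `all()` selector on the DNS policy would silently deny all non-DNS egress from the system namespaces as well.

```yaml
# Added example, not from the Calico Cloud docs. Namespace names and the
# kube-dns label are assumptions; check them against your cluster.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  # Policies in the default tier may carry the "default." prefix; it is optional there.
  name: default.allow-dns-egress
spec:
  tier: default
  order: 100                       # lower order = evaluated first, so this runs before default-deny
  selector: 'projectcalico.org/namespace not in {"kube-system", "calico-system", "tigera-system"}'
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
  - action: Allow                  # large responses and DNS-over-TCP fallbacks
    protocol: TCP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.default-deny
spec:
  tier: default
  order: 10000                     # last in the tier; anything not allowed above ends here
  # Exempt the system namespaces so the control plane, the CNI and Calico itself keep working.
  selector: 'projectcalico.org/namespace not in {"kube-system", "calico-system", "tigera-system"}'
  types:
  - Ingress
  - Egress
  # No rules: every selected endpoint that reaches this policy is denied in both directions.
```

Apply with `kubectl apply -f`, but only after the per-application allow policies exist: the deny takes effect immediately for every pod outside the exempted namespaces. A quick check after applying is to exec into a pod in an ordinary namespace and confirm that `nslookup kubernetes.default` still resolves while a plain `curl` to another pod IP times out.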

Get started with Calico network policy

Create your first Calico network policies. Sample policies show the features that extend native Kubernetes network policy.

Get started with network sets

Learn the power of network sets and why you should create them.

DNS policy

Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses.
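The network set and DNS policy topics above fit together: a GlobalNetworkSet can carry both literal CIDRs and allowed egress domains, and a policy rule can then select that set by label or name domains directly. The manifest below is an added example, not taken from the Calico Cloud docs; the CIDRs (from the TEST-NET ranges), domain names, and the `egress-policy == "restricted"` label are constructed for illustration. Calico learns domain-to-IP mappings by watching DNS responses from the trusted cluster resolver (Felix's `dnsTrustedServers` setting, which defaults to kube-dns), so the policy must also allow the DNS traffic itself or the domain rules never match anything.

```yaml
# Added example, not from the Calico Cloud docs. Addresses, domains and labels are constructed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: approved-egress-destinations
  labels:
    egress-class: approved         # policies refer to the set by this label
spec:
  nets:
  - 203.0.113.0/24                 # constructed: a partner's API range
  allowedEgressDomains:
  - api.example.com
  - "*.pkg.example.net"            # wildcard form; see the DNS policy page for the exact matching rules
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.egress-to-approved-only
spec:
  tier: default
  order: 200
  selector: egress-policy == "restricted"
  types:
  - Egress
  egress:
  # 1. Name resolution must be allowed, and must go through the trusted cluster DNS,
  #    otherwise Calico never sees the answers it needs to populate the domain rules.
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
  # 2. HTTPS to anything in the network set: the literal CIDR and the resolved domains.
  - action: Allow
    protocol: TCP
    destination:
      selector: egress-class == "approved"
      ports: [443]
  # 3. Domains can also be named inline in a rule instead of through a network set.
  - action: Allow
    protocol: TCP
    destination:
      domains:
      - "downloads.example.org"
      ports: [443]
  # Anything else from a "restricted" pod falls through to the end of the tier and is denied.
```

Note that `domains` and `allowedEgressDomains` are only meaningful in egress rules and only for destinations outside the cluster; a domain that resolves to a pod IP is not matched. Pods that resolve names through a resolver Calico does not trust (a hard-coded public resolver, DNS over HTTPS) get no benefit from the domain rules and are effectively cut off, which is usually the desired outcome.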

Policy rules

Basic rules

Define network connectivity for Calico endpoints using policy rules and label selectors.

Use namespace rules in policy

Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.

Use service rules in policy

Use Kubernetes Service names in policy rules.

Use service accounts rules in policy

Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC-controlled high-priority rules across teams.

Use external IPs or networks rules in policy

Limit egress and ingress traffic by IP address, either specified directly in a Calico network policy or managed as Calico network sets.

Use ICMP/ping rules in policy

Control where ICMP/ping is permitted by creating a Calico network policy that allows or denies ICMP/ping messages for workloads and host endpoints.

Policy tiers

Policy tiers tutorial

Learn about policies, tiers, and policy evaluation.

Change allow-tigera tier behavior

Understand how to change the behavior of the allow-tigera tier.

Network policy tutorial

Covers the basics of Calico Cloud network policy.

Configure RBAC for tiered policies

Configure RBAC to control access to policies and tiers.
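The service account rules, policy tiers, and tiered RBAC topics above are usually combined in practice: a security team owns a high-priority tier whose policies key on service account identity, and Kubernetes RBAC keeps application teams from editing that tier. The manifests below are an added example, not from the Calico Cloud docs. The tier order, the `shop`/`payments`/`checkout` names and the `app == "payments"` label are assumptions; `allow-tigera` is the tier Calico Cloud ships with, and the new tier is placed after it.

```yaml
# Added example, not from the Calico Cloud docs. Names, labels and the tier order are assumptions.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 300                       # assumption: after allow-tigera, before the default tier
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.payments-ingress  # policies outside the default tier must carry the "<tier>." prefix
spec:
  tier: security
  order: 10
  selector: app == "payments"
  types:
  - Ingress
  ingress:
  # Match on the caller's Kubernetes service account rather than on a pod label:
  # a label can be patched by anyone with write access to the pod, whereas the
  # service account is part of the pod's identity and is set by the pod spec.
  - action: Allow
    protocol: TCP
    source:
      serviceAccounts:
        names: ["checkout"]
      namespaceSelector: projectcalico.org/name == "shop"
    destination:
      ports: [8443]
  # Hand all other ingress to the next tier instead of ending here. Without this
  # Pass, the end-of-tier implicit deny would block every other caller, which is
  # the right choice for a hard guardrail but leaves the app team nothing to decide.
  - action: Pass
---
# RBAC: the app team may manage policies inside the "security" tier but cannot
# change the tier itself (ordering) or touch policies in other tiers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-tier-policy-editor
rules:
- apiGroups: ["projectcalico.org"]
  resources: ["tiers"]
  resourceNames: ["security"]
  verbs: ["get"]                   # read-only on the Tier object itself
- apiGroups: ["projectcalico.org"]
  resources: ["tier.globalnetworkpolicies", "tier.networkpolicies"]
  resourceNames: ["security.*"]    # only policies whose name carries the tier prefix
  verbs: ["*"]
```

Bind the ClusterRole to the team with a ClusterRoleBinding (or a RoleBinding for namespaced NetworkPolicy). The `tier.globalnetworkpolicies` and `tier.networkpolicies` pseudo-resources are what make per-tier RBAC possible; granting plain `globalnetworkpolicies` would allow edits in every tier, including `allow-tigera`.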

Policy for services

Apply Calico Cloud policy to Kubernetes node ports

Restrict access to Kubernetes node ports using Calico Cloud global network policy. Follow the steps to secure the host, the node ports, and the cluster.

Apply Calico Cloud policy to services exposed externally as cluster IPs

Expose Kubernetes service cluster IPs over BGP using Calico Cloud, and restrict who can access them using Calico Cloud network policy.
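Both service topics above rely on the same mechanism: a policy on the node's host endpoint with `preDNAT: true`, which is evaluated against the packet as it arrives on the node, before kube-proxy rewrites the node port or cluster IP to a pod address. The manifests below are an added example, not from the Calico Cloud docs; the node name, interface, node and pod ranges, the corporate client range (from TEST-NET-2) and the service CIDR are constructed. Pre-DNAT policies may contain ingress rules only, require `applyOnForward: true`, and have no implicit deny, so the final explicit Deny is what actually closes the node.

```yaml
# Added example, not from the Calico Cloud docs. All names and addresses are constructed.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: worker-1.eth0
  labels:
    node-role: worker              # the policies below select host endpoints by this label
spec:
  node: worker-1
  interfaceName: eth0
  expectedIPs: ["10.0.0.11"]
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.allow-cluster-internal-ingress
spec:
  tier: default
  order: 10
  selector: node-role == "worker"
  preDNAT: true                    # match the original destination, before kube-proxy's DNAT
  applyOnForward: true             # mandatory for preDNAT; the host forwards the packet to a pod
  ingress:
  - action: Allow
    source:
      nets: ["10.0.0.0/16", "192.168.0.0/16"]   # node and pod ranges: keep the cluster talking to itself
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.allow-services-from-corp
spec:
  tier: default
  order: 20
  selector: node-role == "worker"
  preDNAT: true
  applyOnForward: true
  ingress:
  # Node ports: only the corporate range may reach the NodePort range.
  - action: Allow
    protocol: TCP
    source:
      nets: ["198.51.100.0/24"]
    destination:
      ports: ["30000:32767"]
  # Cluster IPs advertised over BGP: same clients, but matched on the service CIDR.
  - action: Allow
    protocol: TCP
    source:
      nets: ["198.51.100.0/24"]
    destination:
      nets: ["10.96.0.0/12"]
      ports: [443]
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.drop-other-ingress
spec:
  tier: default
  order: 30
  selector: node-role == "worker"
  preDNAT: true
  applyOnForward: true
  ingress:
  - action: Deny                   # everything not allowed above, node ports and cluster IPs included
```

Felix's failsafe inbound ports (SSH, BGP, etcd and the Kubernetes API server by default, see `failsafeInboundHostPorts` in FelixConfiguration) are still accepted ahead of this Deny, which is what keeps you from locking yourself out of the node. If you narrow the failsafe list, test from a console session first.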

Policy for extreme traffic

Enable extreme high-connection workloads

Create a Calico network policy rule to bypass Linux conntrack for traffic to workloads that handle an extremely large number of connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Cloud policy to quickly drop connections when under attack. Learn how rules use eBPF and XDP, including hardware offload when available.
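The two topics above use the same policy setting, `doNotTrack: true`, for opposite purposes: dropping attack traffic before it costs a conntrack entry, and letting a very busy service skip conntrack altogether. The manifests below are an added example, not from the Calico Cloud docs. The attacker ranges (from the TEST-NET ranges), the `apply-dos-mitigation` host endpoint label (assumed to be set on the HostEndpoint resources you want to protect) and the memcached labels and namespace are constructed.

```yaml
# Added example, not from the Calico Cloud docs. Addresses, labels and namespace are constructed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: dos-deny-list
  labels:
    dos-deny-list: "true"
spec:
  nets:                            # constructed attacker sources; update the set, not the policy, during an incident
  - 203.0.113.0/24
  - 198.51.100.77/32
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.dos-mitigation
spec:
  tier: default
  order: 1
  selector: apply-dos-mitigation == "true"   # assumption: this label is on the protected HostEndpoints
  doNotTrack: true                 # untracked: evaluated before conntrack and before any tracked policy
  applyOnForward: true
  types:
  - Ingress
  ingress:
  # A Deny keyed only on a set of source addresses is the shape Calico can push
  # down to XDP (and to the NIC where offload is supported), so the packets are
  # dropped before the kernel allocates anything for them.
  - action: Deny
    source:
      selector: dos-deny-list == "true"
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default.memcached-untracked
  namespace: cache
spec:
  tier: default
  order: 1
  selector: app == "memcached"
  doNotTrack: true                 # no conntrack entry per client connection
  applyOnForward: true
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "memcached-client"
    destination:
      ports: [11211]
  egress:
  # With conntrack bypassed, reply packets are not recognised as part of an
  # established flow, so the return direction must be allowed explicitly.
  - action: Allow
    protocol: TCP
    source:
      ports: [11211]
    destination:
      selector: app == "memcached-client"
```

Two consequences of untracked policy are easy to miss. Without conntrack there is no NAT either, so clients must reach the memcached pods by pod IP (for example through a headless Service) rather than via a ClusterIP. And because untracked policies run before every tracked tier, a mistake in them cannot be corrected by a later policy; keep them minimal and confirm that XDP is enabled in FelixConfiguration (`xdpEnabled`) if you expect the DoS rule to take the fast path.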