Skip to main content

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Cloud extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Learn policy best practices for security, scalability, and performance.

Enable a default deny policy for Kubernetes pods

Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.

Get started with Calico network policy

Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.

Get started with network sets

Learn the power of network sets and why you should create them.

DNS policy

Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses.

Policy rules

Basic rules

Define network connectivity for Calico endpoints using policy rules and label selectors.

Use namespace rules in policy

Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.

Use service rules in policy

Use Kubernetes Service names in policy rules.

Use service accounts rules in policy

Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams.

Use external IPs or networks rules in policy

Limit egress and ingress traffic using IP address either directly within Calico network policy or managed as Calico network sets.

Use ICMP/ping rules in policy

Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.

Policy tiers

Policy tiers tutorial

Learn about policies, tiers, and policy evaluation.

Change allow-tigera tier behavior

Understand how to change the behavior of the allow-tigera tier.

Network policy tutorial

Covers the basics of Calico Cloud network policy.

Configure RBAC for tiered policies

Configure RBAC to control access to policies and tiers.

Policy for services

Apply Calico Cloud policy to Kubernetes node ports

Restrict access to Kubernetes node ports using Calico Cloud global network policy. Follow the steps to secure the host, the node ports, and the cluster.

Apply Calico Cloud policy to services exposed externally as cluster IPs

Expose Kubernetes service cluster IPs over BGP using Calico Cloud, and restrict who can access them using Calico Cloud network policy.

Policy for extreme traffic

Enable extreme high-connection workloads

Create a Calico network policy rule to bypass Linux conntrack for traffic to workloads that experience extremely large number of connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Cloud policy to quickly drop connections when under attack. Learn how rules use eBPF and XDP, including hardware offload when available.