Staged Kubernetes Network policy

A staged Kubernetes network policy resource (StagedKubernetesNetworkPolicy) represents a staged version of a Kubernetes network policy. It is used to preview network behavior before actually enforcing the network policy. Once persisted, this will create a Kubernetes network policy backed by a Calico Cloud network policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: stagedkubernetesnetworkpolicy.projectcalico.org, stagedkubernetesnetworkpolicies.projectcalico.org and abbreviations such as stagedkubernetesnetworkpolicy.p and stagedkubernetesnetworkpolicies.p.

Sample YAML

Below is a sample policy created from the example policy from the Kubernetes NetworkPolicy documentation. The only difference between this policy and the example Kubernetes version is that the apiVersion and kind are changed to properly specify a staged Kubernetes network policy.

apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
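
The conversion described above, as an added example that is not part of the Calico Cloud documentation: a standard-library Python helper (the name stage_manifest is hypothetical) that rewrites only the top-level apiVersion and kind of networking.k8s.io/v1 NetworkPolicy documents in a multi-document manifest, so that existing policies can be staged for preview before enforcement. The sample manifest is constructed, and lines carrying trailing comments are deliberately left unconverted.

```python
import re

K8S_API = "networking.k8s.io/v1"       # upstream Kubernetes NetworkPolicy API version
STAGED_API = "projectcalico.org/v3"    # from the sample policy on this page
STAGED_KIND = "StagedKubernetesNetworkPolicy"
# Column-0 keys only, so a nested "kind:" deeper in a manifest is never touched.
_TOP_KEY = re.compile(r"^(apiVersion|kind):\s*(\S+)\s*$")

def stage_manifest(text):
    """Hypothetical helper: return (converted_yaml, number_of_policies_staged)."""
    docs, current = [], []
    for line in text.splitlines():
        if line.rstrip() == "---":      # YAML document separator
            docs.append(current)
            current = []
        else:
            current.append(line)
    docs.append(current)
    staged = 0
    for doc in docs:
        top = {m.group(1): m.group(2).strip("\"'")
               for m in map(_TOP_KEY.match, doc) if m}
        # Anything that is not a plain Kubernetes NetworkPolicy passes through unchanged.
        if top.get("apiVersion") != K8S_API or top.get("kind") != "NetworkPolicy":
            continue
        staged += 1
        for i, line in enumerate(doc):
            m = _TOP_KEY.match(line)
            if m:
                new = STAGED_API if m.group(1) == "apiVersion" else STAGED_KIND
                doc[i] = f"{m.group(1)}: {new}"
    return "\n---\n".join("\n".join(d) for d in docs) + "\n", staged

# Constructed sample input: one Namespace plus one Kubernetes NetworkPolicy.
SAMPLE = """\
apiVersion: v1
kind: Namespace
metadata: {name: default}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: test-network-policy, namespace: default}
spec:
  podSelector: {matchLabels: {role: db}}
  policyTypes: [Ingress]
"""

if __name__ == "__main__":
    print(stage_manifest(SAMPLE)[0], end="")
```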

Definition

See the Kubernetes NetworkPolicy documentation for more information.