Version: 3.19 (latest)

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Enterprise extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Learn policy best practices for security, scalability, and performance.

Enable a default deny policy for Kubernetes pods

Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.

Get started with Calico network policy

Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.

Get started with network sets

Learn the power of network sets and why you should create them.

DNS policy

Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses.

Enable policy recommendations

Enable continuous policy recommendations to secure unprotected namespaces or workloads.

Policy rules

Basic rules

Define network connectivity for Calico endpoints using policy rules and label selectors.

Use namespace rules in policy

Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.

Use service rules in policy

Use Kubernetes Service names in policy rules.

Use service accounts rules in policy

Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams.

Use external IPs or networks rules in policy

Limit egress and ingress traffic by IP address, either directly within Calico network policy or managed as Calico network sets.

Use ICMP/ping rules in policy

Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.

Policy for hosts

Protect hosts

Create Calico Enterprise network policies to restrict traffic to/from hosts.

Protect Kubernetes nodes

Protect Kubernetes nodes with host endpoints managed by Calico Enterprise.

Protect hosts tutorial

Learn how to secure incoming traffic from outside the cluster using Calico host endpoints with network policy, including allowing controlled access to specific Kubernetes services.

Apply policy to forwarded traffic

Apply Calico Enterprise network policy to traffic being forwarded by hosts acting as routers or NAT gateways.

Policy tiers

Get started with policy tiers

Understand how tiered policy works and supports microsegmentation.

Change allow-tigera tier behavior

Understand how to change the behavior of the allow-tigera tier.

Network policy tutorial

Covers the basics of Calico Cloud network policy.

Configure RBAC for tiered policies

Configure RBAC to control access to policies and tiers.

Policy for services

Apply Calico Enterprise policy to Kubernetes node ports

Restrict access to Kubernetes node ports using Calico Enterprise global network policy. Follow the steps to secure the host, the node ports, and the cluster.

Apply Calico Enterprise policy to services exposed externally as cluster IPs

Expose Kubernetes service cluster IPs over BGP using Calico Enterprise, and restrict who can access them using Calico Enterprise network policy.

Policy for extreme traffic

Enable extreme high-connection workloads

Create a Calico network policy rule to bypass Linux conntrack for traffic to workloads that handle an extremely large number of connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Enterprise policy to quickly drop connections when under attack. Learn how rules use eBPF and XDP, including hardware offload when available.