Skip to main content
Version: 3.18 (latest)

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Enterprise extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Learn policy best practices for security, scalability, and performance.

Enable a default deny policy for Kubernetes pods

Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.

Get started with Calico network policy

Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.

Get started with network sets

Learn the power of network sets and why you should create them.

DNS policy

Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses.

Policy rules

Basic rules

Define network connectivity for Calico endpoints using policy rules and label selectors.

Use namespace rules in policy

Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.

Use service rules in policy

Use Kubernetes Service names in policy rules.

Use service accounts rules in policy

Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams.

Use external IPs or networks rules in policy

Limit egress and ingress traffic using IP address either directly within Calico network policy or managed as Calico network sets.

Use ICMP/ping rules in policy

Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.

Policy for hosts

Protect hosts

Create Calico Enterprise network policies to restrict traffic to/from hosts.

Protect Kubernetes nodes

Protect Kubernetes nodes with host endpoints managed by Calico Enterprise.

Protect hosts tutorial

Learn how to secure incoming traffic from outside the cluster using Calico host endpoints with network policy, including allowing controlled access to specific Kubernetes services.

Apply policy to forwarded traffic

Apply Calico Enterprise network policy to traffic being forward by hosts acting as routers or NAT gateways.

Policy tiers

Get started with policy tiers

Understand how tiered policy works and supports microsegmentation.

Change allow-tigera tier behavior

Understand how to change the behavior of the allow-tigera tier.

Network policy tutorial

Covers the basics of Calico Cloud network policy.

Configure RBAC for tiered policies

Configure RBAC to control access to policies and tiers.

Policy for services

Apply Calico Enterprise policy to Kubernetes node ports

Restrict access to Kubernetes node ports using Calico Enterprise global network policy. Follow the steps to secure the host, the node ports, and the cluster.

Apply Calico Enterprise policy to services exposed externally as cluster IPs

Expose Kubernetes service cluster IPs over BGP using Calico Enterprise, and restrict who can access them using Calico Enterprise network policy.

Policy for extreme traffic

Enable extreme high-connection workloads

Create a Calico network policy rule to bypass Linux conntrack for traffic to workloads that experience extremely large number of connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Enterprise policy to quickly drop connections when under attack. Learn how rules use eBPF and XDP, including hardware offload when available.