Enable and enforce application layer policies
Application layer policies let you configure access controls based on L7 attributes.
Before you begin
Unsupported
- Calico Enterprise implements application layer policy using Envoy as a DaemonSet. This means you cannot use application layer policy alongside a service mesh like Istio.
- GKE
Limitations
- Application layer policy supports restricting only ingress traffic
- Support for L7 attributes are limited to HTTP method and URL exact/prefix path
- Supported protocols are limited to TCP-based protocols (for example, HTTP, HTTPS, or gRPC)
- You can control application layer policies only at the cluster level (not per namespace)
How to
- Enable application layer policies
- Enforce application layer policies for ingress traffic
- Disable application layer policies
Enable application layer policies (ALP)
In the ApplicationLayer custom resource, set the applicationLayerPolicy field to Enabled.
apiVersion: operator.tigera.io/v1
kind: ApplicationLayer
metadata:
name: tigera-secure
spec:
applicationLayerPolicy: Enabled
Enforce application layer policies for ingress traffic
You can restrict ingress traffic using HTTP match criteria using Global network policy. For a list of all HTTP match parameters, see Global network policy.
In the following example, the trading app is allowed ingress traffic only for HTTP GET requests that match the exact path /projects/calico, or that begins with the prefix, /users.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: customer
spec:
selector: app == 'tradingapp'
ingress:
- action: Allow
http:
methods: ["GET"]
paths:
- exact: "/projects/calico"
- prefix: "/users"
egress:
- action: Allow
Disable application layer policies
To disable the policies, do one of the following steps:
- Set the
applicationLayerPolicyfield in theApplicationLayercustom resource toDisabled. - Remove the
applicationLayerPolicyfield entirely. - Delete the ApplicationLayer` custom resource.