calicoq policy
calicoq policy <policy-name> shows the endpoints that are relevant to the
named policy, comprising:
-
the endpoints that the policy applies to (for which ingress or egress traffic is policed according to the rules in that policy)
-
the endpoints that match the policy's rule selectors (that are allowed or disallowed as data sources or destinations).
(For example, if you have a database and a webserver, you might have a policy
that says policy selector: role=='db'; rule: allow from role == 'webserver'.
Then the "policy applies to" selector is role == 'db' and the "policy's rule
selector" is role == 'webserver'.)
It shows output that is equivalent to running calicoq eval <selector> for the
policy's spec.selector and for any selector or notSelector expressions in
the source or destination of the policy's rules.
Options
-r --hide-rule-matches Don't show the list of endpoints that match the
policy's rules as allowed or disallowed sources or
destinations.
-s --hide-selectors Don't show the detailed selector expressions involved
(that cause the policy to apply to or match various
endpoints).
-o <OUTPUT> --output=<OUTPUT> Set the output format. Should be one of yaml, json, or
ps. If nothing is set, defaults to ps.
Examples
In this example there are three endpoints in one namespace "namespace1". Policy "policy1" applies to all of the endpoints in the namespace, and its rules reference them as possible (allowed or denied) sources or destinations:
calicoq policy namespace1/policy1
Sample output follows.
Policy "namespace1/policy1" applies to these endpoints:
Workload endpoint host1/k8s/namespace1.ns1wep1/eth0; selector "(projectcalico.org/namespace == 'namespace1') && projectcalico.org/namespace == 'namespace1'"
Workload endpoint host1/k8s/namespace1.ns1wep2/eth0; selector "(projectcalico.org/namespace == 'namespace1') && projectcalico.org/namespace == 'namespace1'"
Workload endpoint host1/k8s/namespace1.ns1wep3/eth0; selector "(projectcalico.org/namespace == 'namespace1') && projectcalico.org/namespace == 'namespace1'"
Endpoints matching Policy "namespace1/policy1" rules:
Workload endpoint host1/k8s/namespace1.ns1wep1/eth0
outbound rule 1 destination match; selector "(projectcalico.org/namespace == 'namespace1') && (projectcalico.org/namespace == 'namespace1')"
Workload endpoint host1/k8s/namespace1.ns1wep2/eth0
outbound rule 1 destination match; selector "(projectcalico.org/namespace == 'namespace1') && (projectcalico.org/namespace == 'namespace1')"
Workload endpoint host1/k8s/namespace1.ns1wep3/eth0
outbound rule 1 destination match; selector "(projectcalico.org/namespace == 'namespace1') && (projectcalico.org/namespace == 'namespace1')"
You can simplify that output by specifying --hide-selectors:
calicoq policy namespace1/policy1 --hide-selectors
Sample output follows.
Policy "namespace1/policy1" applies to these endpoints:
Workload endpoint host1/k8s/namespace1.ns1wep1/eth0
Workload endpoint host1/k8s/namespace1.ns1wep2/eth0
Workload endpoint host1/k8s/namespace1.ns1wep3/eth0
Endpoints matching Policy "namespace1/policy1" rules:
Workload endpoint host1/k8s/namespace1.ns1wep1/eth0
outbound rule 1 destination match
Workload endpoint host1/k8s/namespace1.ns1wep2/eth0
outbound rule 1 destination match
Workload endpoint host1/k8s/namespace1.ns1wep3/eth0
outbound rule 1 destination match
If you only wanted to know the endpoints whose ingress or egress traffic is
policed according to that policy, you could simplify the output further by
adding --hide-rule-matches:
calicoq policy namespace1/policy1 --hide-rule-matches --hide-selectors
Sample output follows.
Policy "namespace1/policy1" applies to these endpoints:
Workload endpoint host1/k8s/namespace1.ns1wep1/eth0
Workload endpoint host1/k8s/namespace1.ns1wep2/eth0
Workload endpoint host1/k8s/namespace1.ns1wep3/eth0
See also
- calicoq eval for
more detail about the related
calico evalcommand. - NetworkPolicy and GlobalNetworkPolicy for more information about the Calico Enterprise selector-based policy model.