Skip to main content
Calico Enterprise 3.19 (latest) documentation

Staged Kubernetes Network policy

A staged kubernetes network policy resource (StagedKubernetesNetworkPolicy) represents a staged version of Kubernetes network policy. This is used to preview network behavior before actually enforcing the network policy. Once persisted, this will create a Kubernetes network policy backed by a Calico Enterprise network policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: stagedkubernetesnetworkpolicy.projectcalico.org, stagedkubernetesnetworkpolicies.projectcalico.org and abbreviations such as stagedkubernetesnetworkpolicy.p and stagedkubernetesnetworkpolicies.p.

Sample YAML

Below is a sample policy created from the example policy from the Kubernetes NetworkPolicy documentation. The only difference between this policy and the example Kubernetes version is that the apiVersion and kind are changed to properly specify a staged Kubernetes network policy.

apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978

Definition

See the Kubernetes NetworkPolicy documentation for more information.