Staged Kubernetes Network policy
A staged Kubernetes network policy resource (StagedKubernetesNetworkPolicy) represents a staged version of a Kubernetes network policy.

This is used to preview network behavior before actually enforcing the network policy. Once persisted, this will create a Kubernetes network policy backed by a Calico Enterprise network policy.

For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: stagedkubernetesnetworkpolicy.projectcalico.org, stagedkubernetesnetworkpolicies.projectcalico.org and abbreviations such as stagedkubernetesnetworkpolicy.p and stagedkubernetesnetworkpolicies.p.
Sample YAML
Below is a sample policy created from the example policy in the Kubernetes NetworkPolicy documentation. The only difference between this policy and the example Kubernetes version is that the apiVersion and kind are changed to properly specify a staged Kubernetes network policy.
```yaml
apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
```
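Because staging changes nothing but apiVersion and kind, the conversion can be automated so that the previewed policy is guaranteed to be byte-for-byte the spec you later enforce. The following helper is an added example, not Calico or Kubernetes code; it works on a manifest already loaded into a dict (for instance with yaml.safe_load), the sample dict is constructed from the YAML above, and the reverse "promote to enforced" step is an assumed workflow that this page does not itself describe.

```python
import copy

# Identifiers taken from the page: the Kubernetes NetworkPolicy type and the
# Calico Enterprise staged type that mirrors it.
K8S_API, K8S_KIND = "networking.k8s.io/v1", "NetworkPolicy"
STAGED_API, STAGED_KIND = "projectcalico.org/v3", "StagedKubernetesNetworkPolicy"

def _retype(policy, want_api, want_kind, new_api, new_kind):
    """Copy a manifest, rewriting only apiVersion and kind after checking its type."""
    if policy.get("apiVersion") != want_api or policy.get("kind") != want_kind:
        raise ValueError(f"expected {want_api} {want_kind}, got "
                         f"{policy.get('apiVersion')} {policy.get('kind')}")
    if "metadata" not in policy or "spec" not in policy:
        raise ValueError("manifest needs metadata and spec")
    out = copy.deepcopy(policy)  # never mutate the caller's manifest
    out["apiVersion"], out["kind"] = new_api, new_kind
    return out

def stage_policy(policy):
    """Kubernetes NetworkPolicy -> StagedKubernetesNetworkPolicy (preview only)."""
    return _retype(policy, K8S_API, K8S_KIND, STAGED_API, STAGED_KIND)

def enforce_policy(staged):
    """StagedKubernetesNetworkPolicy -> Kubernetes NetworkPolicy.
    Assumed promotion step: the page describes staging, not the reverse,
    but metadata and spec are identical by construction."""
    return _retype(staged, STAGED_API, STAGED_KIND, K8S_API, K8S_KIND)

# Constructed sample: the page's YAML expressed as a Kubernetes NetworkPolicy dict.
SAMPLE = {
    "apiVersion": K8S_API, "kind": K8S_KIND,
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [
            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
            {"podSelector": {"matchLabels": {"role": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 6379}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
                    "ports": [{"protocol": "TCP", "port": 5978}]}],
    },
}
```

Serialise the result of stage_policy to YAML and apply it to preview the behavior; once the preview matches expectations, enforce_policy yields the enforced manifest with the very same spec.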
Definition
See the Kubernetes NetworkPolicy documentation for more information.