Network policy
Writing network policies is how you restrict traffic to pods in your Kubernetes cluster.
Calico extends the standard NetworkPolicy
object to provide advanced network policy features, such as policies that apply to all namespaces.
Getting started
Adopt a zero trust network model for security
Best practices to adopt a zero trust network model to secure workloads and hosts. Learn 5 key requirements to control network access for cloud-native strategy.
Get started with Calico network policy
Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.
Calico policy tutorial
Learn how to create more advanced Calico network policies (namespace, allow and deny all ingress and egress).
Get started with Kubernetes network policy
Learn Kubernetes policy syntax, rules, and features for controlling network traffic.
Kubernetes policy, demo
An interactive demo that visually shows how applying Kubernetes policy allows and denies connections.
Kubernetes policy, basic tutorial
Learn how to use basic Kubernetes network policy to securely restrict traffic to/from pods.
Kubernetes policy, advanced tutorial
Learn how to create more advanced Kubernetes network policies (namespace, allow and deny all ingress and egress).
Enable a default deny policy for Kubernetes pods
Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.
Policy rules
Basic rules
Define network connectivity for Calico endpoints using policy rules and label selectors.
Use namespace rules in policy
Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.
Use service rules in policy
Use Kubernetes Service names in policy rules.
Use service accounts rules in policy
Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams.
Use external IPs or networks rules in policy
Limit egress and ingress traffic using IP address either directly within Calico network policy or managed as Calico network sets.
Use ICMP/ping rules in policy
Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.
Policy for hosts and VMs
Protect hosts and VMs
Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts.
Protect Kubernetes nodes
Protect Kubernetes nodes with host endpoints managed by Calico.
Protect hosts tutorial
Learn how to secure incoming traffic from outside the cluster using Calico host endpoints with network policy, including allowing controlled access to specific Kubernetes services.
Apply policy to forwarded traffic
Apply Calico network policy to traffic being forward by hosts acting as routers or NAT gateways.
Policy for services
Apply Calico policy to Kubernetes node ports
Restrict access to Kubernetes node ports using Calico global network policy. Follow the steps to secure the host, the node ports, and the cluster.
Apply Calico policy to services exposed externally as cluster IPs
Expose Kubernetes service cluster IPs over BGP using Calico, and restrict who can access them using Calico network policy.
Policy for Istio
Enforce network policy for Istio
Enforce network policy for Istio service mesh including matching on HTTP methods and paths.
Use HTTP methods and paths in policy rules
Create a Calico network policy for Istio-enabled apps to restrict ingress traffic matching HTTP methods or paths.
Enforce Calico network policy using Istio (tutorial)
Learn how Calico integrates with Istio to provide fine-grained access control using Calico network policies enforced within the service mesh and network layer.
Securing component communications
Encrypt in-cluster pod traffic
Enable WireGuard for state-of-the-art cryptographic security between pods for Calico clusters.
Configure encryption and authentication to secure Calico components
Enable TLS authentication and encryption for various Calico components.
Schedule Typha for scaling to well-known nodes
Configure the Calico Typha TCP port.
Secure Calico Prometheus endpoints
Limit access to Calico metric endpoints using network policy.
Secure BGP sessions
Configure BGP passwords to prevent attackers from injecting false routing information.