Skip to main content
Calico Open Source 3.29 (latest) documentation

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Adopt a zero trust network model for security

Best practices to adopt a zero trust network model to secure workloads and hosts. Learn 5 key requirements to control network access for cloud-native strategy.

Get started with Calico network policy

Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.

Calico policy tutorial

Learn how to create more advanced Calico network policies (namespace, allow and deny all ingress and egress).

Get started with Kubernetes network policy

Learn Kubernetes policy syntax, rules, and features for controlling network traffic.

Kubernetes policy, demo

An interactive demo that visually shows how applying Kubernetes policy allows and denies connections.

Kubernetes policy, basic tutorial

Learn how to use basic Kubernetes network policy to securely restrict traffic to/from pods.

Kubernetes policy, advanced tutorial

Learn how to create more advanced Kubernetes network policies (namespace, allow and deny all ingress and egress).

Enable a default deny policy for Kubernetes pods

Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.

Policy rules

Basic rules

Define network connectivity for Calico endpoints using policy rules and label selectors.

Use namespace rules in policy

Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.

Use service rules in policy

Use Kubernetes Service names in policy rules.

Use service accounts rules in policy

Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams.

Use external IPs or networks rules in policy

Limit egress and ingress traffic using IP address either directly within Calico network policy or managed as Calico network sets.

Use ICMP/ping rules in policy

Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.

Policy for hosts and VMs

Protect hosts and VMs

Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts.

Protect Kubernetes nodes

Protect Kubernetes nodes with host endpoints managed by Calico.

Protect hosts tutorial

Learn how to secure incoming traffic from outside the cluster using Calico host endpoints with network policy, including allowing controlled access to specific Kubernetes services.

Apply policy to forwarded traffic

Apply Calico network policy to traffic being forward by hosts acting as routers or NAT gateways.

Policy for services

Apply Calico policy to Kubernetes node ports

Restrict access to Kubernetes node ports using Calico global network policy. Follow the steps to secure the host, the node ports, and the cluster.

Apply Calico policy to services exposed externally as cluster IPs

Expose Kubernetes service cluster IPs over BGP using Calico, and restrict who can access them using Calico network policy.

Policy for Istio

Enforce network policy for Istio

Enforce network policy for Istio service mesh including matching on HTTP methods and paths.

Use HTTP methods and paths in policy rules

Create a Calico network policy for Istio-enabled apps to restrict ingress traffic matching HTTP methods or paths.

Enforce Calico network policy using Istio (tutorial)

Learn how Calico integrates with Istio to provide fine-grained access control using Calico network policies enforced within the service mesh and network layer.

Securing component communications

Encrypt in-cluster pod traffic

Enable WireGuard for state-of-the-art cryptographic security between pods for Calico clusters.

Configure encryption and authentication to secure Calico components

Enable TLS authentication and encryption for various Calico components.

Schedule Typha for scaling to well-known nodes

Configure the Calico Typha TCP port.

Secure Calico Prometheus endpoints

Limit access to Calico metric endpoints using network policy.

Secure BGP sessions

Configure BGP passwords to prevent attackers from injecting false routing information.

Network policy options with Calico Cloud

Policy recommendations

Enable continuous policy recommendations to secure unprotected namespaces or workloads.