Version: 3.27 (latest)

Use service rules in policy

Big picture

Use Calico network policy to allow/deny traffic for Kubernetes services.

Value

Calico network policy can reference Kubernetes Service names directly, so access to a service is expressed in terms of the service rather than hand-maintained IP addresses and ports. Using service names in policy enables you to:

  • Allow or deny access to the Kubernetes API service.
  • Reference port information already declared by the application, making it easier to keep policy up-to-date as application requirements change.

How to

Allow access to the Kubernetes API for a specific namespace

In the following example, egress traffic is allowed to the kubernetes service in the default namespace for all pods in the namespace my-app. This service is the typical access point for the Kubernetes API server.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-api-access
  namespace: my-app
spec:
  selector: all()
  egress:
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default

Endpoint addresses and ports to allow are detected automatically from the service, so the rule keeps tracking the API server endpoints without hard-coded IPs or ports. Because the policy contains only egress rules, Calico applies it with types: [Egress]; pods in my-app therefore get a default-deny for all other egress traffic, including DNS, unless another policy allows it.

Allow access to Kubernetes DNS for the entire cluster

In the following example, a GlobalNetworkPolicy selects all pods in the cluster and applies a rule that allows every pod egress to the kube-dns service in the kube-system namespace.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-kube-dns
spec:
  selector: all()
  egress:
    - action: Allow
      destination:
        services:
          name: kube-dns
          namespace: kube-system

Note: because this policy selects all pods and has only egress rules, every pod in the cluster now has a default-deny for all other egress traffic. Make sure any other egress your applications require (to the API server, to other services, to external hosts) is allowed by another policy.

Allow access from a specified service

In the following example, ingress traffic is allowed from the frontend-service service in the frontend namespace for all pods in the namespace backend. Calico resolves the service to the pods backing it, so all pods behind frontend-service can send traffic to all pods in the backend namespace. Since the policy has only ingress rules, pods in backend get a default-deny for all other ingress traffic unless another policy allows it.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-service-access
  namespace: backend
spec:
  selector: all()
  ingress:
    - action: Allow
      source:
        services:
          name: frontend-service
          namespace: frontend

We can also restrict the ports that the frontend-service service is allowed to reach. The following example limits access from the frontend-service service to TCP port 80 on the backend pods. Calico requires protocol to be set (TCP, UDP, or SCTP) whenever ports are specified; the service in the source rule still supplies the client pod addresses, while the ports belong to the destination.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-service-access
  namespace: backend
spec:
  selector: all()
  ingress:
    - action: Allow
      protocol: TCP
      source:
        services:
          name: frontend-service
          namespace: frontend
      destination:
        ports: [80]
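The three how-to examples above share a few constraints that only surface when a manifest is applied: service rules need a name (and, in a GlobalNetworkPolicy, a namespace), ports need a protocol, a destination service already supplies its own ports, and a policy with rules in only one direction silently becomes a default-deny in that direction. The following pre-apply lint is an added example, not Calico's own tooling; it takes policies as the dicts yaml.safe_load() would return for the manifests on this page, so it runs without a cluster. The constraints it encodes are the author's reading of Calico's documented rules for services and ports and should be treated as assumptions to confirm against the NetworkPolicy reference for your version; the broken-service-rules policy is constructed for the example.

```python
"""Pre-apply lint for Calico service rules (added example; not Calico's own tooling).

Policies are the dicts yaml.safe_load() returns for the manifests on this page.
The constraints checked are the author's understanding of Calico's documented
rules for `services` and `ports` (assumptions; confirm for your version).
"""
from typing import Any

# Entity-rule fields Calico does not accept alongside `services` (assumption, see above).
SERVICE_EXCLUSIVE = ("selector", "namespaceSelector", "nets", "notNets", "serviceAccounts")
PORT_PROTOCOLS = ("TCP", "UDP", "SCTP")


def infer_types(spec: dict[str, Any]) -> list[str]:
    """Mirror Calico's default for spec.types: each direction that has rules."""
    if "types" in spec:
        return list(spec["types"])
    return [t for t, key in (("Ingress", "ingress"), ("Egress", "egress")) if key in spec]


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Return 'ERROR ...' and 'WARN ...' findings for one NetworkPolicy / GlobalNetworkPolicy."""
    findings: list[str] = []
    kind = policy.get("kind", "?")
    ident = f"{kind}/{policy.get('metadata', {}).get('name', '<unnamed>')}"
    spec = policy.get("spec", {})

    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction, [])):
            where = f"{ident} {direction}[{i}]"
            for end in ("source", "destination"):
                entity = rule.get(end) or {}
                has_ports = "ports" in entity or "notPorts" in entity
                # Explicit port matches need an L4 protocol on the rule.
                if has_ports and rule.get("protocol") not in PORT_PROTOCOLS:
                    findings.append(f"ERROR {where}: {end}.ports set but rule.protocol is not one of {PORT_PROTOCOLS}")
                svc = entity.get("services")
                if svc is None:
                    continue
                if not svc.get("name"):
                    findings.append(f"ERROR {where}: {end}.services.name is missing")
                # A NetworkPolicy defaults the service namespace to its own; a GlobalNetworkPolicy has none.
                if kind == "GlobalNetworkPolicy" and not svc.get("namespace"):
                    findings.append(f"ERROR {where}: {end}.services.namespace is required in a GlobalNetworkPolicy")
                clash = [f for f in SERVICE_EXCLUSIVE if f in entity]
                if clash:
                    findings.append(f"ERROR {where}: {end}.services cannot be combined with {', '.join(clash)}")
                # In a destination the service already supplies endpoint IPs and ports.
                if end == "destination" and has_ports:
                    findings.append(f"ERROR {where}: destination.services already supplies the ports; remove destination.ports")

    types = infer_types(spec)
    if types:
        findings.append(
            f"WARN {ident}: endpoints matching selector '{spec.get('selector', 'all()')}' get default-deny for "
            f"{'/'.join(types)}; other required traffic in those directions needs its own Allow rule"
        )
    return findings


def errors(findings: list[str]) -> list[str]:
    """Only the blocking findings."""
    return [f for f in findings if f.startswith("ERROR")]


# Constructed samples: the page's allow-api-access policy, and a deliberately broken
# GlobalNetworkPolicy that violates each checked constraint once.
ALLOW_API_ACCESS = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-api-access", "namespace": "my-app"},
    "spec": {
        "selector": "all()",
        "egress": [{"action": "Allow",
                    "destination": {"services": {"name": "kubernetes", "namespace": "default"}}}],
    },
}
BROKEN = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "GlobalNetworkPolicy",
    "metadata": {"name": "broken-service-rules"},
    "spec": {
        "selector": "all()",
        "ingress": [{"action": "Allow",  # no protocol, yet destination.ports is set
                     "source": {"services": {"name": "frontend-service", "namespace": "frontend"},
                                "selector": "app == 'frontend'"},  # services combined with selector
                     "destination": {"ports": [80]}}],
        "egress": [{"action": "Allow", "protocol": "TCP",
                    "destination": {"services": {"name": "kube-dns"},  # namespace missing in a GNP
                                    "ports": [53]}}],  # explicit ports next to a destination service
    },
}

if __name__ == "__main__":
    for pol in (ALLOW_API_ACCESS, BROKEN):
        for line in lint_policy(pol):
            print(line)
```

Run it against your own manifests by loading them with yaml.safe_load and passing each document to lint_policy; treat any ERROR as a reason not to apply, and read each WARN as the list of directions in which the selected pods will now drop traffic that no other policy allows.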

Additional resources