Skip to main content
Calico Open Source 3.30 (latest) documentation

Stage, preview impacts, and enforce policy

Big picture​

Stage and preview impacts on traffic before enforcing policy.

Value​

Calico staged network policy resources let you test the traffic impact of the policy as if it were enforced, but without changing actual traffic flow. You can also preview the impacts of a staged policy on existing traffic. By verifying that correct flows are allowed and denied before enforcement, you can minimize misconfiguration and potential network disruption.

Concepts​

About staged policies​

Staged policy resources follow the same structure as their enforced counterparts.

Policy resource nameStaged policy resource name
CalicoNetworkPolicyStagedCalicoNetworkPolicy
GlobalNetworkPolicyStagedGlobalNetworkPolicy
NetworkPolicyStagedKubernetesNetworkPolicy

How to​

Stage a policy​

Stage a policy to test it in a near replica of a production environment. A best practice is to stage a policy before enforcing it to avoid unintentionally exposing or blocking other network traffic. You can use custom resources to stage Kubernetes and Calico policies, and apply them using kubectl. Here are sample YAML files.

Example: StagedGlobalNetworkPolicy

apiVersion: projectcalico.org/v3
kind: StagedGlobalNetworkPolicy
metadata:
name: default.allow-tcp-6379
spec:
tier: default
selector: role == 'database'
types:
- Ingress
- Egress
ingress:
- action: Allow
protocol: TCP
source:
selector: role == 'frontend'
destination:
ports:
- 6379
egress:
- action: Allow

Example: StagedNetworkPolicy

apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
name: default.allow-tcp-6379
namespace: default
spec:
tier: default
selector: role == 'database'
types:
- Ingress
- Egress
ingress:
- action: Allow
protocol: TCP
source:
selector: role == 'frontend'
destination:
ports:
- 6379
egress:
- action: Allow

Example: StagedKubernetesNetworkPolicy

apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978

Preview policy impact​

The impact of staged policies are reflected in the policies.pending field of the generated flow logs in the Calico Whisker web console. This field shows what would happen to traffic if a staged policy is enforced.

Enforce a staged policy​

When the result of a staged policy is satisfactory, create an identical policy and apply it.

Additional resources​