Staged Kubernetes network policy
A staged Kubernetes network policy resource (StagedKubernetesNetworkPolicy) represents a staged version
of a Kubernetes network policy.
This is used to preview network behavior before actually enforcing the network policy. Once persisted, this
will create a Kubernetes network policy backed by a Calico
network policy.
For kubectl commands, the following case-insensitive aliases
may be used to specify the resource type on the CLI:
stagedkubernetesnetworkpolicy.projectcalico.org, stagedkubernetesnetworkpolicies.projectcalico.org and abbreviations such as
stagedkubernetesnetworkpolicy.p and stagedkubernetesnetworkpolicies.p.
Sample YAML
Below is a sample policy based on the example policy in the
Kubernetes NetworkPolicy documentation.
The only difference between this policy and the example Kubernetes version is that the apiVersion and kind are changed
to properly specify a staged Kubernetes network policy.
apiVersion: projectcalico.org/v3
kind: StagedKubernetesNetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
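The point of staging is to preview what a policy would do before it is enforced, and the page notes that promoting the staged resource to an enforced one changes only apiVersion and kind. The following script, added here as an example and not part of Calico's code or documentation, carries the sample policy above as a Python dict (so it runs with no cluster and no PyYAML), produces the enforced NetworkPolicy manifest from it, and evaluates constructed ingress and egress connections against the rules using standard Kubernetes NetworkPolicy semantics (ipBlock with except, namespaceSelector, podSelector scoped to the policy namespace, port and protocol matching). The endpoint dicts, pod labels and IPs are all constructed inputs; only this single policy is evaluated, whereas in a cluster other policies can additionally allow traffic.

```python
"""Offline preview of a staged Kubernetes network policy (added example, not Calico's code).

Endpoint inputs are constructed: a dict with 'ip' for external peers, plus
'namespace', 'ns_labels' and 'labels' for pods. Only numeric ports are handled.
"""
import ipaddress

# Constructed: the page's sample StagedKubernetesNetworkPolicy as a dict.
STAGED_POLICY = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "StagedKubernetesNetworkPolicy",
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
            "ports": [{"protocol": "TCP", "port": 5978}],
        }],
    },
}


def promote(staged):
    """Enforced manifest: only apiVersion and kind differ from the staged resource."""
    enforced = dict(staged)
    enforced["apiVersion"] = "networking.k8s.io/v1"
    enforced["kind"] = "NetworkPolicy"
    return enforced


def labels_match(selector, labels):
    """matchLabels: every selector key must be present with that value; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def selects_pod(policy, pod):
    """spec.podSelector only ever selects pods in the policy's own namespace."""
    return (pod["namespace"] == policy["metadata"]["namespace"]
            and labels_match(policy["spec"]["podSelector"], pod["labels"]))


def peer_matches(peer, endpoint, policy_ns):
    """Evaluate one 'from'/'to' element against one endpoint."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(endpoint["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        # 'except' carves holes out of the CIDR
        return not any(ip in ipaddress.ip_network(ex) for ex in block.get("except", []))
    if "labels" not in endpoint:
        return False  # selector peers only match pods, never external IPs
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], endpoint["ns_labels"]):
            return False
    elif endpoint["namespace"] != policy_ns:
        return False  # a bare podSelector is scoped to the policy's namespace
    if "podSelector" in peer and not labels_match(peer["podSelector"], endpoint["labels"]):
        return False
    return True


def port_matches(rule, port, protocol):
    """A rule without 'ports' matches every port; otherwise port/protocol must be listed."""
    if "ports" not in rule:
        return True
    for p in rule["ports"]:
        if p.get("protocol", "TCP") != protocol:
            continue
        if p["port"] <= port <= p.get("endPort", p["port"]):
            return True
    return False


def _evaluate(policy, direction, endpoint, port, protocol):
    spec = policy["spec"]
    # policyTypes default: Ingress always, Egress only when egress rules exist
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if direction.capitalize() not in types:
        return True  # this policy does not restrict that direction
    peer_key = "from" if direction == "ingress" else "to"
    ns = policy["metadata"]["namespace"]
    for rule in spec.get(direction, []):
        if not port_matches(rule, port, protocol):
            continue
        if peer_key not in rule or any(peer_matches(p, endpoint, ns) for p in rule[peer_key]):
            return True
    return False  # no rule allowed it, so enforcement would deny this connection


def ingress_allowed(policy, src, port, protocol="TCP"):
    return _evaluate(policy, "ingress", src, port, protocol)


def egress_allowed(policy, dst, port, protocol="TCP"):
    return _evaluate(policy, "egress", dst, port, protocol)


if __name__ == "__main__":
    cases = [  # constructed preview inputs
        ("ingress", {"ip": "172.17.2.5"}, 6379),
        ("ingress", {"ip": "172.17.1.9"}, 6379),
        ("egress", {"ip": "10.0.0.7"}, 5978),
        ("egress", {"ip": "10.0.1.1"}, 5978),
    ]
    for d, ep, port in cases:
        fn = ingress_allowed if d == "ingress" else egress_allowed
        print(f"{d:8} {ep['ip']:12} port {port}: {'ALLOW' if fn(STAGED_POLICY, ep, port) else 'DENY'}")
    print(promote(STAGED_POLICY)["kind"], promote(STAGED_POLICY)["apiVersion"])
```

Running the script prints an allow/deny verdict per constructed connection; the same functions can be pointed at a policy loaded from the real YAML once it has been parsed into a dict.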
Definition
See the Kubernetes NetworkPolicy documentation for more information.