Network policy
Writing network policies is how you restrict traffic to pods in your Kubernetes cluster.
Calico extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.
Getting started
Adopt a zero trust network model for security
Adopt a zero-trust network model for Kubernetes workloads and hosts using Calico Open Source — five requirements for controlling network access in cloud-native environments.
Get started with Calico network policy
Write your first Calico Open Source NetworkPolicy — sample policies that exercise the rich rule features that extend Kubernetes NetworkPolicy.
Calico policy tutorial
Step-by-step tutorial for advanced Calico Open Source policy patterns — namespace scoping, allow-all, deny-all, and ingress and egress controls.
Get started with Kubernetes network policy
Reference for Kubernetes NetworkPolicy syntax, rules, and features when used with the Calico Open Source enforcement engine.
Kubernetes policy, demo
Interactive demo for a Calico Open Source cluster that visualizes how Kubernetes NetworkPolicy allows and denies connections between pods.
Kubernetes policy, basic tutorial
Apply your first Kubernetes NetworkPolicy in a Calico Open Source cluster to restrict ingress and egress traffic to and from pods.
Kubernetes policy, advanced tutorial
Write more advanced Kubernetes NetworkPolicy resources in a Calico Open Source cluster — namespace scoping, allow-all, and deny-all variants.
Enable a default deny policy for Kubernetes pods
Apply a default-deny network policy in a Calico Open Source cluster so unprotected pods are denied traffic until explicit policy is written.
Policy rules
Basic rules
How to write policy rules in Calico Open Source — label selectors, source and destination match criteria, and rule actions.
Use namespace rules in policy
Group or separate workloads in Calico Open Source policy using namespaces and namespace selectors so policies apply only to specified namespaces.
Use service rules in policy
Match on Kubernetes Service names in Calico Open Source policy rules instead of specific pod selectors.
Use service account rules in policy
Match on Kubernetes service accounts in Calico Open Source policy rules to validate workload identity and apply RBAC-controlled rules.
Use external IP or network rules in policy
Restrict egress and ingress to specific IP ranges in Calico Open Source policy, either inline or via reusable network sets.
Use ICMP/ping rules in policy
Allow or deny ICMP and ping traffic for Calico Open Source workloads and host endpoints using policy rules.
Policy for hosts and VMs
Protect hosts and VMs
Protect Kubernetes hosts and bare-metal nodes with Calico Open Source policy by writing rules that target host endpoints.
Protect Kubernetes nodes
Protect Kubernetes node interfaces with Calico Open Source host endpoints to extend network policy to the node itself.
Protect hosts tutorial
Tutorial for protecting hosts in a Calico Open Source cluster — register host endpoints, write rules, and allow controlled access to specific Kubernetes services.
Apply policy to forwarded traffic
Apply Calico Open Source network policy to traffic forwarded through hosts acting as routers or NAT gateways.
Policy for services
Apply Calico policy to Kubernetes node ports
Restrict access to Kubernetes NodePort services using Calico Open Source GlobalNetworkPolicy at the host endpoint.
Apply Calico policy to services exposed externally as cluster IPs
Expose Kubernetes Service ClusterIPs over BGP using Calico Open Source and restrict who can reach them with network policy.
Policy for Istio
Enforce Calico network policy for Istio service mesh
Apply Calico Open Source network policy to Istio service-mesh traffic, including matching on HTTP methods and paths.
Use HTTP methods and paths in policy rules
Restrict ingress traffic to Istio-enabled apps by matching HTTP methods or paths in a Calico Open Source network policy.
Enforce Calico network policy using Istio (tutorial)
Use Calico Open Source with Istio to apply fine-grained access control at both the network layer and inside the service mesh.
Securing component communications
Encrypt in-cluster pod traffic
Turn on WireGuard encryption between pods on a Calico Open Source cluster for state-of-the-art cryptographic protection of in-cluster traffic.
Configure encryption and authentication to secure Calico components
Turn on TLS authentication and encryption between Calico Open Source components using a custom certificate authority.
Schedule Typha for scaling to well-known nodes
Configure the TCP port used by Typha in a Calico Open Source cluster to reduce datastore load on large clusters.
Secure Calico Prometheus endpoints
Restrict access to Calico Open Source metric endpoints using network policy.
Secure BGP sessions
Configure BGP authentication passwords for Calico Open Source so attackers cannot inject false routing information.