Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

- Adopt a zero trust network model for security: Best practices to adopt a zero trust network model to secure workloads and hosts. Learn 5 key requirements to control network access for a cloud-native strategy.
- Get started with Calico network policy: Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy.
- Calico policy tutorial: Learn how to create more advanced Calico network policies (namespace, allow and deny all ingress and egress).
- Get started with Kubernetes network policy: Learn Kubernetes policy syntax, rules, and features for controlling network traffic.
- Kubernetes policy, demo: An interactive demo that visually shows how applying Kubernetes policy allows and denies connections.
- Kubernetes policy, basic tutorial: Learn how to use basic Kubernetes network policy to securely restrict traffic to/from pods.
- Kubernetes policy, advanced tutorial: Learn how to create more advanced Kubernetes network policies (namespace, allow and deny all ingress and egress).
- Enable a default deny policy for Kubernetes pods: Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined.

Policy rules

- Basic rules: Define network connectivity for Calico endpoints using policy rules and label selectors.
- Use namespace rules in policy: Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces.
- Use service rules in policy: Use Kubernetes Service names in policy rules.
- Use service account rules in policy: Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC-controlled high-priority rules across teams.
- Use external IPs or networks rules in policy: Limit egress and ingress traffic using IP addresses, either directly within Calico network policy or managed as Calico network sets.
- Use ICMP/ping rules in policy: Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints.

Policy for hosts

- Protect hosts: Calico network policy not only protects workloads, but also hosts. Create Calico network policies to restrict traffic to/from hosts.
- Protect Kubernetes nodes: Protect Kubernetes nodes with host endpoints managed by Calico.
- Protect hosts tutorial: Learn how to secure incoming traffic from outside the cluster using Calico host endpoints with network policy, including allowing controlled access to specific Kubernetes services.
- Apply policy to forwarded traffic: Apply Calico network policy to traffic being forwarded by hosts acting as routers or NAT gateways.

Policy for services

- Apply Calico policy to Kubernetes node ports: Restrict access to Kubernetes node ports using Calico global network policy. Follow the steps to secure the host, the node ports, and the cluster.
- Apply Calico policy to services exposed externally as cluster IPs: Expose Kubernetes service cluster IPs over BGP using Calico, and restrict who can access them using Calico network policy.

Policy for Istio

- Enforce network policy for Istio: Enforce network policy for the Istio service mesh, including matching on HTTP methods and paths.
- Use HTTP methods and paths in policy rules: Create a Calico network policy for Istio-enabled apps to restrict ingress traffic matching HTTP methods or paths.
- Enforce Calico network policy using Istio (tutorial): Learn how Calico integrates with Istio to provide fine-grained access control using Calico network policies enforced within the service mesh and network layer.

Securing component communications

- Encrypt in-cluster pod traffic: Enable WireGuard for state-of-the-art cryptographic security between pods for Calico clusters.
- Configure encryption and authentication to secure Calico components: Enable TLS authentication and encryption for various Calico components.
- Schedule Typha for scaling to well-known nodes: Configure the Calico Typha TCP port.
- Secure Calico Prometheus endpoints: Limit access to Calico metric endpoints using network policy.
- Secure BGP sessions: Configure BGP passwords to prevent attackers from injecting false routing information.

Network policy options with Calico Cloud

- Policy recommendations: Enable continuous policy recommendations to secure unprotected namespaces or workloads.
- Get started with policy tiers: Learn about policies, tiers, and policy evaluation.
- DNS policy: Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses.
- Staged network policy: Stage and preview policies to observe traffic implications before enforcing them.