Calico Cloud documentation

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Cloud extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Best practices for Calico Cloud policy across connected clusters — security posture, scalability with tiers, and performance tuning under load.

Enable a default deny policy for Kubernetes pods

Apply a default-deny network policy in a Calico Cloud connected cluster so unprotected pods are denied traffic until explicit policy is written.

Get started with Calico network policy

Write your first Calico Cloud NetworkPolicy — sample policies that exercise the rich rule features beyond Kubernetes NetworkPolicy.

Get started with network sets

Use Calico Cloud network sets to package frequently reused IP ranges or domains into named selectors that policies can reference across connected clusters.

DNS policy

Allow traffic to external destinations by DNS name using Calico Cloud domain-based policy rules — without maintaining static IP lists.

Policy rules

Basic rules

How to write policy rules in Calico Cloud — label selectors, source and destination match criteria, and rule actions.

Use namespace rules in policy

Group or separate workloads in Calico Cloud policy using namespaces and namespace selectors so policies apply only to specified namespaces.

Use service rules in policy

Match on Kubernetes Service names in Calico Cloud policy rules instead of specific pod selectors.

Use service accounts rules in policy

Match on Kubernetes service accounts in Calico Cloud policy rules to validate workload identity and apply RBAC-controlled rules.

Use external IPs or networks rules in policy

Restrict egress and ingress to specific IP ranges in Calico Cloud policy, either inline or via reusable network sets.

Use ICMP/ping rules in policy

Allow or deny ICMP and ping traffic for Calico Cloud workloads and host endpoints using policy rules.

Policy tiers

Get started with policy tiers

How tiered policy works in Calico Cloud — evaluation order, pass actions, and using tiers to enforce microsegmentation across connected clusters.

Change allow-tigera tier behavior

Customize the behavior of the allow-tigera tier that Calico Cloud installs by default to keep its own components reachable.

Network policy tutorial

Tutorial for the Calico Cloud policy management UI — author, order, and stage policies inside tiers from the web console.

Configure RBAC for tiered policies

Configure Kubernetes RBAC to control which users can edit Calico Cloud policies in each tier across connected clusters.

Policy for services

Apply Calico Cloud policy to Kubernetes node ports

Restrict access to Kubernetes NodePort services using a Calico Cloud GlobalNetworkPolicy at the host endpoint.

Apply Calico Cloud policy to services exposed externally as cluster IPs

Expose Kubernetes Service ClusterIPs over BGP using Calico Cloud and restrict who can reach them with network policy.

Policy for extreme traffic

Enable extreme high-connection workloads

Bypass Linux conntrack with a Calico Cloud policy rule for workloads that handle an extreme number of concurrent connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Cloud policy that drop connections at the eBPF or XDP layer, with hardware offload when available.