Calico Enterprise 3.22 (latest) documentation

Network policy

Writing network policies is how you restrict traffic to pods in your Kubernetes cluster. Calico Enterprise extends the standard NetworkPolicy object to provide advanced network policy features, such as policies that apply to all namespaces.

Getting started

Policy best practices

Best practices for Calico Enterprise policy — security posture, scalability with tiers, and performance tuning under load.

Enable a default deny policy for Kubernetes pods

Apply a default-deny network policy in a Calico Enterprise cluster so unprotected pods are denied traffic until explicit policy is written.

Get started with Calico network policy

Write your first Calico Enterprise NetworkPolicy — sample policies that exercise the rich rule features beyond Kubernetes NetworkPolicy.

Get started with network sets

Use Calico Enterprise network sets to package frequently reused IP ranges or domains into named selectors that policies can reference.

DNS policy

Allow traffic to external destinations by DNS name using Calico Enterprise domain-based policy rules — without maintaining static IP lists.

Enable policy recommendations

Run continuous Calico Enterprise policy recommendations so unprotected namespaces and workloads pick up baseline policy automatically.

Policy rules

Basic rules

How to write policy rules in Calico Enterprise — label selectors, source and destination match criteria, and rule actions.

Use namespace rules in policy

Group or separate workloads in Calico Enterprise policy using namespaces and namespace selectors so policies apply only to specified namespaces.

Use service rules in policy

Match on Kubernetes Service names in Calico Enterprise policy rules instead of specific pod selectors.

Use service account rules in policy

Match on Kubernetes service accounts in Calico Enterprise policy rules to validate workload identity and apply RBAC-controlled rules.

Use external IP or network rules in policy

Restrict egress and ingress to specific IP ranges in Calico Enterprise policy, either inline or via reusable network sets.

Use ICMP/ping rules in policy

Allow or deny ICMP and ping traffic for Calico Enterprise workloads and host endpoints using policy rules.

Policy for hosts and VMs

Protect hosts and VMs

Protect Kubernetes hosts and bare-metal nodes with Calico Enterprise policy by writing rules that target host endpoints.

Protect Kubernetes nodes

Protect Kubernetes node interfaces with Calico Enterprise host endpoints to extend network policy to the node itself.

Protect hosts tutorial

Tutorial for protecting hosts in a Calico Enterprise cluster — register host endpoints, write rules, and allow controlled access to specific Kubernetes services.

Apply policy to forwarded traffic

Apply Calico Enterprise network policy to traffic forwarded through hosts acting as routers or NAT gateways.

Policy tiers

Get started with policy tiers

How tiered policy works in Calico Enterprise — evaluation order, pass actions, and using tiers to enforce microsegmentation across teams.

Change allow-tigera tier behavior

Customize the behavior of the allow-tigera tier that Calico Enterprise installs by default to keep its own components reachable.

Network policy tutorial

Tutorial for the Calico Enterprise policy management UI — author, order, and stage policies inside tiers from the web console.

Configure RBAC for tiered policies

Configure Kubernetes RBAC to control which users can edit Calico Enterprise policies in each tier.

Policy for services

Apply Calico Enterprise policy to Kubernetes node ports

Restrict access to Kubernetes NodePort services using a Calico Enterprise GlobalNetworkPolicy at the host endpoint.

Apply Calico Enterprise policy to services exposed externally as cluster IPs

Expose Kubernetes Service ClusterIPs over BGP using Calico Enterprise and restrict who can reach them with network policy.

Policy for extreme traffic

Enable extreme high-connection workloads

Bypass Linux conntrack with a Calico Enterprise policy rule for workloads that handle an extreme number of concurrent connections.

Defend against DoS attacks

Define DoS mitigation rules in Calico Enterprise policy that drop connections at the eBPF or XDP layer, with hardware offload when available.