Policy Resource (policy)

A Policy resource (policy) represents an ordered set of rules which are applied to a collection of endpoints which match a label selector.

Policy resources can be used to define network connectivity rules between groups of Calico endpoints and host endpoints, and take precedence over Profile resources if any are defined.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): policy, policies, pol, pols.

Sample YAML

This sample policy allows TCP traffic from frontend endpoints to port 6379 on database endpoints.

apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow

Definition

Metadata

| Field | Description | Accepted Values | Schema |
|-------|-------------|-----------------|--------|
| name | The name of the policy. | | string |

Spec

| Field | Description | Accepted Values | Schema | Default |
|-------|-------------|-----------------|--------|---------|
| order | (Optional) Indicates the priority of this policy, with lower order taking precedence. No value indicates highest order (lowest precedence). | | float | |
| selector | Selects the endpoints to which this policy applies. | | selector | all() |
| ingress | Ordered list of ingress rules applied by this policy. | | List of Rule | |
| egress | Ordered list of egress rules applied by this policy. | | List of Rule | |
| doNotTrack | Indicates that the rules in this policy should be applied before any data plane connection tracking, and that packets allowed by these rules should not be tracked. | true, false | boolean | false |

The doNotTrack field is meaningful for host endpoints only. It does not apply at all to workload endpoints; connection tracking is always used for flows to and from those.

Untracked policy explains more about how doNotTrack can be useful for host endpoints.

Rule

| Field | Description | Accepted Values | Schema | Default |
|-------|-------------|-----------------|--------|---------|
| action | Action to perform when matching this rule. | allow, deny, log, pass | string | |
| protocol | Positive protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255. | string | |
| notProtocol | Negative protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255. | string | |
| icmp | ICMP match criteria. | | ICMP | |
| notICMP | Negative match on ICMP. | | ICMP | |
| source | Source match parameters. | | EntityRule | |
| destination | Destination match parameters. | | EntityRule | |

An action of pass will skip over the remaining Policies and jump to the first Profile assigned to the endpoint, applying the policy configured in the Profile; if there are no Profiles configured for the endpoint the default applied action is deny.

ICMP

| Field | Description | Accepted Values | Schema | Default |
|-------|-------------|-----------------|--------|---------|
| type | Match on ICMP type. | Can be integer 1-255 | integer | |
| code | Match on ICMP code. | Can be integer 1-255 | integer | |

EntityRule

| Field | Description | Accepted Values | Schema | Default |
|-------|-------------|-----------------|--------|---------|
| tag (deprecated) | Match on tag. | | string | |
| notTag (deprecated) | Negative match on tag. | | string | |
| net | Match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| notNet | Negative match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| selector | Positive match on selected endpoints. | Valid selector | selector | |
| notSelector | Negative match on selected endpoints. | Valid selector | selector | |
| ports | Positive match on the specified ports. | | list of ports | |
| notPorts | Negative match on the specified ports. | | list of ports | |

Selector

A label selector is an expression which either matches or does not match an endpoint based on its labels.

Calico label selectors support a number of syntactic primitives. Each of the following primitive expressions can be combined using the logical operator &&.

| Syntax | Meaning |
|--------|---------|
| k == 'v' | Matches any endpoint with the label 'k' and value 'v'. |
| k != 'v' | Matches any endpoint with the label 'k' and value that is not 'v'. |
| has(k) | Matches any endpoint with label 'k', independent of value. |
| !has(k) | Matches any endpoint that does not have label 'k'. |
| k in { 'v1', 'v2' } | Matches any endpoint with label 'k' and value in the given set. |
| k not in { 'v1', 'v2' } | Matches any endpoint without label 'k', or any with label 'k' and value not in the given set. |

Ports

Calico supports the following syntaxes for expressing ports.

| Syntax | Example | Description |
|--------|---------|-------------|
| int | 80 | The exact port specified |
| start:end | 6040:6050 | All ports within the range start <= x <= end |
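As an added illustration (not Calico's own code), the following evaluator implements the selector primitives and port syntaxes from the two tables above, following their definitions exactly, and applies the sample policy from the top of the page to a single flow. It assumes only `&&`-joined primitives (Calico's real parser supports more) and, as a simplification, treats a covered endpoint with no matching ingress rule as denied.

```python
import re

# Added example, not Calico's own parser: follows the Selector and Ports tables exactly.
_PRIM = re.compile(r"""^\s*(?:!has\(\s*(?P<nk>[\w./-]+)\s*\)|has\(\s*(?P<hk>[\w./-]+)\s*\)
    |(?P<k>[\w./-]+)\s*(?P<op>==|!=|not\s+in|in)\s*(?:'(?P<v>[^']*)'|\{(?P<set>[^}]*)\}))\s*$""",
    re.VERBOSE)

def _primitive(expr, labels):
    m = _PRIM.match(expr)
    if not m:
        raise ValueError(f"unsupported selector primitive: {expr!r}")
    if m.group("nk"):                                   # !has(k)
        return m.group("nk") not in labels
    if m.group("hk"):                                   # has(k)
        return m.group("hk") in labels
    k, op = m.group("k"), m.group("op")
    if op in ("==", "!="):          # per the table, the label must be present
        return k in labels and (labels[k] == m.group("v")) == (op == "==")
    values = set(re.findall(r"'([^']*)'", m.group("set") or ""))
    if op == "in":                                      # k in {...}
        return k in labels and labels[k] in values
    return k not in labels or labels[k] not in values  # k not in {...}

def selector_matches(selector, labels):
    """True if the endpoint's labels satisfy the selector (primitives joined by &&)."""
    sel = selector.strip()
    return sel == "all()" or all(_primitive(p, labels) for p in sel.split("&&"))

def port_matches(spec, port):   # spec: int (exact) or 'start:end' (inclusive range)
    if isinstance(spec, int):
        return port == spec
    start, end = (int(x) for x in spec.split(":"))
    return start <= port <= end

def ingress_allowed(policy, dst_labels, src_labels, proto, port):
    """First matching ingress rule decides; None if the policy's selector does not cover
    the destination. Assumption: only action, protocol, source.selector and
    destination.ports are checked, and a covered endpoint with no match is denied."""
    spec = policy["spec"]
    if not selector_matches(spec.get("selector", "all()"), dst_labels):
        return None
    for r in spec.get("ingress", []):
        ports = r.get("destination", {}).get("ports")
        if (r.get("protocol", proto) == proto
                and selector_matches(r.get("source", {}).get("selector", "all()"), src_labels)
                and (ports is None or any(port_matches(p, port) for p in ports))):
            return r["action"] == "allow"
    return False

SAMPLE_POLICY = {"spec": {"selector": "role == 'database'", "ingress": [  # the page's sample YAML
    {"action": "allow", "protocol": "tcp", "source": {"selector": "role == 'frontend'"},
     "destination": {"ports": [6379]}}]}}
```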