Warning: You're not viewing the latest Calico documentation.

Policy Resource (policy)

A Policy resource (policy) represents an ordered set of rules which are applied to a collection of endpoints which match a label selector.

Policy resources can be used to define network connectivity rules between groups of Calico endpoints and host endpoints, and take precedence over Profile resources if any are defined.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): policy, policies, pol, pols.

Sample YAML

This sample policy allows TCP traffic from frontend endpoints to port 6379 on database endpoints.

apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  ingress:
  - action: allow 
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow

Definition

Metadata

Field	Description	Accepted Values	Schema
name	The name of the policy.		string

Spec

Field	Description	Schema	Default
order	(Optional) Indicates priority of this policy, with lower order taking precedence. No value indicates highest order (lowest precedence)	float
selector	Selects the endpoints to which this policy applies.	selector	all()
ingress	Ordered list of ingress rules applied by policy.	List of Rule
egress	Ordered list of egress rules applied by this policy.	List of Rule

Rule

Field	Description	Accepted Values	Schema
action	Action to perform when matching this rule.	allow, deny, log, pass	string
protocol	Positive protocol match.	tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255.	string
notProtocol	Negative protocol match.	tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255.	string
icmp	ICMP match criteria.		ICMP
notICMP	Negative match on ICMP.		ICMP
source	Source match parameters.		EntityRule
destination	Destination match parameters.		EntityRule

An action of pass will skip over the remaining Policies and jump to the first Profile assigned to the endpoint, applying the policy configured in the Profile; if there are no Profiles configured for the endpoint the default applied action is deny.

ICMP

Field	Description	Accepted Values	Schema	Default
type	Match on ICMP type.	Can be integer 1-255	integer
code	Match on ICMP code.	Can be integer 1-255	integer

EntityRule

Field	Description	Accepted Values	Schema
tag (deprecated)	Match on tag.		string
notTag (deprecated)	Negative match on tag.		string
net	Match on CIDR.	Valid IPv4 or IPv6 CIDR	cidr
notNet	Negative match on CIDR.	Valid IPv4 or IPv6 CIDR	cidr
selector	Positive match on selected endpoints.	Valid selector	selector
notSelector	Negative match on selected endpoints.	Valid selector	selector
ports	Positive match on the specified ports		list of ports
notPorts	Negative match on the specified ports		list of ports

Selector

A label selector is an expression which either matches or does not match an endpoint based on its labels.

Calico label selectors support a number of syntactic primitives. Each of the following primitive expressions can be combined using the logical operator &&.

Syntax	Meaning
k == ‘v’	Matches any endpoint with the label ‘k’ and value ‘v’.
k != ‘v’	Matches any endpoint with the label ‘k’ and value that is not ‘v’.
has(k)	Matches any endpoint with label ‘k’, independent of value.
!has(k)	Matches any endpoint that does not have label ‘k’
k in { ‘v1’, ‘v2’ }	Matches any endpoint with label ‘k’ and value in the given set
k not in { ‘v1’, ‘v2’ }	Matches any endpoint without label ‘k’ or any with label ‘k’ and value not in the given set

Ports

Calico supports the following syntaxes for expressing ports.

Syntax	Example	Description
int	80	The exact port specified
start:end	6040:6050	All ports within the range start <= x <= end

Provide Feedback Get Help via Slack Training