Edit This Page

Use Calico for NetworkPolicy

This page shows how to use Calico for NetworkPolicy.

• Before you begin
• Deploying a cluster using Calico
• Understanding Calico components
• What’s next

Before you begin

• Install Calico for Kubernetes.

Deploying a cluster using Calico

You can deploy a cluster using Calico for network policy in the default GCE deployment using the following set of commands:

export NETWORK_POLICY_PROVIDER=calico
export KUBE_NODE_OS_DISTRIBUTION=debian
curl -sS https://get.k8s.io | bash

See the Calico documentation for more options to deploy Calico with Kubernetes.

Understanding Calico components

Deploying a cluster with Calico adds Pods that support Kubernetes NetworkPolicy. These Pods run in the kube-system Namespace.

To see this list of Pods run:

kubectl get pods --namespace=kube-system

You’ll see a list of Pods similar to this:

NAME                                                 READY     STATUS    RESTARTS   AGE
calico-node-kubernetes-minion-group-jck6             1/1       Running   0          46m
calico-node-kubernetes-minion-group-k9jy             1/1       Running   0          46m
calico-node-kubernetes-minion-group-szgr             1/1       Running   0          46m
calico-policy-controller-65rw1                       1/1       Running   0          46m
...

There are two main components to be aware of:

• One calico-node Pod runs on each node in your cluster and enforces network policy on the traffic to/from Pods on that machine by configuring iptables.
• The calico-policy-controller Pod reads the policy and label information from the Kubernetes API and configures Calico appropriately.

What’s next

Once your cluster is running, you can follow the NetworkPolicy getting started guide to try out Kubernetes NetworkPolicy.