• caseydavenport title: Using Calico for NetworkPolicy

You can deploy a cluster using Calico for network policy in the default GCE deployment using the following set of commands:

export NETWORK_POLICY_PROVIDER=calico
export KUBE_NODE_OS_DISTRIBUTION=debian
curl -sS https://get.k8s.io | bash

See the Calico documentation for more options to deploy Calico with Kubernetes.

Once your cluster using Calico is running, you should see a collection of pods running in the kube-system Namespace that support Kubernetes NetworkPolicy.

$ kubectl get pods --namespace=kube-system
NAME                                                 READY     STATUS    RESTARTS   AGE
calico-node-kubernetes-minion-group-jck6             1/1       Running   0          46m
calico-node-kubernetes-minion-group-k9jy             1/1       Running   0          46m
calico-node-kubernetes-minion-group-szgr             1/1       Running   0          46m
calico-policy-controller-65rw1                       1/1       Running   0          46m
...

There are two main components to be aware of:

  • One calico-node Pod runs on each node in your cluster, and enforces network policy on the traffic to/from Pods on that machine by configuring iptables.
  • The calico-policy-controller Pod reads policy and label information from the Kubernetes API and configures Calico appropriately.

Once your cluster is running, you can follow the NetworkPolicy getting started guide to try out Kubernetes NetworkPolicy.