Let’s compare the different CNI plugins and their relation to network policies.
Flannel
Flannel is a simple way to configure a layer 3 network fabric for Kubernetes, and it is focused purely on networking. Flannel does not control how containers are attached to the host network, only how traffic is transported between hosts, and it does not implement a network policy controller. The practical consequence is that NetworkPolicy objects created in a Flannel-only cluster are accepted and stored by the API server but never enforced. For network policy, pair Flannel with a project such as Calico (see Canal below).
More details in Flannel documentation
Canal
If you want to use Flannel for networking but you also need to define network policies, you can do that with Canal. Canal means you are using Calico for policy enforcement and Flannel for networking.
For more details check Project Calico documentation.
Weave
The Weave Kubernetes Addon includes a network policy controller. Weaveworks' Network Policy Controller (weave-npc) is an implementation of the Kubernetes NetworkPolicy API, which specifies the allowed connections within a Kubernetes cluster.
Kubernetes NetworkPolicy example (a default-deny policy: the empty podSelector selects every pod in the namespace, and listing both policy types without any ingress or egress rules isolates those pods in both directions):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  # An empty selector matches every pod in the namespace
  podSelector: {}
  # Both directions are isolated; with no rules listed, nothing is allowed
  policyTypes:
  - Ingress
  - Egress
More details in Weave network policy.
Calico
Calico network policy provides a richer set of policy capabilities than Kubernetes NetworkPolicy, including policy ordering/priority, explicit deny rules, and more flexible match rules. While Kubernetes network policy applies only to pods, Calico network policy can be applied to several types of endpoints, including pods, VMs, and host interfaces. Finally, when used with the Istio service mesh, Calico network policy can secure applications using layer 5-7 match criteria and cryptographic identity. You can use Calico network policy in addition to Kubernetes network policy, or exclusively.
Calico NetworkPolicy example (allow TCP 6379 into pods labelled color=red from pods labelled color=blue in the production namespace):
apiVersion: crd.projectcalico.org/v1   # CRD form managed with kubectl; calicoctl uses projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  # Calico selectors are expressions rather than matchLabels maps
  selector: color == 'red'
  # types is omitted, so Calico infers Ingress from the rules present
  # and leaves egress for the selected pods untouched
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: color == 'blue'
    destination:
      ports:
      - 6379
More details at Project Calico network policy page.
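The two capabilities that matter most in practice are the ones Kubernetes NetworkPolicy cannot express: an explicit Deny, and control over which policy is evaluated first. The following pair is an added example, not taken from the Calico documentation, and it extends the allow-tcp-6379 policy above. It assumes an incident-response runbook that labels a compromised pod with quarantine=true (an assumed label). Calico evaluates the policies that select an endpoint in ascending order, and within each policy the rules in sequence; the first rule whose match criteria fit decides with its action, and if a policy applies but none of its rules match, evaluation continues with the next policy. Both orders are set explicitly here so the precedence does not depend on defaults.

```yaml
# Added example (not from the Calico docs): an ordered deny in front of an allow.
# quarantine=true is an assumed label applied during incident response.
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny
  namespace: production
spec:
  order: 100                         # lower order is evaluated first
  selector: color == 'red'           # protects the same pods as allow-tcp-6379
  types:
  - Ingress
  ingress:
  - action: Deny                     # not expressible in Kubernetes NetworkPolicy
    source:
      selector: quarantine == 'true'
---
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  order: 200                         # evaluated after quarantine-deny
  selector: color == 'red'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: color == 'blue'
    destination:
      ports:
      - 6379
```

Outcome for a red pod: a blue pod that has been labelled quarantine=true hits the Deny rule first and is blocked even though it would otherwise match the Allow; a blue pod without the label matches no rule in quarantine-deny, falls through to allow-tcp-6379 and is allowed on TCP 6379; a pod with neither label matches no rule in either policy and, with no other policy allowing it, is denied. With plain Kubernetes NetworkPolicy the only way to achieve the first outcome is to rewrite the allow rule so that it no longer selects the quarantined pod.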
Global network policy
With Calico you can create globally scoped policies, which Kubernetes network policy cannot express. GlobalNetworkPolicy is not a namespaced resource: it applies to workload endpoint resources in all namespaces, and to host endpoint resources.
More details in Project Calico global network policy
Calico GlobalNetworkPolicy example (cluster-wide: backend pods in any namespace accept TCP 8080 only from frontend pods, and may send anything):
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-8080        # no namespace field: the resource is cluster-scoped
spec:
  selector: role == 'backend' # matches endpoints in every namespace
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: role == 'frontend'   # also evaluated across all namespaces
    destination:
      ports:
      - 8080
  egress:
  - action: Allow             # no match criteria: all egress from backend pods is allowed
Application layer policy
Application layer policy is an optional feature of Calico. It allows you to write policies that enforce against application layer attributes such as HTTP methods or paths, as well as against cryptographically secure identities. This feature is not enabled by default.
Application layer policy match criteria are supported with the following restrictions.
- Only ingress policy is supported. Egress policy must not contain any application layer policy match clauses.
- Rules must have the action Allow if they contain application layer policy match clauses.
Calico application layer example (the http clause of an ingress rule with action Allow; only GET and PUT requests to the listed paths match):
  http:
    methods: ["GET", "PUT"]         # HTTP methods that match
    paths:
    - exact: "/projects/calico"     # exact path match
    - prefix: "/users"              # any path beginning with /users
More details in Project Calico application layer policy
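The http clause above is a fragment of a rule; the following is an added example, not taken from the Calico documentation, that places it in a complete namespaced Calico NetworkPolicy together with the identity-based match the feature is designed for. It assumes target pods labelled app=api listening on TCP 8080 and a caller running under the Kubernetes service account web-frontend (both assumptions), and it requires application layer policy to be enabled with the Istio sidecar injected; without that, the http and service account criteria are not evaluated.

```yaml
# Added example (not from the Calico docs): a full policy carrying the http match.
# app=api and the web-frontend service account are assumptions.
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: api-allow-read-and-update
  namespace: production
spec:
  selector: app == 'api'
  types:
  - Ingress
  ingress:
  - action: Allow                    # http matches are only valid on Allow, ingress rules
    protocol: TCP
    source:
      serviceAccounts:               # cryptographic identity asserted by the mesh
        names: ["web-frontend"]
    destination:
      ports:
      - 8080
    http:
      methods: ["GET", "PUT"]
      paths:
      - exact: "/projects/calico"
      - prefix: "/users"
```

Because the restrictions only permit Allow rules with http criteria, you express "deny everything else" by not matching it: a DELETE to /users, or a GET from any other service account, matches no rule in this policy, falls through to the remaining policies that select the api pods and, if nothing else allows it, is denied. Keep the layer 3/4 part (protocol and port) in the same rule so that a request that fails the HTTP match is not accidentally allowed by a broader network-layer rule elsewhere.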