Let’s compare the different CNI plugins and their relation to network policies.

Flannel

Flannel is a simple way to configure a layer 3 network fabric for Kubernetes, and it is focused on networking only. Flannel doesn't control how containers are networked to the host, only how traffic is transported between hosts, and it does not implement a network policy controller. For network policy, other projects such as Calico can be used.

More details in the Flannel documentation.

Canal

If you want to use Flannel for networking but also need to define network policies, you can do it with Canal. Canal means you're using Calico for policy and Flannel for networking.

For more details check Project Calico documentation.

Weave

The Weave Kubernetes Addon includes a network policy controller. Weaveworks’ Network Policy Controller (weave-npc) is an implementation of the Kubernetes Network Policy, which specifies allowed connections within a Kubernetes cluster.

Kubernetes NetworkPolicy example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

More details in Weave network policy.

Calico

Calico network policy provides a richer set of policy capabilities than Kubernetes network policy, including policy ordering/priority, deny rules, and more flexible match rules. While Kubernetes network policy applies only to pods, Calico network policy can be applied to multiple types of endpoints, including pods, VMs, and host interfaces. Finally, when used with the Istio service mesh, Calico network policy supports securing applications with layer 5-7 match criteria and cryptographic identity. You can use Calico network policy in addition to Kubernetes network policy, or exclusively.

Calico NetworkPolicy example:

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  selector: color == 'red'
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: color == 'blue'
    destination:
      ports:
        - 6379

More details at Project Calico network policy page.

Global network policy

Calico also provides globally scoped policies, which Kubernetes network policy cannot express. GlobalNetworkPolicy is not a namespaced resource: it applies to workload endpoint resources in all namespaces, and to host endpoint resources.

More details in the Project Calico global network policy documentation.

Calico GlobalNetworkPolicy example:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-8080
spec:
  selector: role == 'backend'
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 8080
  egress:
  - action: Allow
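
The three manifests above illustrate the semantic differences described in the Calico and global network policy sections: Kubernetes policies are additive allow-lists with no deny rule, Calico rules carry an explicit action and policies apply in `order`, and GlobalNetworkPolicy selects endpoints in every namespace. The following toy evaluator is an added example, not code from this page or from any CNI project; it models only those stated behaviours (label selectors, a small subset of Calico selector syntax, protocol and destination-port matching) and skips everything else a real engine such as weave-npc or Calico's Felix handles. The endpoints and the extra `Deny` and `allow-from-blue` policies are constructed; the rest is adapted from the page's manifests.

```python
"""Toy evaluator contrasting Kubernetes NetworkPolicy with Calico policy semantics.
Added example, not code from the page or any CNI project; it models only what the text
states: K8s policies are additive allow-lists with no deny rule, Calico rules carry an
action and policies apply in `order`, and GlobalNetworkPolicy is not namespaced."""
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "name namespace labels")  # a workload endpoint (pod)

def match_labels(selector, labels):
    """Kubernetes matchLabels: an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def _k8s_rule_matches(rule, src, dst, conn):
    ports = rule.get("ports")
    if ports and not any(p.get("port") == conn["port"] and
                         p.get("protocol", "TCP") == conn["protocol"] for p in ports):
        return False
    if not rule.get("from"):
        return True  # a rule without `from` admits every source
    # Simplification: only podSelector peers, which select pods in the policy's namespace.
    return any(src.namespace == dst.namespace and match_labels(peer["podSelector"], src.labels)
               for peer in rule["from"] if "podSelector" in peer)

def k8s_ingress_allowed(policies, src, dst, conn):
    """A pod selected by no Ingress policy accepts everything; once selected, traffic
    passes if ANY rule of ANY selecting policy matches. There is no deny rule."""
    selecting = [p for p in policies if p["namespace"] == dst.namespace and
                 "Ingress" in p["policyTypes"] and match_labels(p["podSelector"], dst.labels)]
    return not selecting or any(_k8s_rule_matches(r, src, dst, conn)
                                for p in selecting for r in p.get("ingress", []))

_CLAUSE = re.compile(r"^\s*([\w./-]+)\s*(==|!=)\s*'([^']*)'\s*$")

def calico_selector(expr, labels):
    """Subset of Calico selector syntax: all(), `k == 'v'`, `k != 'v'`, joined by &&."""
    if expr.strip() in ("", "all()"):
        return True
    for clause in expr.split("&&"):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported selector clause: {clause!r}")
        key, op, value = m.groups()
        if (op == "==") != (labels.get(key) == value):
            return False
    return True

def _calico_rule_matches(rule, policy, src, conn):
    if rule.get("protocol", conn["protocol"]) != conn["protocol"]:
        return False
    selector = rule.get("source", {}).get("selector")
    if selector is not None:
        # A namespaced NetworkPolicy's source selector stays in its own namespace;
        # a GlobalNetworkPolicy selects workloads in every namespace.
        if policy["kind"] == "NetworkPolicy" and src.namespace != policy["namespace"]:
            return False
        if not calico_selector(selector, src.labels):
            return False
    ports = rule.get("destination", {}).get("ports")
    return ports is None or conn["port"] in ports

def calico_ingress_verdict(policies, src, dst, conn):
    """Policies apply in ascending `order` (unset sorts last) and the first matching
    rule's action wins; a selected endpoint with no matching rule is denied."""
    selecting = [p for p in policies
                 if (p["kind"] == "GlobalNetworkPolicy" or p["namespace"] == dst.namespace)
                 and "Ingress" in p.get("types", ["Ingress"])
                 and calico_selector(p["selector"], dst.labels)]
    if not selecting:
        return "Allow"
    for p in sorted(selecting, key=lambda p: p.get("order", float("inf"))):
        for rule in p.get("ingress", []):
            if _calico_rule_matches(rule, p, src, conn):
                return rule["action"]
    return "Deny"

def demo():  # constructed endpoints and policies, adapted from the page's manifests
    red = Endpoint("cache", "production", {"color": "red"})
    blue = Endpoint("web", "production", {"color": "blue"})
    bad = Endpoint("web-old", "production", {"color": "blue", "quarantine": "true"})
    redis, http = {"protocol": "TCP", "port": 6379}, {"protocol": "TCP", "port": 8080}
    k8s = [  # the page's deny-all (moved to `production`) plus a constructed allow-from-blue
        {"namespace": "production", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        {"namespace": "production", "podSelector": {"color": "red"}, "policyTypes": ["Ingress"],
         "ingress": [{"from": [{"podSelector": {"color": "blue"}}], "ports": [{"port": 6379}]}]}]
    calico = [  # the page's allow-tcp-6379 plus a constructed Deny with a lower order
        {"kind": "NetworkPolicy", "namespace": "production", "order": 100, "selector": "color == 'red'",
         "ingress": [{"action": "Allow", "protocol": "TCP", "source": {"selector": "color == 'blue'"},
                      "destination": {"ports": [6379]}}]},
        {"kind": "NetworkPolicy", "namespace": "production", "order": 50, "selector": "color == 'red'",
         "ingress": [{"action": "Deny", "source": {"selector": "quarantine == 'true'"}}]}]
    glob = [{"kind": "GlobalNetworkPolicy", "selector": "role == 'backend'", "types": ["Ingress", "Egress"],
             "ingress": [{"action": "Allow", "protocol": "TCP", "source": {"selector": "role == 'frontend'"},
                          "destination": {"ports": [8080]}}]}]  # the page's allow-tcp-8080
    ui, api = Endpoint("ui", "web", {"role": "frontend"}), Endpoint("api", "api", {"role": "backend"})
    return {
        "k8s_blue": k8s_ingress_allowed(k8s, blue, red, redis),                # True
        "k8s_quarantined": k8s_ingress_allowed(k8s, bad, red, redis),          # True: K8s cannot deny
        "calico_blue": calico_ingress_verdict(calico, blue, red, redis),       # "Allow"
        "calico_quarantined": calico_ingress_verdict(calico, bad, red, redis), # "Deny"
        "global_cross_ns": calico_ingress_verdict(glob, ui, api, http),        # "Allow"
        "global_other_port": calico_ingress_verdict(glob, ui, api, dict(http, port=9090)),  # "Deny"
    }
```

The `k8s_quarantined` result is the point of the comparison: once a Kubernetes policy allows traffic from `color=blue`, no second Kubernetes policy can carve out the quarantined pod, because policies only ever add allowed traffic. Calico's lower `order` `Deny` rule wins before the `Allow` is consulted. The two `global_*` checks show the GlobalNetworkPolicy selecting a backend in a namespace the frontend does not share, which a namespaced policy would not do.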

Application layer policy is an optional feature of Calico.

Application layer policy for Calico allows you to write policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities. This feature is not enabled by default.

Application layer policy match criteria are supported with the following restrictions:

  • Only ingress policy is supported. Egress policy must not contain any application layer policy match clauses.
  • Rules must have the action Allow if they contain application layer policy match clauses.

Calico application layer match clause example (this `http` block goes inside an ingress rule with `action: Allow`):

http:
  methods: ["GET", "PUT"]
  paths:
    - exact: "/projects/calico"
    - prefix: "/users"

More details in the Project Calico application layer policy documentation.
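
The two restrictions listed above (ingress only, action Allow) are easy to violate in a manifest review, so here is a small lint that checks them. It is an added example, not Calico's own validation code; policies are plain dicts in the shape a YAML loader returns, and the selector `app == 'docs'`, the policy names and the counter-examples are constructed. The `http` clause in the compliant sample is the one from the page, placed in a complete ingress rule; the shape check on `methods` and `paths` is based on that example.

```python
"""Lint for the restrictions the page lists on Calico application layer policy.
Added example, not Calico's own validation code. Policies are plain dicts, the
shape a YAML loader (e.g. yaml.safe_load) returns for a Calico NetworkPolicy
or GlobalNetworkPolicy manifest."""

def http_clause_violations(policy):
    """Return human-readable violations of the two documented restrictions:
    an `http` clause is only valid in ingress rules, and only with action Allow.
    It also checks the clause's shape against the page's example: `methods` is a
    list of strings and each `paths` entry is exactly one of `exact` or `prefix`."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    problems = []
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction, [])):
            http = rule.get("http")
            if http is None:
                continue
            where = f"{name}: {direction} rule {i}"
            if direction == "egress":
                problems.append(f"{where}: http clauses are only supported on ingress rules")
            if rule.get("action") != "Allow":
                problems.append(f"{where}: http clause requires action Allow, got {rule.get('action')!r}")
            if not all(isinstance(m, str) for m in http.get("methods", [])):
                problems.append(f"{where}: http.methods must be a list of strings")
            for j, path in enumerate(http.get("paths", [])):
                if set(path) not in ({"exact"}, {"prefix"}):
                    problems.append(f"{where}: http.paths[{j}] must have exactly one of exact/prefix")
    return problems

def _calico_policy(name, **spec):
    """Constructed Calico NetworkPolicy skeleton for the samples below."""
    return {"apiVersion": "crd.projectcalico.org/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"selector": "app == 'docs'", **spec}}

# The page's http clause placed in a complete ingress Allow rule (compliant).
PAGE_HTTP = {"methods": ["GET", "PUT"],
             "paths": [{"exact": "/projects/calico"}, {"prefix": "/users"}]}
COMPLIANT = _calico_policy("allow-docs-http",
                           ingress=[{"action": "Allow", "http": PAGE_HTTP}])
# Constructed counter-examples, one per restriction plus a malformed path entry.
EGRESS_HTTP = _calico_policy("egress-http",
                             egress=[{"action": "Allow", "http": PAGE_HTTP}])
DENY_HTTP = _calico_policy("deny-http",
                           ingress=[{"action": "Deny", "http": PAGE_HTTP}])
BAD_PATH = _calico_policy("bad-path",
                          ingress=[{"action": "Allow",
                                    "http": {"methods": ["GET"],
                                             "paths": [{"exact": "/a", "prefix": "/b"}]}}])

def lint_all(policies):
    """Map policy name -> list of violations, for a quick manifest review."""
    return {p["metadata"]["name"]: http_clause_violations(p) for p in policies}

if __name__ == "__main__":
    for pol, problems in lint_all([COMPLIANT, EGRESS_HTTP, DENY_HTTP, BAD_PATH]).items():
        print(pol, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run it directly to see one line per policy; `allow-docs-http` passes and each of the three constructed policies reports exactly the restriction it breaks. Wiring `lint_all` into a pre-apply check (for example over every document in a rendered manifest set) catches these before Calico rejects them at apply time.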