In this short blog post I want to address a question that has come up a few times about some important recent changes in the Kubernetes Network Policy API.
With the Kubernetes 1.7 release, Network Policy graduated from Beta to Stable status. There were some important changes between the beta (v1beta1) and final (v1) policy versions, and Project Calico has of course been updated to support the final API definition.
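The key difference is that in the beta version, if a namespace had network policy enabled, a “default deny” rule was applied to all pods in that namespace. In the final v1 version, only pods that are selected by the podSelector of at least one NetworkPolicy have deny rules applied; pods that no policy selects continue to accept all traffic.
If you miss the beta behavior, don’t despair! Apply the following simple policy to the namespace, and voilà, that “default deny” behavior is restored! Its empty podSelector selects every pod in the namespace, and because the policy defines no ingress rules, nothing is allowed in until another policy permits it.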
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # An empty selector matches every pod in the namespace the policy is applied to.
  podSelector: {}
```
Sample NetworkPolicy resource to implement “default-deny” behavior
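To audit which pods are left open under the v1 semantics, the following added example (not code from Calico or Kubernetes) models the selection rule described above and lists pods that no policy selects. The pod and policy data are constructed, and the model only checks whether a policy selects a pod, not what its rules allow.

```python
# Added example: models v1 pod selection; all pods and policies are constructed.

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty selector matches every pod."""
    selector = selector or {}
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def unisolated_pods(pods, policies):
    """Names of pods that no NetworkPolicy in their own namespace selects.
    Under v1 these pods accept all traffic."""
    open_pods = []
    for pod in pods:
        selected = any(
            pol["namespace"] == pod["namespace"]
            and selector_matches(pol["spec"].get("podSelector"), pod["labels"])
            for pol in policies
        )
        if not selected:
            open_pods.append(pod["name"])
    return open_pods

# Constructed sample data: three pods in a hypothetical "shop" namespace.
PODS = [
    {"name": "web", "namespace": "shop", "labels": {"app": "web"}},
    {"name": "db", "namespace": "shop", "labels": {"app": "db"}},
    {"name": "batch", "namespace": "shop", "labels": {}},
]
DB_POLICY = {"namespace": "shop", "spec": {"podSelector": {"matchLabels": {"app": "db"}}}}
DEFAULT_DENY = {"namespace": "shop", "spec": {"podSelector": {}}}

if __name__ == "__main__":
    print("without default-deny:", unisolated_pods(PODS, [DB_POLICY]))
    print("with default-deny:   ", unisolated_pods(PODS, [DB_POLICY, DEFAULT_DENY]))
```

A non-empty result for a namespace means the default-deny policy is missing there or was applied to a different namespace.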
I hope this is useful – and as always, if you want to chat about all things Kubernetes+Calico, please join us in the Calico Users Slack community.