From Beta to Stable: Evolution of the NetworkPolicy API

In this short blog post I want to address a question that has come up a few times about some important recent changes in the Kubernetes Network Policy API.

With the Kubernetes 1.7 release, Network Policy graduated from Beta to Stable status. There were some important changes between the beta (v1beta1) and final (v1) policy versions, and Project Calico has of course been updated to support the final API definition.

The key difference is that in the beta version, if a namespace had network policy enabled, then a “default deny” rule was applied to all pods in it. In the final v1 version, only pods that are selected by the podSelector of a NetworkPolicy have deny rules applied.

If you miss the beta behavior, don’t despair! Apply the following simple policy to the namespace, and voilà, that “default deny” behavior is restored!

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # An empty podSelector selects every pod in the namespace
  podSelector: {}

Sample NetworkPolicy resource to implement “default-deny” behavior
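
The v1 selection rule described above can be checked offline against a set of manifests to find pods that no policy selects. The following Python sketch is an added example, not code from the original post or from Kubernetes or Calico; the `shop` namespace, the pod list, the `allow-web` policy and the function names are constructed for illustration.

```python
# Added example: which pods does no v1 NetworkPolicy select (and so stay open)?
# All pods, namespaces and the allow-web policy are constructed sample data.

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty selector matches all pods."""
    selector = selector or {}
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        if op == "In":
            ok = labels.get(key) in values
        elif op == "NotIn":
            ok = labels.get(key) not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown operator: {op}")
        if not ok:
            return False
    return True

def unselected_pods(pods, policies):
    """Return namespace/name of pods that no policy in their namespace selects."""
    result = []
    for pod in pods:
        selected = any(
            pol["metadata"].get("namespace", "default") == pod["namespace"]
            and selector_matches(pol["spec"].get("podSelector"), pod["labels"])
            for pol in policies)
        if not selected:
            result.append(f"{pod['namespace']}/{pod['name']}")
    return result

PODS = [
    {"namespace": "shop", "name": "web", "labels": {"app": "web"}},
    {"namespace": "shop", "name": "db", "labels": {"app": "db"}},
    {"namespace": "shop", "name": "debug", "labels": {}},
]
ALLOW_WEB = {"metadata": {"name": "allow-web", "namespace": "shop"},
             "spec": {"podSelector": {"matchLabels": {"app": "web"}}}}
# The post's default-deny policy, placed in the constructed "shop" namespace.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "shop"},
                "spec": {"podSelector": {}}}

if __name__ == "__main__":
    print(unselected_pods(PODS, [ALLOW_WEB]))                # only allow-web
    print(unselected_pods(PODS, [ALLOW_WEB, DEFAULT_DENY]))  # with default-deny
```

With only `allow-web` in place, the `db` and `debug` pods are selected by nothing and keep accepting traffic; adding the default-deny policy to the same namespace leaves no pod unselected.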

I hope this is useful – and as always, if you want to chat about all things Kubernetes+Calico, please join us in the Calico Users Slack community.
