Yandex project
© 2025 Yandex.Cloud LLC
Configuring the Calico network policy controller

Written by
Yandex Cloud
Updated at May 5, 2025
  • Getting started
  • Create an nginx service
  • Isolate pods using network policies
    • Test whether isolation works
  • Create network policies enabling service access
    • Check the network isolation functionality for other pods
  • Delete the resources you created

Calico is an open-source networking and network security plugin for Kubernetes that enforces Kubernetes network policies. Calico also extends the standard Kubernetes NetworkPolicy model with its own policy resources, which enable you to:

  • Apply policies to any endpoint: pod, container, virtual machine, or host interface.
  • Specify an action in the policy rules: deny, allow, or log.
  • Match on ports, port ranges, protocols, HTTP and ICMP attributes, IP addresses or subnets, and other attributes as the source or destination.
  • Regulate traffic using DNAT settings and traffic forwarding policies.

The policies in this guide use the standard networking.k8s.io/v1 NetworkPolicy API, which Calico enforces; the extended features listed above require Calico's own policy resources.

To configure the Calico network policy controller:

  1. Create an nginx service.
  2. Isolate pods using network policies.
  3. Create network policies enabling service access.

If you no longer need the resources you created, delete them.

Getting started

  1. Create an infrastructure:

    Manually:

    1. Create a cloud network and subnet.

    2. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    3. Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating it, specify the network, subnet, and security groups prepared earlier. Also, enable the Calico network policy controller in the cluster:

      • In the management console, by selecting Enable network policy.
      • Using the CLI, by setting the --enable-network-policy flag.
      • Using the create method for the Cluster resource.
    Terraform:

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-calico.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory. The file describes:

      • Network.

      • Subnet.

      • Managed Service for Kubernetes cluster.

      • Service account required for the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the following in the configuration file:

      • Folder ID.
      • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
      • Managed Service for Kubernetes cluster CIDR.
      • Name of the Managed Service for Kubernetes cluster service account.
    7. Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

    8. Check that the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

    9. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the new cluster.

  3. Create the policy-test namespace in your Managed Service for Kubernetes cluster.

Create an nginx service

  1. Create a pod with the nginx web server in the policy-test namespace. Use the Kubernetes Deployment API object:

    kubectl create deployment --namespace=policy-test nginx --image=nginx
    

    Result:

    deployment.apps/nginx created
    
  2. Expose the nginx deployment as a Kubernetes service:

    kubectl expose --namespace=policy-test deployment nginx --port=80
    

    Result:

    service/nginx exposed
    
  3. Make sure the nginx web server is available. Create a pod named access:

    kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
    

    A shell session opens on the access pod:

    If you don't see a command prompt, try pressing enter.
    / #
    
  4. Connect to the nginx web server via the session on the access pod:

    wget -q nginx -O -
    

    The nginx web server is available:

    <!DOCTYPE html>
    <html>
    <head>
    ...
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    
  5. Exit the pod:

    / # exit
    

    The pod is deleted:

    Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running
    pod "access" deleted
    

Isolate pods using network policies

Isolate the policy-test namespace. The policy below selects every pod in the namespace (its podSelector is empty) and lists no ingress rules, so the Calico network policy controller drops all incoming connections to those pods. Because policyTypes is not set and there is no egress section, the policy applies to ingress only; the pods can still open outbound connections:

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny
  namespace: policy-test
spec:
  podSelector:
    matchLabels: {}
EOF

The network policy is created:

networkpolicy.networking.k8s.io/deny created

Test whether isolation works

  1. The deny network policy has isolated the nginx web server. To check this, create a pod named access:

    kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
    

    A shell session opens on the access pod:

    If you don't see a command prompt, try pressing enter.
    / #
    
  2. Check if the access pod can access the nginx web server:

    wget -q --timeout=5 nginx -O -
    

    No connection is established:

    wget: download timed out
    / #
    
  3. Exit the pod:

    / # exit
    

    The pod is deleted:

    Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running
    pod "access" deleted
    

Create network policies enabling service access

Allow access to the nginx web server using a network policy. The policy below permits connections only from the access pod, identified by its run: access label.

  1. Create the access-nginx network policy:

    kubectl create -f - <<EOF
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: access-nginx
      namespace: policy-test
    spec:
      podSelector:
        matchLabels:
          app: nginx
      policyTypes:
      - Ingress
      - Egress
      ingress:
        - from:
          - podSelector:
              matchLabels:
                run: access
      egress:
        - to:
          - podSelector:
              matchLabels:
                app: nginx
    EOF
    

    Note

    This policy allows ingress to pods labeled app: nginx only from pods labeled run: access in the same namespace. kubectl adds these labels automatically: kubectl create deployment nginx sets app: nginx, and kubectl run access sets run: access. Because policyTypes also lists Egress, the egress block applies to the nginx pods themselves (the pods matched by the policy's podSelector) and allows them to open connections only to other app: nginx pods. This does not affect replies to connections the access pod opens, since policy enforcement is stateful, but it does block the nginx pods from reaching anything else, including cluster DNS.

    The network policy is created:

    networkpolicy.networking.k8s.io/access-nginx created
    
  2. Create a pod named access:

    kubectl run --namespace=policy-test access --rm -ti --image busybox /bin/sh
    

    A shell session opens on the access pod:

    If you don't see a command prompt, try pressing enter.
    / #
    
  3. Check if the access pod can access the nginx web server:

    wget -q --timeout=5 nginx -O -
    

    The connection is established:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    ...
    
  4. Exit the pod:

    / # exit
    

    The pod is deleted:

    Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running
    pod "access" deleted
    

Check the network isolation functionality for other pods

The access-nginx network policy allows connections only from pods with the run: access Kubernetes label; any other pod in the namespace remains subject to the deny policy.

  1. Create a pod with no run: access label:

    kubectl run --namespace=policy-test cant-access --rm -ti --image busybox /bin/sh
    

    A shell session opens on the cant-access pod:

    If you don't see a command prompt, try pressing enter.
    / #
    
  2. Check if the cant-access pod can access the nginx web server:

    wget -q --timeout=5 nginx -O -
    

    No connection is established:

    wget: download timed out
    / #
    
  3. Exit the pod:

    / # exit
    

    The pod is deleted:

    Session ended, resume using 'kubectl attach access -c access -i -t' command when the pod is running
    pod "cant-access" deleted
    
  4. To delete the sample data, delete the namespace:

    kubectl delete ns policy-test
    

    The result will be as follows:

    namespace "policy-test" deleted
    
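The following added example, which is not code from Yandex Cloud or the Calico project, replays the three wget checks in this guide offline by evaluating the Kubernetes NetworkPolicy isolation rules in Python: a pod is isolated in a direction as soon as any policy in its namespace selects it for that direction, an isolated pod only gets traffic that some selecting policy's rule explicitly allows, and policies are additive. The deny and access-nginx manifests from this page are transcribed into dict form, the pod labels mirror what kubectl assigns, and the coredns pod and its labels are assumed for the last case, which shows the side effect of the egress block in access-nginx.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example, not Calico code).

Only matchLabels selectors and podSelector / namespaceSelector peers are modelled;
ipBlock peers and matchExpressions raise NotImplementedError.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict

def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) matches every pod, as in the API."""
    if "matchExpressions" in selector:
        raise NotImplementedError("matchExpressions are not modelled here")
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(policy):
    """Explicit policyTypes, or the API default: Ingress always, Egress only if an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, pod, policy_ns, ns_labels):
    """One entry of a rule's from/to list. A lone podSelector is scoped to the policy's own namespace."""
    if "ipBlock" in peer:
        raise NotImplementedError("ipBlock peers are not modelled here")
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], ns_labels.get(pod.namespace, {})):
            return False
        return selector_matches(peer["podSelector"], pod.labels) if "podSelector" in peer else True
    return pod.namespace == policy_ns and selector_matches(peer["podSelector"], pod.labels)

def rule_allows(rule, peer_key, other, policy_ns, ns_labels, port, proto):
    """A rule with no from/to list matches every peer; a rule with no ports matches every port."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    peer_ok = not peers or any(peer_matches(p, other, policy_ns, ns_labels) for p in peers)
    port_ok = not ports or any(
        pp.get("port") == port and pp.get("protocol", "TCP") == proto for pp in ports)
    return peer_ok and port_ok

def direction_allows(policies, direction, subject, other, ns_labels, port, proto):
    """Isolation check for `subject` in one direction ("Ingress" or "Egress"); returns (allowed, why)."""
    section, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == subject.namespace
                 and direction in policy_types(p)
                 and selector_matches(p["spec"].get("podSelector", {}), subject.labels)]
    if not selecting:
        return True, f"{subject.name}: not isolated for {direction}"
    for p in selecting:
        for rule in p["spec"].get(section) or []:
            if rule_allows(rule, peer_key, other, p["metadata"]["namespace"], ns_labels, port, proto):
                return True, f"{subject.name}: {direction} allowed by {p['metadata']['name']}"
    names = ", ".join(p["metadata"]["name"] for p in selecting)
    return False, f"{subject.name}: {direction} denied (isolated by {names}, no rule matched)"

def connection_allowed(policies, src, dst, port=80, proto="TCP", ns_labels=None):
    """A new connection needs the source's egress AND the destination's ingress to be allowed."""
    ns_labels = ns_labels or {}
    e_ok, e_why = direction_allows(policies, "Egress", src, dst, ns_labels, port, proto)
    i_ok, i_why = direction_allows(policies, "Ingress", dst, src, ns_labels, port, proto)
    return e_ok and i_ok, f"{e_why}; {i_why}"

# The two manifests from this page, transcribed into dict form (no YAML parser needed).
DENY = {"metadata": {"name": "deny", "namespace": "policy-test"},
        "spec": {"podSelector": {"matchLabels": {}}}}
ACCESS_NGINX = {"metadata": {"name": "access-nginx", "namespace": "policy-test"},
                "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
                         "policyTypes": ["Ingress", "Egress"],
                         "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
                         "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "nginx"}}}]}]}}

# Pods labelled as kubectl labels them: `create deployment nginx` -> app=nginx, `run access` -> run=access.
NGINX = Pod("nginx", "policy-test", {"app": "nginx"})
ACCESS = Pod("access", "policy-test", {"run": "access"})
CANT_ACCESS = Pod("cant-access", "policy-test", {"run": "cant-access"})
COREDNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})  # assumed pod and labels for the DNS case

def demo():
    """Replay the page's three wget checks, plus the egress side effect of access-nginx on the nginx pods."""
    both = [DENY, ACCESS_NGINX]
    return {
        "no policies: access -> nginx": connection_allowed([], ACCESS, NGINX)[0],
        "deny only: access -> nginx": connection_allowed([DENY], ACCESS, NGINX)[0],
        "both: access -> nginx": connection_allowed(both, ACCESS, NGINX)[0],
        "both: cant-access -> nginx": connection_allowed(both, CANT_ACCESS, NGINX)[0],
        "both: nginx -> coredns:53/UDP": connection_allowed(both, NGINX, COREDNS, 53, "UDP")[0],
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Running the script prints ALLOW for the first and third cases and DENY for the others, matching the wget results above. The last case is the one the guide does not test: with policyTypes including Egress, the nginx pods may only open connections to other app: nginx pods, so a workload that needs DNS or an upstream would require an additional egress rule (for example, a namespaceSelector plus podSelector peer for kube-dns on port 53).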

Delete the resources you created

Delete the resources you no longer need to avoid paying for them:

Manually:

  1. Delete the Managed Service for Kubernetes cluster.
  2. If you reserved a public static IP address for your Managed Service for Kubernetes cluster, delete it.
Terraform:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
