# Workflow - Implementing Kubernetes Network Policy with Calico

## Phase 1: Discovery and Planning

### Map Application Communication Flows

```bash
# Identify all namespaces
kubectl get namespaces

# List all services per namespace
kubectl get svc --all-namespaces -o wide

# Identify pod labels
kubectl get pods --all-namespaces --show-labels

# Check existing network policies
kubectl get networkpolicy --all-namespaces
```

### Document Required Traffic Flows

Create a traffic matrix documenting:

- Source pod/namespace -> Destination pod/namespace
- Protocol and port
- Business justification

## Phase 2: Install and Verify Calico

```bash
# Install Tigera operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml

# Wait for operator
kubectl wait --for=condition=Available deployment/tigera-operator -n tigera-operator --timeout=120s

# Install Calico custom resources
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml

# Verify all Calico pods are running (-w watches; Ctrl-C once every pod is Running)
kubectl get pods -n calico-system -w

# Install calicoctl as a pod
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml

# Verify node status
kubectl exec -n calico-system calicoctl -- calicoctl node status
```

## Phase 3: Apply Default Deny Policies

### Step 1 - Create DNS Allow Policy First

```bash
kubectl apply -f - <
```
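The Phase 3 ordering (DNS allow before default deny) as a pair of Kubernetes NetworkPolicy manifests; this is an added example, not the workflow's own manifest, and it assumes a placeholder application namespace `app-ns` and the standard cluster-DNS label `k8s-app=kube-dns` in `kube-system`.

```yaml
# Added example: Phase 3 policies for one namespace.
# Assumptions: application namespace "app-ns" (placeholder) and cluster DNS
# pods labelled k8s-app=kube-dns in kube-system. The namespaceSelector relies
# on the kubernetes.io/metadata.name label that the API server sets on every
# namespace (Kubernetes 1.21 and later).
---
# Step 1: allow DNS egress first, so pods keep resolving names while the
# deny policy below is rolled out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app-ns
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP     # large responses and zone transfers fall back to TCP
          port: 53
---
# Step 2: default deny in both directions. Selecting every pod with no
# ingress/egress rules blocks all traffic; NetworkPolicies are additive, so
# only flows another policy (such as allow-dns-egress) permits get through.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-ns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

Apply with `kubectl apply -f policies.yaml` and confirm both objects with `kubectl get networkpolicy -n app-ns`; each additional flow from the Phase 1 traffic matrix then becomes its own allow policy on top of the deny.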