Staged Policies

When you apply a network policy in Kubernetes, its rules are enforced immediately. It is not uncommon to hear of someone applying a policy that inadvertently blocks DNS, effectively taking the whole cluster down. While that is a drastic example, Kubernetes does not currently offer a way to test your policies before enforcing them.

Calico Enterprise enables multiple policy modes, including Staged and Committed. Staged policies evaluate traffic and report on what traffic would have been allowed or denied, without enforcing the rules.

Staged policies are run for a period of time and observed for any potentially blocked traffic. If the policy is behaving as expected, you can commit the policy to enforce your security controls.
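The stage-then-commit workflow above, as an added example that is not from the original page: a Calico Enterprise `StagedNetworkPolicy` that would deny all egress except DNS, followed by the enforced `NetworkPolicy` it is committed as. The policy names, the `app` namespace and the kube-dns selectors are constructed for illustration.

```yaml
# Added example, not from the page. Names, namespace and selectors are constructed.
#
# 1. Staged: Calico evaluates traffic against this policy and reports what
#    would have been allowed or denied, but nothing is enforced.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: default-deny-egress-except-dns
  namespace: app
spec:
  selector: all()
  types:
    - Egress
  egress:
    # Allow DNS to kube-dns first, so the catch-all deny below cannot
    # break name resolution for every workload in the namespace.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports:
          - 53
    # Everything else is reported as "would deny" while the policy is staged.
    - action: Deny
---
# 2. Committed: the same spec as an enforced policy. Once the staged version
#    has run for a while without reporting unexpected denies, only the kind
#    changes; the rules are now applied to live traffic.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-egress-except-dns
  namespace: app
spec:
  selector: all()
  types:
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports:
          - 53
    - action: Deny
```

Review the flow logs produced while the staged policy is in place for any "would deny" entries on traffic your services depend on before committing; a denied DNS or dependency flow at this stage is the signal to fix the rule rather than enforce it.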

This approach reduces the risk of security controls causing unexpected connectivity issues between your microservices.

