How Calico implements Kubernetes network policy

Hi all!
I am interested to know about the design/implementation of Calico for the Kubernetes network policy.
How does Calico notice that network traffic is going to be sent (/is being sent) to a Pod? Where in the code should I look to understand how Calico receives the network traffic that is meant to be sent to a Pod? Because Calico can implement access/deny rules for ingress traffic, it should somehow know that traffic is going to be sent/is being sent to a Pod. Then I assume it checks the sender IP address against the network policy rules for that Pod. I am interested to know HOW Calico implements this.

Could you please shed some light on this topic? Thanks

Can you say more about why you are interested in understanding the implementation details? That might help direct you to the right level of information.

In general, Calico programs rules into the kernel that filter traffic to implement network policy (on Linux, using iptables, or using eBPF). These rules act on IP addresses. The component in Calico that programs these rules is Felix.

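To make the reply above concrete, here is an added illustration (not Calico's or Felix's own code) of the step it describes: a label-based NetworkPolicy is resolved against the current pod IPs and rendered as IP-address-based, first-match kernel rules, so the kernel never needs to know about labels or pods. The pod names, labels, IPs, the policy and the chain name `POD-INGRESS` are all constructed for this example.

```python
# Added example: resolve a label-based NetworkPolicy into IP-based rules,
# the way the reply describes Felix programming iptables. All values are
# constructed; the chain name "POD-INGRESS" is a placeholder.

# Constructed cluster state: (name, ip, labels) for the protected pod
# and three possible senders.
PODS = [
    ("db-0", "10.244.1.10", {"app": "db"}),
    ("api-0", "10.244.2.20", {"app": "api"}),
    ("api-1", "10.244.3.21", {"app": "api"}),
    ("batch-0", "10.244.4.30", {"app": "batch"}),
]

# Constructed policy shaped like a NetworkPolicy spec: ingress to pods with
# app=db is allowed only from pods with app=api on TCP 5432.
POLICY = {
    "podSelector": {"app": "db"},
    "ingress": [{"from": {"app": "api"}, "port": 5432, "protocol": "tcp"}],
}

def select(selector, pods):
    """Pods whose labels contain every key/value in the selector."""
    return [p for p in pods if all(p[2].get(k) == v for k, v in selector.items())]

def render_rules(policy, pods, chain="POD-INGRESS"):
    """Emit iptables-style rules per protected pod: one ACCEPT per allowed
    source IP, then a default DROP, because a pod selected by a policy
    denies any ingress the policy does not explicitly allow."""
    rules = []
    for _, target_ip, _ in select(policy["podSelector"], pods):
        for rule in policy["ingress"]:
            for _, src_ip, _ in select(rule["from"], pods):
                rules.append(f"-A {chain} -s {src_ip} -d {target_ip} "
                             f"-p {rule['protocol']} --dport {rule['port']} -j ACCEPT")
        rules.append(f"-A {chain} -d {target_ip} -j DROP")
    return rules

def allowed(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation of the rendered rules, as the kernel does it."""
    for r in rules:
        p = r.split()
        if p[p.index("-d") + 1] != dst_ip:
            continue
        if "-s" not in p:
            return False  # reached this pod's default DROP
        if (p[p.index("-s") + 1] == src_ip and p[p.index("-p") + 1] == proto
                and int(p[p.index("--dport") + 1]) == port):
            return True
    return True  # no policy selects this destination: unrestricted
```

Note that a sender is identified purely by its IP at evaluation time, which is why the rules must be re-rendered whenever a selected pod's IP changes.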