How can we make use of "order" in Calico network policy?

Hi there,

We are trying to establish Calico networking policy on one of our Kubernetes clusters (AKS). In K8s' native network policy, there is no order in place. That means we can even have more than one policy pointing to the same Pod, with both deny and allow policies (at the end of the day, through the allow policy, we can access the pod).

But here in Calico we have something called the “order” section. Can someone please explain how it works, and can we have more than one policy, similar to native network policy?

Thanks in advance.

Policies are executed in order and the first matching rule wins. So, if you have a policy with order=0 and a deny rule in there and a policy with order=10 with an allow rule, the packet will hit the drop rule first and it will be dropped.

Kubernetes policy doesn’t require an ordering because it doesn’t support deny rules. You can use Calico policy exactly the same way: make only allow policies and the order doesn’t matter.

1 Like
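The order=0 deny and order=10 allow case from the answer above, written out as two Calico policies. This is an added example, not part of the original thread; the policy names, the `demo` namespace, the `app` labels and port 5432 are constructed for illustration.

```yaml
# Policy evaluated first: lower "order" values are processed earlier.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-frontend-to-db      # constructed name
  namespace: demo                # constructed namespace
spec:
  order: 0
  selector: app == 'db'          # constructed label: the pods this policy applies to
  types:
    - Ingress
  ingress:
    - action: Deny
      protocol: TCP
      source:
        selector: app == 'frontend'   # constructed label
      destination:
        ports:
          - 5432
---
# Policy evaluated second: it selects the same pods, but is only reached by
# traffic that matched no rule in the order 0 policy.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-namespace-to-db    # constructed name
  namespace: demo
spec:
  order: 10
  selector: app == 'db'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        ports:
          - 5432
# Outcome for ingress to app=db pods on TCP 5432:
#   from app=frontend  -> matches the Deny rule at order 0, dropped
#   from any other pod -> no match at order 0, matches the Allow rule at order 10
# With the two order values swapped, the Allow rule would match frontend traffic
# first and the Deny rule would never be reached.
```

When reviewing existing policies, check every policy that carries a Deny rule against the order of the Allow policies selecting the same pods, since that is the only place where the order value changes the outcome.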

@fasaxc Brilliant definition! My doubts are cleared.