Installing and using Calico network policies
By default, all Pods in all namespaces in a cluster can communicate with each other. This might be desirable, but, in many cases, you want to take a least privilege approach to network access. Fortunately, Kubernetes provides network policies to restrict traffic between Pods (east-west communication). A network policy operates at Layer 3 and Layer 4 of the OSI model and, as such, is roughly analogous to a traditional on-premises firewall or an AWS security group: it matches on IP addresses (via Pod, namespace, or CIDR selectors), protocol, and port, not on HTTP paths, hostnames, or identities. Policies are allow-lists and additive; a Pod selected by at least one policy of a given type (ingress or egress) only accepts the traffic some policy explicitly allows, while a Pod selected by no policy remains fully open. Note also that a NetworkPolicy object is only enforced if the cluster's CNI or a separate policy engine implements it; otherwise the API server accepts the object and it silently does nothing. More details can be found at https://kubernetes.io/docs/concepts/services-networking/network-policies/.
At the time of writing, the EKS VPC CNI did not enforce network policies (native NetworkPolicy support was added later, in VPC CNI version 1.14), so a separate policy engine or a different CNI was required. In this section, we use the Calico (https://www.projectcalico.org/) policy engine, which is the simplest way to add network policy enforcement while still using the AWS VPC CNI for Pod networking: Calico runs in policy-only mode and programs the rules on each node, while the VPC CNI continues to assign Pod IP addresses from the VPC. We will create a new IPv4 cluster using eksctl with the following configuration file, myipv4cluster.yaml: