Network Policy Quiz
Related Document: Network PolicyLast Updated: February 22, 2026
Quiz
- What is a key limitation of Kubernetes standard NetworkPolicy that Calico addresses?
- A) Cannot specify port numbers
- B) No support for egress rules
- C) No deny rules, no global policies, limited selector options
- D) Cannot select pods by labels
Show Answer
Answer: C) No deny rules, no global policies, limited selector options
Explanation: Kubernetes standard NetworkPolicy has several limitations: it only supports Allow rules (no explicit Deny), cannot create cluster-wide global policies, has limited selector options, and doesn't support L7 (application layer) filtering. Calico extends NetworkPolicy with explicit Deny/Allow/Log/Pass actions, GlobalNetworkPolicy, advanced selectors, and L7 policy support.
- What is the syntax for selectors in Calico NetworkPolicy?
- A) YAML key-value pairs like standard Kubernetes
- B) Expression-based syntax like
app == 'frontend' - C) Regular expressions
- D) JSON path expressions
Show Answer
Answer: B) Expression-based syntax like app == 'frontend'
Explanation: Calico uses an expression-based selector syntax that supports operators like ==, !=, in, not in, has(), and !has(). For example: app == 'frontend', environment in {'prod', 'staging'}, has(role). This provides more flexibility than standard Kubernetes label selectors.
- What are the valid action types in Calico NetworkPolicy rules?
- A) Accept, Reject
- B) Allow, Deny, Log, Pass
- C) Permit, Block, Audit
- D) Enable, Disable, Monitor
Show Answer
Answer: B) Allow, Deny, Log, Pass
Explanation: Calico NetworkPolicy supports four action types: Allow (permit the traffic), Deny (drop the traffic), Log (log the traffic and continue evaluation), and Pass (skip to the next tier for evaluation). These actions provide fine-grained control over traffic handling.
- What is the difference between GlobalNetworkPolicy and NetworkPolicy in Calico?
- A) GlobalNetworkPolicy is faster
- B) NetworkPolicy requires a namespace, GlobalNetworkPolicy applies cluster-wide
- C) GlobalNetworkPolicy only works with eBPF mode
- D) NetworkPolicy supports more features
Show Answer
Answer: B) NetworkPolicy requires a namespace, GlobalNetworkPolicy applies cluster-wide
Explanation: Calico NetworkPolicy is namespaced and applies only to pods within that namespace, similar to Kubernetes NetworkPolicy. GlobalNetworkPolicy is cluster-wide and can apply to all pods across all namespaces, making it ideal for security baselines, compliance requirements, and cluster-wide rules like default deny policies.
- What is a NetworkSet used for in Calico?
- A) Grouping network interfaces
- B) Defining reusable sets of IP addresses/CIDRs
- C) Configuring network namespaces
- D) Managing network plugins
Show Answer
Answer: B) Defining reusable sets of IP addresses/CIDRs
Explanation: A NetworkSet is a Calico resource that defines a set of IP addresses or CIDR blocks that can be referenced in network policies. This allows you to define groups of external IPs (like database servers or trusted partners) once and reference them in multiple policies, making policy management easier and more maintainable.
- How are Tiers evaluated in Calico's policy model?
- A) Alphabetically by name
- B) By order field, lower numbers evaluated first
- C) Randomly
- D) By creation timestamp
Show Answer
Answer: B) By order field, lower numbers evaluated first
Explanation: Tiers are evaluated in order based on their order field, with lower numbers evaluated first. Within each tier, policies are also evaluated by their order field. This hierarchical structure allows organizations to separate security policies (low order), platform policies (medium order), and application policies (high order).
- What does the Pass action do in a Calico policy rule?
- A) Allows the traffic immediately
- B) Drops the traffic silently
- C) Skips to the next tier for continued evaluation
- D) Logs the traffic and allows it
Show Answer
Answer: C) Skips to the next tier for continued evaluation
Explanation: The Pass action causes policy evaluation to skip the remaining policies in the current tier and continue to the next tier. This is useful when a higher-priority tier (like security) wants to allow certain traffic to be further evaluated by lower-priority tiers (like application policies) rather than making a final decision.
- How can you implement FQDN-based (domain name) policies in Calico?
- A) Using the
hostsfield in ingress rules - B) Using the
domainsfield in destination specification - C) FQDN policies are not supported
- D) Using DNS NetworkPolicy CRD
- A) Using the
Show Answer
Answer: B) Using the domains field in destination specification
Explanation: Calico supports FQDN-based policies using the domains field in egress rules. You can specify domain patterns like "*.amazonaws.com" or exact domains. Calico resolves these domains to IP addresses and creates the appropriate rules. This feature is available in Calico Enterprise and requires DNS proxy configuration in open-source Calico.
- What does the applyOnForward setting control in a GlobalNetworkPolicy?
- A) Whether the policy applies to forwarded/routed traffic through the host
- B) Whether the policy is applied in forward or reverse order
- C) Whether to forward policy violations to a SIEM
- D) Whether the policy applies to port forwarding
Show Answer
Answer: A) Whether the policy applies to forwarded/routed traffic through the host
Explanation: The applyOnForward setting determines whether the policy applies to traffic being forwarded through the host (not destined to or originating from the host itself). This is important for host endpoint policies and scenarios where the node is acting as a router for traffic between other endpoints.
- What is the purpose of doNotTrack in a Calico policy?
- A) Disables policy logging
- B) Applies the policy before connection tracking (stateless)
- C) Prevents the policy from being tracked in audit logs
- D) Disables endpoint tracking
Show Answer
Answer: B) Applies the policy before connection tracking (stateless)
Explanation: The doNotTrack option applies the policy rules before Linux connection tracking (conntrack). This creates stateless rules that don't track connection state, useful for high-performance scenarios or when you need to apply rules to traffic before it enters the connection tracking system. Both request and response traffic must be explicitly allowed.
- What is the purpose of preDNAT in a Calico policy?
- A) Applies policy before DNS resolution
- B) Applies policy before Destination NAT, seeing original destination
- C) Prevents DNAT from occurring
- D) Applies policy only to DNS traffic
Show Answer
Answer: B) Applies policy before Destination NAT, seeing original destination
Explanation: The preDNAT option applies the policy before Destination NAT occurs, allowing the policy to see the original destination IP/port before it is translated. This is useful for policies on host endpoints where you want to filter traffic based on the original destination (like external IPs) before DNAT translates it to a pod IP.
- How do you implement a default deny policy for all pods in Calico?
- A) Set a cluster-wide flag in FelixConfiguration
- B) Create a GlobalNetworkPolicy with selector
all()and no rules - C) Delete all existing NetworkPolicies
- D) Configure default deny in the IPPool
Show Answer
Answer: B) Create a GlobalNetworkPolicy with selector all() and no rules
Explanation: To implement default deny, create a GlobalNetworkPolicy that selects all pods (selector: all()) with types: [Ingress, Egress] but no allow rules. This policy should have a high order number so it's evaluated last. Any traffic not explicitly allowed by other policies will be denied by this catch-all policy.
- What does the order field in a Calico policy control?
- A) The order in which pods are selected
- B) The evaluation priority within a tier (lower = earlier)
- C) The order of rule application within the policy
- D) The order of IP addresses in NetworkSets
Show Answer
Answer: B) The evaluation priority within a tier (lower = earlier)
Explanation: The order field determines the evaluation priority of policies within a tier. Policies with lower order values are evaluated first. If a policy matches and takes a terminal action (Allow or Deny), evaluation stops. This allows you to create high-priority exceptions before general rules.
- What is a Host Endpoint in Calico?
- A) A pod running on the host network
- B) A representation of a host's network interface for policy enforcement
- C) The API server endpoint
- D) A service endpoint on the host
Show Answer
Answer: B) A representation of a host's network interface for policy enforcement
Explanation: A Host Endpoint represents a network interface on a host node, allowing Calico policies to be applied to traffic entering or leaving the host itself (not just pod traffic). This enables securing the host's network interfaces, controlling what traffic can reach node services, and implementing host-level firewall rules.
- How can you debug why a network policy is not working as expected?
- A) Only by reading the policy YAML
- B) Check workload endpoints, policy evaluation with calicoctl, and Felix logs
- C) Restart all Calico components
- D) Network policy debugging is not supported
Show Answer
Answer: B) Check workload endpoints, policy evaluation with calicoctl, and Felix logs
Explanation: To debug network policies: 1) Use calicoctl get workloadendpoint -n <namespace> to verify the endpoint exists and has correct labels, 2) Use calicoctl get networkpolicy -A and globalnetworkpolicy to list all policies, 3) Check Felix logs for policy-related messages, 4) Verify selector expressions match the endpoint labels, 5) In eBPF mode, use tc filter show to inspect applied rules.