Skip to content

Network Policy Quiz

Related Document: Network PolicyLast Updated: February 22, 2026

Quiz

  1. What is a key limitation of Kubernetes standard NetworkPolicy that Calico addresses?
    • A) Cannot specify port numbers
    • B) No support for egress rules
    • C) No deny rules, no global policies, limited selector options
    • D) Cannot select pods by labels
Show Answer

Answer: C) No deny rules, no global policies, limited selector options

Explanation: Kubernetes standard NetworkPolicy has several limitations: it only supports Allow rules (no explicit Deny), cannot create cluster-wide global policies, has limited selector options, and doesn't support L7 (application layer) filtering. Calico extends NetworkPolicy with explicit Deny/Allow/Log/Pass actions, GlobalNetworkPolicy, advanced selectors, and L7 policy support.

  1. What is the syntax for selectors in Calico NetworkPolicy?
    • A) YAML key-value pairs like standard Kubernetes
    • B) Expression-based syntax like app == 'frontend'
    • C) Regular expressions
    • D) JSON path expressions
Show Answer

Answer: B) Expression-based syntax like app == 'frontend'

Explanation: Calico uses an expression-based selector syntax that supports operators like ==, !=, in, not in, has(), and !has(). For example: app == 'frontend', environment in {'prod', 'staging'}, has(role). This provides more flexibility than standard Kubernetes label selectors.

  1. What are the valid action types in Calico NetworkPolicy rules?
    • A) Accept, Reject
    • B) Allow, Deny, Log, Pass
    • C) Permit, Block, Audit
    • D) Enable, Disable, Monitor
Show Answer

Answer: B) Allow, Deny, Log, Pass

Explanation: Calico NetworkPolicy supports four action types: Allow (permit the traffic), Deny (drop the traffic), Log (log the traffic and continue evaluation), and Pass (skip to the next tier for evaluation). These actions provide fine-grained control over traffic handling.

  1. What is the difference between GlobalNetworkPolicy and NetworkPolicy in Calico?
    • A) GlobalNetworkPolicy is faster
    • B) NetworkPolicy requires a namespace, GlobalNetworkPolicy applies cluster-wide
    • C) GlobalNetworkPolicy only works with eBPF mode
    • D) NetworkPolicy supports more features
Show Answer

Answer: B) NetworkPolicy requires a namespace, GlobalNetworkPolicy applies cluster-wide

Explanation: Calico NetworkPolicy is namespaced and applies only to pods within that namespace, similar to Kubernetes NetworkPolicy. GlobalNetworkPolicy is cluster-wide and can apply to all pods across all namespaces, making it ideal for security baselines, compliance requirements, and cluster-wide rules like default deny policies.

  1. What is a NetworkSet used for in Calico?
    • A) Grouping network interfaces
    • B) Defining reusable sets of IP addresses/CIDRs
    • C) Configuring network namespaces
    • D) Managing network plugins
Show Answer

Answer: B) Defining reusable sets of IP addresses/CIDRs

Explanation: A NetworkSet is a Calico resource that defines a set of IP addresses or CIDR blocks that can be referenced in network policies. This allows you to define groups of external IPs (like database servers or trusted partners) once and reference them in multiple policies, making policy management easier and more maintainable.

  1. How are Tiers evaluated in Calico's policy model?
    • A) Alphabetically by name
    • B) By order field, lower numbers evaluated first
    • C) Randomly
    • D) By creation timestamp
Show Answer

Answer: B) By order field, lower numbers evaluated first

Explanation: Tiers are evaluated in order based on their order field, with lower numbers evaluated first. Within each tier, policies are also evaluated by their order field. This hierarchical structure allows organizations to separate security policies (low order), platform policies (medium order), and application policies (high order).

  1. What does the Pass action do in a Calico policy rule?
    • A) Allows the traffic immediately
    • B) Drops the traffic silently
    • C) Skips to the next tier for continued evaluation
    • D) Logs the traffic and allows it
Show Answer

Answer: C) Skips to the next tier for continued evaluation

Explanation: The Pass action causes policy evaluation to skip the remaining policies in the current tier and continue to the next tier. This is useful when a higher-priority tier (like security) wants to allow certain traffic to be further evaluated by lower-priority tiers (like application policies) rather than making a final decision.

  1. How can you implement FQDN-based (domain name) policies in Calico?
    • A) Using the hosts field in ingress rules
    • B) Using the domains field in destination specification
    • C) FQDN policies are not supported
    • D) Using DNS NetworkPolicy CRD
Show Answer

Answer: B) Using the domains field in destination specification

Explanation: Calico supports FQDN-based policies using the domains field in egress rules. You can specify domain patterns like "*.amazonaws.com" or exact domains. Calico resolves these domains to IP addresses and creates the appropriate rules. This feature is available in Calico Enterprise and requires DNS proxy configuration in open-source Calico.

  1. What does the applyOnForward setting control in a GlobalNetworkPolicy?
    • A) Whether the policy applies to forwarded/routed traffic through the host
    • B) Whether the policy is applied in forward or reverse order
    • C) Whether to forward policy violations to a SIEM
    • D) Whether the policy applies to port forwarding
Show Answer

Answer: A) Whether the policy applies to forwarded/routed traffic through the host

Explanation: The applyOnForward setting determines whether the policy applies to traffic being forwarded through the host (not destined to or originating from the host itself). This is important for host endpoint policies and scenarios where the node is acting as a router for traffic between other endpoints.

  1. What is the purpose of doNotTrack in a Calico policy?
    • A) Disables policy logging
    • B) Applies the policy before connection tracking (stateless)
    • C) Prevents the policy from being tracked in audit logs
    • D) Disables endpoint tracking
Show Answer

Answer: B) Applies the policy before connection tracking (stateless)

Explanation: The doNotTrack option applies the policy rules before Linux connection tracking (conntrack). This creates stateless rules that don't track connection state, useful for high-performance scenarios or when you need to apply rules to traffic before it enters the connection tracking system. Both request and response traffic must be explicitly allowed.

  1. What is the purpose of preDNAT in a Calico policy?
    • A) Applies policy before DNS resolution
    • B) Applies policy before Destination NAT, seeing original destination
    • C) Prevents DNAT from occurring
    • D) Applies policy only to DNS traffic
Show Answer

Answer: B) Applies policy before Destination NAT, seeing original destination

Explanation: The preDNAT option applies the policy before Destination NAT occurs, allowing the policy to see the original destination IP/port before it is translated. This is useful for policies on host endpoints where you want to filter traffic based on the original destination (like external IPs) before DNAT translates it to a pod IP.

  1. How do you implement a default deny policy for all pods in Calico?
  • A) Set a cluster-wide flag in FelixConfiguration
  • B) Create a GlobalNetworkPolicy with selector all() and no rules
  • C) Delete all existing NetworkPolicies
  • D) Configure default deny in the IPPool
Show Answer

Answer: B) Create a GlobalNetworkPolicy with selector all() and no rules

Explanation: To implement default deny, create a GlobalNetworkPolicy that selects all pods (selector: all()) with types: [Ingress, Egress] but no allow rules. This policy should have a high order number so it's evaluated last. Any traffic not explicitly allowed by other policies will be denied by this catch-all policy.

  1. What does the order field in a Calico policy control?
    • A) The order in which pods are selected
    • B) The evaluation priority within a tier (lower = earlier)
    • C) The order of rule application within the policy
    • D) The order of IP addresses in NetworkSets
Show Answer

Answer: B) The evaluation priority within a tier (lower = earlier)

Explanation: The order field determines the evaluation priority of policies within a tier. Policies with lower order values are evaluated first. If a policy matches and takes a terminal action (Allow or Deny), evaluation stops. This allows you to create high-priority exceptions before general rules.

  1. What is a Host Endpoint in Calico?
    • A) A pod running on the host network
    • B) A representation of a host's network interface for policy enforcement
    • C) The API server endpoint
    • D) A service endpoint on the host
Show Answer

Answer: B) A representation of a host's network interface for policy enforcement

Explanation: A Host Endpoint represents a network interface on a host node, allowing Calico policies to be applied to traffic entering or leaving the host itself (not just pod traffic). This enables securing the host's network interfaces, controlling what traffic can reach node services, and implementing host-level firewall rules.

  1. How can you debug why a network policy is not working as expected?
    • A) Only by reading the policy YAML
    • B) Check workload endpoints, policy evaluation with calicoctl, and Felix logs
    • C) Restart all Calico components
    • D) Network policy debugging is not supported
Show Answer

Answer: B) Check workload endpoints, policy evaluation with calicoctl, and Felix logs

Explanation: To debug network policies: 1) Use calicoctl get workloadendpoint -n <namespace> to verify the endpoint exists and has correct labels, 2) Use calicoctl get networkpolicy -A and globalnetworkpolicy to list all policies, 3) Check Felix logs for policy-related messages, 4) Verify selector expressions match the endpoint labels, 5) In eBPF mode, use tc filter show to inspect applied rules.


Return to Learning Materials | Previous Quiz: BGP Deep Dive