Securing Kubernetes clusters while maintaining performance and availability often feels like performing a balancing act on a tightrope. Security teams hesitate to enforce network policies immediately due to the risk of service disruption. But what if there were a way to test policies in real time, without enforcement or performance penalties?
Enter Calico’s Stage Network Policies, introduced in Calico v3.30, a groundbreaking feature that allows teams to test and validate network policies without impacting running workloads.
This blog explores how this capability works, its impact on observability and security, and why it’s a game-changer for Kubernetes administrators and developers alike.
Why policy testing matters in Kubernetes
Kubernetes has revolutionized how applications are deployed and managed, but it also introduces new security challenges. One of the most important tools for securing Kubernetes workloads is the use of network policies. These policies define how pods can communicate with each other and with entities outside the cluster.
However, creating and applying these policies is not always straightforward. A single misconfiguration can lead to unintentional disruptions, such as breaking access to core services like DNS or preventing customer traffic from reaching your app.
Kubernetes introduces an implicit "deny all" rule when a network policy is applied, which means only explicitly allowed connections will be permitted to pass through. This default behavior, while secure, makes live testing risky.
Without a proper mechanism to validate network policies before enforcement, teams often resort to manual monitoring, hoping nothing breaks in production. This gap between policy definition and real-world impact is why policy testing is critical, and Calico’s approach offers an elegant solution.
What are stage network policies?
Stage Network Policies, introduced in Calico v3.30, allow users to define and observe the behavior of network policies without enforcing them. Unlike traditional policies that immediately allow or deny traffic, staged policies monitor the traffic flows that would match their rules and log what would happen if the policy were enforced.
This method allows DevOps and security teams to evaluate whether a policy behaves as intended before risking impact on application availability. It supports both namespace-level and cluster-level applications, making it scalable for both small services and large, distributed systems. Staged policies generate logs that include detailed flow metadata, such as source and destination IPs, ports, and the set of guidelines that would have applied. This provides teams with unmatched visibility into the real-time behavior of their network, without requiring any enforcement.
Importantly, these policies don’t introduce any performance overhead or bottlenecks. They use a streamlined logging mechanism designed to avoid the heavy I/O typically associated with traditional audit logs. As a result, you can safely apply them to production workloads for analysis, without putting application performance or uptime at risk.
Decoding Calico’s approach
Calico's staged network policies work by capturing traffic flow information based on the rules you define, but without making decisions that affect the flow. Staged policies behave similarly to a traditional Kubernetes network policy in structure, but it doesn’t enforce an “allow” or “deny” action. Instead, it acts as a passive observer, logging what would have happened if the policy were live.
Under the hood, these policies utilize a "log-only" action type. When a traffic flow matches a staged policy rule, Calico logs the event with rich metadata: the source and destination pods, namespaces, IPs, ports, protocols, and the verdict that would have been rendered (e.g., "would have been denied"). The logs also include a list of matching policies to help you trace and understand policy interaction.
This approach means that staged policies don’t consume resources in the way that enforced policies do. There’s no packet filtering or network redirection—just smart observation and logging. And if a staged policy performs as intended, you can instantly promote it to an active policy simply by changing the resource kind from StageNetworkPolicy to NetworkPolicy or GlobalNetworkPolicy. This seamless transition removes the need for policy rewrites or redeployment.
Real-time observability: Calico Whisker
Alongside Stage Policies, Calico 3.30 introduces Whisker, a powerful observability dashboard designed to visualize policy behavior.
Features of Whisker:
- Interactive flow logs that correlate with potential policies
- Real-time packet tracing and verdicts
- Integration with Kubernetes metadata (e.g., namespaces, pod names, labels)
- Visibility into dropped packets and denied connections
Together, Stage Network Policies and Whisker enable a test-before-you-deploy model for network policies, first in the Kubernetes ecosystem.
Benefits of microsegmentation
Microsegmentation involves applying granular security controls to individual workloads (e.g., per-pod, per-service). Calico's non-enforcing testing significantly enhances this practice by:
- Reducing human error: Validate access patterns before enforcement
- Enabling continuous improvement: Policies can be refined iteratively
- Improving security posture: Teams can test worst-case and edge scenarios without risking uptime
This makes Calico one of the most practical tools for implementing zero-trust networking in Kubernetes.
No performance trade-offs
One of the standout aspects of Stage Network Policies is performance neutrality. The logging mechanism is designed to avoid heavy I/O. There’s no packet filtering, just passive flow matching. Resources are minimally used, even in high-traffic environments. This ensures that even large-scale clusters with thousands of pods can benefit from policy simulations without experiencing latency or throughput degradation.
Seamless integration with existing workflows
Calico’s staged policy framework fits smoothly into your current DevSecOps pipeline from CI/CD integration, namespace isolation, and security audits. By reducing the risk of unintended consequences, staged policies accelerate security rollouts and compliance efforts.
Going beyond: What’s next for Calico?
Calico’s journey doesn’t end with Stage Network Policies. The roadmap for future releases includes several exciting enhancements designed to simplify and enhance Kubernetes network security. For instance, Calico is expanding its support for the Gateway API, allowing users to gain deeper control over ingress traffic across L3 and L4 layers, along with DNS-based routing.
There are also ongoing efforts to bring improved UI and API-based observability tools, giving DevOps teams even more ways to visualize, interact with, and automate security workflows. As Kubernetes environments continue to evolve, Calico is positioning itself to support VM-level microsegmentation as seamlessly as it supports containers today. With its pluggable data plane and commitment to open source innovation, Calico is ensuring that security keeps pace with the complexity of modern infrastructure.
Final thoughts
In the world of Kubernetes networking, trial and error has traditionally come at a high cost. With the introduction of Stage Network Policies and Whisker in Calico 3.30, teams now have the tools to test confidently, deploy safely, and secure clusters more effectively, without sacrificing performance.
Whether you're a platform engineer, DevSecOps professional, or security architect, this feature is your sandbox for policy validation that removes guesswork from network security.
Test before you trust. With Calico, now you can.
This blog is based on a recent Software Plaza podcast with Reza Ramezanpour, Developer Advocate at Tigera. To watch the full video, click here.
