Cisco
Login
Search
Software Secure Workload
Activity Configure

Deploy Software Agents on Workloads Enforce Policies with Agents Enforcement of Kubernetes Pods on Windows Nodes

Last updated: Jun 09, 2025

Enforcement of Kubernetes Pods on Windows Nodes

After you install the Kubernetes DaemonSet agent on the Windows worker nodes, it captures the network flows from the Windows worker nodes and the Kubernetes pods in an AKS environment.

Requirements

  • Enforcement of Kubernetes pods is supported in an AKS environment with Windows nodes.

  • Enforcement mode MUST be WFP with Preserve Rules set to Off.

  • Supported on Microsoft Windows Server 2019 and Windows Server 2022.

The policies are enforced on vSwitch for ports that are connected to pods using VFP. The Virtual Filtering Platform (VFP) is a component of vSwitch used to configure filters for processing network traffic. While enforcing the policies, the Preserve Mode is Off.

Each filter has the following attributes:

  • Id: Filter Name

  • Direction: In or Out

  • RuleType: Switch or Host.

    • Configure the filter on vSwitch when the type is Switch.

    • Create a WFP filter when the type is Host.

  • Action: Allow or Block

  • LocalPorts: This can be a port or range. For example, 80 or 100-200.

  • RemotePorts: Same as LocalPorts.

  • LocalAddresses: It is an address or range. For example, 10.224.0.5, 10.224.1.0/24 (10.224.1.1-10.224.1.10 is not allowed).

  • RemoteAddress: Same as LocalAddresses

  • Protocol: ICMP/TCP/UDP/IGMP Protocol 255 is IPPROTO_RAW and 256 – PROTO_MAX

The ports can only be specified for UDP and TCP, and ports are not allowed in the policy unless a protocol is specified.

Configuring a policy on a virtual port is a transaction-based operation. If one of the filters is invalid, enforcing the entire policy is rendered unsuccessful.

This is the stateful enforcement. Application, user, or service-based policies are currently not supported.

Compatibility with Calico

Pods enforcement works in "preserve rules" off mode. When the Windows agent enforces the rules on pods, it deletes the already configured policies. If the Calico plug-in enforces the network policies after the agent, the agent identifies it as deviation and network policies that are configured by Calico are deleted and agent policies are re-enforced.


 

The enforced policies are deleted when the Windows agent is uninstalled on the Windows nodes.

Visibility of Configured VFP Filters

An option to list the pod filters using Secure Workload is not available. In an AKS environment, you can use the built-in PowerShell script. Run the following PowerShell script: c:\k\debug\collectlogs.ps1. View the output files vfpoutput.txt and hnsdiag.txt for the configured filters.

Delete VFP Filters Configured by Windows Agent

  1. Run cmd.exe with administrative privileges.

  2. Run the command: <installation folder>\tetenf.exe -d -f -pods -token=<yyyymm>.


 

The command deletes VFP filters for all the pods.

Troubleshoot Enforced Policies and Network Flows

  1. Run the command: netsh wfp start capture keywords=19.

  2. Run network traffic.

  3. Stop capturing the flows: netsh wfp stop capture.

  4. Extract wfpdiag.xml from the wfpdiag.cab file. View the dropped flows.

To map the allowed or dropped network flows to Pod policies:

  1. Start ETW session: logman start <session name> -p Microsoft-Windows-Hyper-V-VfpExt -o <output file.etl> -ets

  2. Run network traffic.

  3. Stop capturing flows: logman stop <session name>.

  4. In the command prompt, run: tracerpt <output file.etl>. The command creates the dumpfile.xml file. View the network flows.

Previous topic Policies Based on User Group or User Name Next topic Agent Enforcement on AIX Platform