I'm running a managed cluster with Google Cloud, so it has an option to enable NetworkPolicy, and on the backend it uses Calico. The problem I have is that it looks like I can use only API version networking.k8s.io/v1.
I'm trying to create a policy that will disable any internal egress traffic from a pod, and allow any ingress + egress to/from the external network.
With the Calico API it will look something like this:
    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: policy-name
      namespace: namespace-name
    spec:
      selector: label == value
      types:
        - Ingress
        - Egress
      ingress:
        - action: Allow
          notProtocol: UDP
          destination:
            ports:
              - 53
        - action: Allow
          notProtocol: TCP
          destination:
            ports:
              - 53
      egress:
        - action: Deny
          protocol: UDP
          destination:
            ports:
              - 53
        - action: Deny
          protocol: TCP
          destination:
            ports:
              - 53
Or a negative version of the following policy:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: policy-name
      namespace: namespace-name
    spec:
      podSelector:
        matchLabels:
          label: value
      policyTypes:
        - Egress
      egress:
        - ports:
            - port: 53
              protocol: UDP
            - port: 53
              protocol: TCP
        - to:
            - namespaceSelector: {}
So I have 2 questions:
1. Is it possible to reproduce the rule above with the networking.k8s.io/v1 API?
2. Can I somehow enable the projectcalico.org/v3 API on a managed GKE cluster?
Finally, after 2 days spent. It appears that to apply configs from the 'projectcalico.org/v3' API you have to first install, or deploy to your cluster, the CLI tool calicoctl. Then you can apply your policy with

    calicoctl apply -f ./policy.yml

or, if it's deployed to the cluster, with the alias

    alias calicoctl="kubectl exec -i -n kube-system calicoctl /calicoctl -- "
    cat ./policy.yml | calicoctl apply -f -

And below is a working policy that will disable egress to private networks and will allow only public:
    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: policy-name
      namespace: namespace-name
    spec:
      selector: label == value
      types:
        - Egress
      egress:
        - action: Allow
          protocol: UDP
          destination:
            ports: [53]
        - action: Allow
          protocol: TCP
          destination:
            ports: [53]
        - action: Deny
          destination:
            nets:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
        - action: Allow
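As an added illustration (not part of the answer above, and not Calico's own code), here is a small Python model of how Calico walks the egress rules of the working policy: rules are evaluated in order, the first match decides, and a selected pod with no matching rule is denied. The rule list and private ranges are taken from the policy; the rule-matching logic and sample destinations are assumptions for the demo, and it also shows why moving the Deny rule ahead of the DNS rules would break cluster DNS.

```python
import ipaddress

# Egress rules of the working policy, in the order Calico evaluates them.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EGRESS_RULES = [
    {"action": "Allow", "protocol": "UDP", "ports": [53]},   # DNS over UDP
    {"action": "Allow", "protocol": "TCP", "ports": [53]},   # DNS over TCP
    {"action": "Deny", "nets": PRIVATE_NETS},                # RFC1918 ranges
    {"action": "Allow"},                                     # everything else
]


def rule_matches(rule, dst_ip, protocol, port):
    """Simplified Calico match: every field present in the rule must match."""
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    if "ports" in rule and port not in rule["ports"]:
        return False
    if "nets" in rule:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n) for n in rule["nets"]):
            return False
    return True


def egress_verdict(dst_ip, protocol, port, rules=EGRESS_RULES):
    """Return (action, index of the first matching rule).

    A pod selected by an Egress-type policy with no matching rule is
    denied, so the fall-through is ("Deny", None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, dst_ip, protocol, port):
            return rule["action"], index
    return "Deny", None


if __name__ == "__main__":
    # Constructed sample destinations: cluster DNS, an internal service,
    # a public address, and the edge of the 172.16.0.0/12 range.
    samples = [
        ("10.0.0.10", "UDP", 53),
        ("10.0.0.10", "TCP", 443),
        ("8.8.8.8", "TCP", 443),
        ("172.31.255.255", "TCP", 80),
        ("172.32.0.1", "TCP", 80),
    ]
    for dst in samples:
        print(dst, "->", egress_verdict(*dst))
    # Deny placed first: DNS inside the cluster is now blocked.
    reordered = [EGRESS_RULES[2]] + EGRESS_RULES[:2] + [EGRESS_RULES[3]]
    print("Deny-first DNS:", egress_verdict("10.0.0.10", "UDP", 53, reordered))
```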