Project Calico: Priority between "global policy" and "network policy"

4/8/2021

I am testing Project Calico on a small Kubernetes cluster and I am trying to figure out which of "global policy" and "network policy" is applied to the data stream first.

What I understand:

  • the data path with Calico is that the pod's host is always the next hop, and the traffic is then filtered with iptables
  • policies (network and global) can have a priority (the lower priority is applied first)

I did many tests, but sometimes the global network policy takes precedence over the network policy and sometimes it is exactly the opposite.

Can you explain this to me and tell me if I am wrong somewhere?

Thank you!

-- adbkp
kubernetes
project-calico

2 Answers

4/9/2021

It would be nice to have an exact example of your configuration along with the expected and real results. This is a very wide topic that touches a huge amount of settings.

In general, Calico Network policy is a namespace related resource, while Calico Global network policy is not.


Calico Network policy:

A network policy resource (NetworkPolicy) represents an ordered set of rules which are applied to a collection of endpoints that match a label selector.

NetworkPolicy is a namespaced resource. NetworkPolicy in a specific namespace only applies to workload endpoint resources in that namespace. Two resources are in the same namespace if the namespace value is set the same on both.

Calico Global network policy

GlobalNetworkPolicy is not a namespaced resource. GlobalNetworkPolicy applies to workload endpoint resources in all namespaces, and to host endpoint resources. Select a namespace in a GlobalNetworkPolicy in the standard selector by using projectcalico.org/namespace as the label name and a namespace name as the value to compare against, e.g., projectcalico.org/namespace == "default".

A Calico global network policy applies to all workloads (VMs and containers) in all namespaces, as well as hosts (computers that run the hypervisor for VMs, or container runtime for containers).

Precedence comes from selectors, which are a very powerful way to manage and sort resources. Most probably you have an issue with them while testing different options. Look, just like here: globalnetworkpolicy with networkpolicy not allowing expected traffic. Check your labels, selectors and everything related to that.

And also scopes. The issue may be easy there.



Also check the official example Enable default deny for Kubernetes pods -- a good starting point for understanding policies, with a lot of good advice on how to manage that in the best way. And they also use both policies (Global/normal) simultaneously.

-- Vit
Source: StackOverflow

6/25/2021

Global vs non-global is not a factor in deciding the order that policies are applied in. Ordering is determined by the "order" field on Calico NetworkPolicy and GlobalNetworkPolicy resources, with smaller "order" policies being applied first.

If not specified, "order" defaults to infinity, so policies with an unspecified "order" will be applied last.

Calico also implements the Kubernetes NetworkPolicy resource, which doesn't have an explicit "order" field. To order those against the Calico resources, we treat Kubernetes NetworkPolicy resources as though they had an implicit "order" of 1000.

There is a tie-breaker in the code for policies with the same order value, but you shouldn't need to know what that is, or rely on it, because it's better to use an explicit "order" value, whenever ordering matters.

-- Neil Jerram
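The ordering rules in the answer above, worked through as an added example (not code from the thread or from Calico itself): policies are sequenced by their effective "order" value regardless of global or namespaced scope, a missing "order" sorts as infinity, Kubernetes NetworkPolicy gets an implicit 1000, and policies that share an order value are flagged because their relative sequence would depend on the internal tie-breaker. The sample manifests are constructed for illustration and reduced to the fields that matter for ordering.

```python
import math
from typing import Dict, List, Tuple

# Implicit order Calico gives Kubernetes NetworkPolicy resources (per the answer).
K8S_NETWORKPOLICY_ORDER = 1000.0


def effective_order(policy: Dict) -> float:
    """Order value Calico uses to sequence this policy; global vs namespaced
    plays no part. Calico policies without spec.order sort as +infinity."""
    if policy["apiVersion"].startswith("networking.k8s.io/"):
        return K8S_NETWORKPOLICY_ORDER
    order = policy.get("spec", {}).get("order")
    return math.inf if order is None else float(order)


def application_sequence(policies: List[Dict]) -> List[str]:
    """Policy names in the sequence Calico evaluates them. Python's stable sort
    keeps input order for equal keys; that is not Calico's tie-breaker."""
    return [p["metadata"]["name"] for p in sorted(policies, key=effective_order)]


def ambiguous_orders(policies: List[Dict]) -> List[Tuple[float, List[str]]]:
    """Groups of policies sharing one order value: their relative sequence rests
    on Calico's internal tie-breaker, so give them distinct explicit orders."""
    groups: Dict[float, List[str]] = {}
    for p in policies:
        groups.setdefault(effective_order(p), []).append(p["metadata"]["name"])
    return sorted((o, names) for o, names in groups.items() if len(names) > 1)


# Constructed sample manifests (not from the thread), reduced to the fields
# that matter for ordering.
SAMPLE_POLICIES = [
    {"apiVersion": "projectcalico.org/v3", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-frontend", "namespace": "shop"},
     "spec": {"order": 800}},
    {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
     "metadata": {"name": "global-allow-dns"}, "spec": {"order": 500}},
    {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
     "metadata": {"name": "global-default-deny"}, "spec": {}},  # no order: infinity
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "k8s-db-isolation", "namespace": "shop"},
     "spec": {}},  # implicit order 1000
    {"apiVersion": "projectcalico.org/v3", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-metrics", "namespace": "shop"},
     "spec": {"order": 500}},  # same order as global-allow-dns: tie
]
```

Running `ambiguous_orders` over the manifests you actually have applied is a quick check for policies whose relative position silently depends on the tie-breaker the answer warns against relying on.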