How to block external connectivity with Calico
This document (000020124) is provided subject to the disclaimer at the end of this document.
In cases where it is desired to control external connectivity from the cluster, such as to deny or allow specific IP addresses or ports from Pods using the CNI network, a
GlobalNetworkPolicy object can be used to control the rules applied to all nodes in the cluster.
GlobalNetworkPolicy is provided by the Calico CRD deployed on RKE clusters.
- An RKE cluster configured with the Canal or Calico CNI
Configure a YAML manifest the desired rules, using the
ports keys, the Calico documentation provides some more information on each field.
In the below example the EC2 metadata is being denied to prevent Pods from accessing the IAM profile credentials of the instance.
apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: name: deny-ec2-metadata spec: types: - Egress egress: - action: Deny destination: nets: - 169.254.169.254/32 - action: Allow destination: nets: - 0.0.0.0/0
Deny 80/TCP connectivity external to the cluster
apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: name: deny-http spec: types: - Egress egress: - action: Deny protocol: TCP destination: ports: - 80 - action: Allow destination: nets: - 0.0.0.0/0
Apply the YAML file created and test connectivity from a Pod running within the cluster on the CNI network.
Note: Pods running with
hostnetwork: truewill not be effected by the
GlobalNetworkPolicyas these Pods do not use the CNI network.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020124
- Creation Date: 06-May-2021
- Modified Date:06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com