How to block external connectivity with Calico

This document (000020124) is provided subject to the disclaimer at the end of this document.

Situation

Task

In cases where it is desired to control external connectivity from the cluster, such as to deny or allow specific IP addresses or ports from Pods using the CNI network, a GlobalNetworkPolicy object can be used to control the rules applied to all nodes in the cluster.

The GlobalNetworkPolicy is provided by the Calico CRD deployed on RKE clusters.

Pre-requisites

  • An RKE cluster configured with the Canal or Calico CNI

Steps

Configure a YAML manifest with the desired rules, using the nets and/or ports keys; the Calico documentation provides more information on each field.

In the example below, egress to the EC2 instance metadata address is denied, which prevents Pods from reading the IAM instance profile credentials of the node.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-ec2-metadata
spec:
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      nets:
      - 169.254.169.254/32
  - action: Allow
    destination:
      nets:
      - 0.0.0.0/0

Deny 80/TCP connectivity external to the cluster

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-http
spec:
  types:
  - Egress
  egress:
  - action: Deny
    protocol: TCP
    destination:
      ports:
      - 80
  - action: Allow
    destination:
      nets:
      - 0.0.0.0/0

Apply the YAML file created and test connectivity from a Pod running within the cluster on the CNI network.

Note: Pods running with hostNetwork: true will not be affected by the GlobalNetworkPolicy, as these Pods do not use the CNI network.
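The following is an added example, not code from the SUSE article or from Calico: it models how Calico walks one policy's egress rules in order with the first match deciding, using the two manifests above transcribed as Python dicts (constructed input). It shows why each manifest ends with an Allow to 0.0.0.0/0 and that a hostNetwork Pod is never evaluated.

```python
"""Added example, not from the SUSE article or Calico: first-match evaluation of
one GlobalNetworkPolicy's egress rules. Rule dicts transcribe the manifests above."""
import ipaddress

DENY_EC2_METADATA = [  # spec.egress of the deny-ec2-metadata policy (constructed)
    {"action": "Deny", "destination": {"nets": ["169.254.169.254/32"]}},
    {"action": "Allow", "destination": {"nets": ["0.0.0.0/0"]}},
]
DENY_HTTP = [  # spec.egress of the deny-http policy (constructed)
    {"action": "Deny", "protocol": "TCP", "destination": {"ports": [80]}},
    {"action": "Allow", "destination": {"nets": ["0.0.0.0/0"]}},
]

def port_matches(port, spec):
    """Calico port entries are ints or 'lo:hi' range strings."""
    for entry in spec:
        if isinstance(entry, str) and ":" in entry:
            lo, hi = (int(x) for x in entry.split(":", 1))
            if lo <= port <= hi:
                return True
        elif int(entry) == port:
            return True
    return False

def rule_matches(rule, dst_ip, dst_port, protocol):
    """A rule matches only when every selector it carries matches."""
    if rule.get("protocol", protocol) != protocol:
        return False
    dst = rule.get("destination", {})
    if "nets" in dst:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n) for n in dst["nets"]):
            return False
    if "ports" in dst and not port_matches(dst_port, dst["ports"]):
        return False
    return True

def evaluate_egress(rules, dst_ip, dst_port, protocol="TCP", host_network=False):
    """Verdict for one egress connection from a Pod.
    hostNetwork Pods bypass the CNI, so nothing is enforced for them. Otherwise
    rules are walked in order and the first match decides; if a policy selects
    the Pod but no rule matches, Calico's implicit default deny applies, which
    is why each manifest above ends with an Allow to 0.0.0.0/0."""
    if host_network:
        return "NotEnforced"
    for rule in rules:
        if rule_matches(rule, dst_ip, dst_port, protocol):
            return rule["action"]
    return "Deny"
```

Dropping the trailing Allow rule (DENY_EC2_METADATA[:1]) turns every non-metadata destination into a Deny, which is the behaviour to check for before applying a policy cluster-wide.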

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020124
  • Creation Date: 06-May-2021
  • Modified Date: 06-May-2021
    • SUSE Rancher
