How to block external connectivity with Calico
This document (000020124) is provided subject to the disclaimer at the end of this document.
Situation
Task
In cases where it is desired to control external connectivity from the cluster, such as to deny or allow specific IP addresses or ports from Pods using the CNI network, a GlobalNetworkPolicy
object can be used to control the rules applied to all nodes in the cluster.
The GlobalNetworkPolicy
is provided by the Calico CRD deployed on RKE clusters.
Pre-requisites
- An RKE cluster configured with the Canal or Calico CNI
Steps
Configure a YAML manifest with the desired rules, using the nets
and/or ports
keys, the Calico documentation provides some more information on each field.
In the below example, the EC2 metadata is being denied to prevent Pods from accessing the IAM profile credentials of the instance.
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: deny-ec2-metadata
spec:
types:
- Egress
egress:
- action: Deny
destination:
nets:
- 169.254.169.254/32
- action: Allow
destination:
nets:
- 0.0.0.0/0
Deny 80/TCP connectivity external to the cluster
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: deny-http
spec:
types:
- Egress
egress:
- action: Deny
protocol: TCP
destination:
ports:
- 80
- action: Allow
destination:
nets:
- 0.0.0.0/0
Apply the YAML file created and test connectivity from a Pod running within the cluster on the CNI network.
Note: Pods running with
hostnetwork: true
will not be included in theGlobalNetworkPolicy
as these Pods do not use the CNI network.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020124
- Creation Date: 06-May-2021
- Modified Date:12-Mar-2024
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com