Tags: network-programming, kubernetes, calico, gke-networking

GKE deny statement with network policy + calico


I'm running a managed cluster with Google Cloud, so it has the option to enable NetworkPolicy, and on the backend it uses Calico. The problem I have: it looks like I can only use API version networking.k8s.io/v1.

I'm trying to create a policy that will disable any internal egress traffic from a pod, and allow any ingress + egress to/from the external network.

With the Calico API it would look something like this:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: policy-name
  namespace: namespace-name
spec:
  selector: label == value
  types:
  - Ingress
  - Egress
  # ingress and egress are fields of spec, so both must be indented under it
  # NOTE: Calico only accepts destination.ports together with protocol
  # TCP, UDP or SCTP; notProtocol combined with ports fails validation
  ingress:
  - action: Allow
    notProtocol: UDP
    destination:
      ports:
      - 53
  - action: Allow
    notProtocol: TCP
    destination:
      ports:
      - 53
  egress:
  - action: Deny
    protocol: UDP
    destination:
      ports:
      - 53
  - action: Deny
    protocol: TCP
    destination:
      ports:
      - 53

Or the negated version of the following policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: policy-name
  namespace: namespace-name
spec:
  podSelector:
    matchLabels:
      label: value
  policyTypes:
  - Egress
  # v1 rules are allow-only and additive: anything not matched below is dropped
  egress:
  # allow DNS (UDP/TCP 53) to any destination
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # allow all traffic to pods in every namespace
  - to:
    - namespaceSelector: {}

So I have 2 questions:
1. Is it possible to reproduce the rule above with the networking.k8s.io/v1 API?
2. Can I somehow enable the projectcalico.org/v3 API on a managed GKE cluster?


Solution

  • Finally, after 2 days spent. It appears that to apply configs from the API 'projectcalico.org/v3' you first have to install, or deploy to your cluster, the CLI tool calicoctl. Then you can apply your policy with calicoctl apply -f ./policy.yml or, if it's deployed to the cluster, with the alias alias calicoctl="kubectl exec -i -n kube-system calicoctl -- /calicoctl" and then cat ./policy.yml | calicoctl apply -f -.

    And below is a working policy that will disable egress to the private network and allow only public:

    apiVersion: projectcalico.org/v3
    kind: NetworkPolicy
    metadata:
      name: policy-name
      namespace: namespace-name
    spec:
      selector: label == value
      types:
      - Egress
      # Calico evaluates rules in order; the first match wins
      egress:
      # rules 1-2: allow DNS (UDP/TCP 53) anywhere, including the cluster DNS
      # service, which sits in the private range denied below
      - action: Allow
        protocol: UDP
        destination:
          ports: [53]
      - action: Allow
        protocol: TCP
        destination:
          ports: [53]
      # rule 3: deny everything else to RFC 1918 ranges (pods, services, VPC)
      - action: Deny
        destination:
          nets:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
      # rule 4: allow all remaining (public) destinations
      - action: Allow
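Because Calico applies the egress rules above in order with first-match semantics, the DNS allows have to sit before the private-range deny or the pod loses name resolution. The following is an added example, not code from the question or the answer: a small Python model of that evaluation, run over a few constructed flows, so you can check a rule ordering offline before applying it with calicoctl. It is a simplification (only action, protocol, ports, nets and their not* variants; no selectors, ICMP or named ports), and 10.0.0.10 is a made-up stand-in for the kube-dns ClusterIP.

```python
import ipaddress

# Egress rules copied from the answer's projectcalico.org/v3 policy, written
# as Python dicts so the example runs without a cluster.
EGRESS_RULES = [
    {"action": "Allow", "protocol": "UDP", "destination": {"ports": [53]}},
    {"action": "Allow", "protocol": "TCP", "destination": {"ports": [53]}},
    {"action": "Deny",
     "destination": {"nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}},
    {"action": "Allow"},  # no criteria at all: matches whatever is left
]


def _port_matches(port, spec):
    """Calico port entries are ints or "low:high" range strings."""
    for entry in spec:
        if isinstance(entry, str) and ":" in entry:
            low, high = (int(x) for x in entry.split(":", 1))
            if low <= port <= high:
                return True
        elif int(entry) == port:
            return True
    return False


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule, dst_ip, dst_port, proto):
    """A rule matches only when every criterion it specifies matches."""
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    if "notProtocol" in rule and rule["notProtocol"] == proto:
        return False
    dest = rule.get("destination", {})
    if "ports" in dest and not _port_matches(dst_port, dest["ports"]):
        return False
    if "notPorts" in dest and _port_matches(dst_port, dest["notPorts"]):
        return False
    if "nets" in dest and not _in_nets(dst_ip, dest["nets"]):
        return False
    if "notNets" in dest and _in_nets(dst_ip, dest["notNets"]):
        return False
    return True


def evaluate_egress(rules, dst_ip, dst_port, proto):
    """First-match evaluation. A policy with 'types: [Egress]' that selects
    the pod drops any egress flow no rule matches, so no match -> Deny."""
    for rule in rules:
        if rule_matches(rule, dst_ip, dst_port, proto):
            return rule["action"]
    return "Deny"


def deny_first(rules):
    """The same rules with the Deny moved to the top: a common mistake that
    silently breaks cluster DNS, because kube-dns lives in the private range."""
    denies = [r for r in rules if r["action"] == "Deny"]
    allows = [r for r in rules if r["action"] != "Deny"]
    return denies + allows


if __name__ == "__main__":
    # Constructed sample flows; 10.0.0.10 stands in for the kube-dns ClusterIP.
    flows = [
        ("10.0.0.10", 53, "UDP"),     # cluster DNS
        ("10.0.0.10", 443, "TCP"),    # some other cluster service
        ("172.20.1.1", 22, "TCP"),    # VPC host
        ("172.32.0.1", 22, "TCP"),    # just outside 172.16.0.0/12 -> public
        ("8.8.8.8", 443, "TCP"),      # internet
    ]
    for ip, port, proto in flows:
        ordered = evaluate_egress(EGRESS_RULES, ip, port, proto)
        swapped = evaluate_egress(deny_first(EGRESS_RULES), ip, port, proto)
        print(f"{proto} {ip}:{port:<4} as-written={ordered:5} deny-first={swapped}")
```

Note that 10.0.0.0/8 normally also covers the GKE pod and service ranges, so with this policy the selected pods can reach nothing inside the cluster except DNS; if they need a specific in-cluster service, an explicit Allow for it has to be inserted before the Deny, not after it.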