How to block external connectivity with Calico
Article Number: 000020124
Situation
Task
Where external connectivity from the cluster needs to be controlled, for example to deny or allow specific IP addresses or ports for Pods on the CNI network, a GlobalNetworkPolicy object can be used to apply a single set of rules on all nodes in the cluster.
The GlobalNetworkPolicy is provided by the Calico CRD deployed on RKE clusters.
Pre-requisites
- An RKE cluster configured with the Canal or Calico CNI
Steps
Create a YAML manifest with the desired rules, using the nets and/or ports keys; the Calico documentation provides more information on each field.
In the example below, access to the EC2 metadata address is denied to prevent Pods from reading the IAM profile credentials of the instance:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-ec2-metadata
spec:
  types:
    - Egress
  egress:
    - action: Deny
      destination:
        nets:
          - 169.254.169.254/32
    - action: Allow
      destination:
        nets:
          - 0.0.0.0/0
The following example denies 80/TCP connectivity external to the cluster:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-http
spec:
  types:
    - Egress
  egress:
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - 80
    - action: Allow
      destination:
        nets:
          - 0.0.0.0/0
Apply the YAML file created and test connectivity from a Pod running within the cluster on the CNI network.
Note: Pods running with hostNetwork: true will not be included in the GlobalNetworkPolicy, as these Pods do not use the CNI network.
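To make the rule ordering in the two manifests above concrete, the following Python script (an added example, not part of this article or of Calico) evaluates an egress connection against a policy the way Calico does: rules are tried in order and the first matching rule decides the action, and when a policy selects the endpoint but no rule matches the traffic is dropped. The policies are rebuilt here as Python dictionaries mirroring the page's manifests rather than parsed from YAML, the destination addresses in the usage section are constructed, and the host_network flag models the note above that hostNetwork Pods are not subject to the policy. Port entries may be plain integers or "lo:hi" range strings, as Calico accepts.

```python
import ipaddress

# Constructed dict equivalents of the two manifests in this article.
DENY_EC2_METADATA = {
    "metadata": {"name": "deny-ec2-metadata"},
    "spec": {
        "types": ["Egress"],
        "egress": [
            {"action": "Deny", "destination": {"nets": ["169.254.169.254/32"]}},
            {"action": "Allow", "destination": {"nets": ["0.0.0.0/0"]}},
        ],
    },
}

DENY_HTTP = {
    "metadata": {"name": "deny-http"},
    "spec": {
        "types": ["Egress"],
        "egress": [
            {"action": "Deny", "protocol": "TCP", "destination": {"ports": [80]}},
            {"action": "Allow", "destination": {"nets": ["0.0.0.0/0"]}},
        ],
    },
}


def port_matches(port_entries, dst_port):
    """True if dst_port is covered by any entry; entries are ints or 'lo:hi' strings."""
    for entry in port_entries:
        if isinstance(entry, str) and ":" in entry:
            lo, hi = (int(x) for x in entry.split(":", 1))
            if lo <= dst_port <= hi:
                return True
        elif int(entry) == dst_port:
            return True
    return False


def rule_matches(rule, protocol, dst_ip, dst_port):
    """Every selector present on the rule must match; absent selectors match anything."""
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    dst = rule.get("destination", {})
    nets = dst.get("nets")
    if nets:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            return False
    ports = dst.get("ports")
    if ports and not port_matches(ports, dst_port):
        return False
    return True


def evaluate_egress(policy, protocol, dst_ip, dst_port, host_network=False):
    """Return 'Allow', 'Deny', or 'NotApplicable' for one outbound connection.

    First matching rule wins; a policy that applies but matches nothing drops
    the traffic. hostNetwork Pods bypass the CNI and so bypass the policy.
    """
    if host_network:
        return "NotApplicable"
    spec = policy["spec"]
    if "Egress" not in spec.get("types", []):
        return "NotApplicable"
    for rule in spec.get("egress", []):
        if rule_matches(rule, protocol, dst_ip, dst_port):
            return rule["action"]
    return "Deny"


def with_rules_reversed(policy):
    """Copy of the policy with its egress rules in the opposite order (ordering pitfall)."""
    spec = dict(policy["spec"])
    spec["egress"] = list(reversed(policy["spec"]["egress"]))
    return {"metadata": policy["metadata"], "spec": spec}


if __name__ == "__main__":
    # 203.0.113.10 is a constructed, documentation-range external address.
    print(evaluate_egress(DENY_EC2_METADATA, "TCP", "169.254.169.254", 80))   # Deny
    print(evaluate_egress(DENY_EC2_METADATA, "TCP", "203.0.113.10", 443))     # Allow
    print(evaluate_egress(DENY_HTTP, "TCP", "203.0.113.10", 80))              # Deny
    print(evaluate_egress(DENY_HTTP, "UDP", "203.0.113.10", 80))              # Allow
    # Putting the Allow 0.0.0.0/0 rule first would let the metadata request through.
    print(evaluate_egress(with_rules_reversed(DENY_EC2_METADATA), "TCP", "169.254.169.254", 80))  # Allow
```

The reversed-order case is the check worth running before applying a manifest: because Calico stops at the first matching rule, a broad Allow placed above a narrow Deny makes the Deny unreachable, and the policy silently stops protecting the metadata endpoint.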