I recently started with Calico network policies on an AKS cluster. The plan is to block all traffic for new namespaces, with the exception of traffic destined for the CoreDNS pods labeled "kube-dns". The policy should not be applied to the namespaces default, kube-system and calico-system.
I labeled the default namespace with: name=default
I've picked up an example from the Calico website and added the default namespace, link: https://docs.projectcalico.org/security/kubernetes-default-deny. But somehow the policy is also applied to the default namespace, which shouldn't be the case? I've labeled the default namespace.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-app-policy
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "default"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53
I also checked the documentation: https://docs.projectcalico.org/reference/resources/globalnetworkpolicy
has(projectcalico.org/name) --> matches resources with the label projectcalico.org/name, independent of value
&& projectcalico.org/name not in {"kube-system", "calico-system", "default"} --> matches resources without the label projectcalico.org/name, or with the label projectcalico.org/name and a value not in the given set {"kube-system", "calico-system"}
Meaning (?): it will apply to any namespace, except for the namespaces with the label and the value set to kube-system or calico-system. But if that's the case, why doesn't it work? I've added a label to the default namespace: name=default
AKS clusters currently deploy with Calico v3.8.9, which does not support spec.namespaceSelector (this is added in v3.10). You may be able to emulate such a policy by explicitly allowing (in ingress and egress) traffic within the kube-system namespace using the namespaceSelector field within the source and destination fields (see https://docs.projectcalico.org/archive/v3.8/reference/resources/globalnetworkpolicy#entityrule).
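As an added illustration of the approach the answer suggests (this is example code written for this page, not the question's policy or anything from the answerer), the following GlobalNetworkPolicy avoids spec.namespaceSelector entirely, so it fits the v3.8 API. It selects every workload endpoint with selector: all() and recognises the exempt namespaces inside the rules, using namespaceSelector on the endpoint's own side of each rule (destination for ingress, source for egress). Those rules use action: Pass instead of Allow: Allow is terminal, so it would let all traffic through for pods in those namespaces regardless of any other policy, whereas Pass stops evaluating this policy and hands the packet to the next policy or the namespace profile, so the exempt namespaces keep whatever behaviour they had before. The policy name, the order value, and the assumption that the namespace label projectcalico.org/name is available to namespaceSelector in this version are mine; a TCP 53 rule is added alongside the UDP one because resolvers retry over TCP when a response is truncated.

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-except-system   # assumed name for the example
spec:
  # Assumed order. Calico converts Kubernetes NetworkPolicies to order 1000,
  # so a lower value makes this policy run before them.
  order: 10
  # No spec.namespaceSelector (that field arrives in v3.10): select every
  # workload endpoint and recognise the exempt namespaces in the rules instead.
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  # In an ingress rule the destination is the endpoint the policy is applied
  # to. Pass stops evaluating this policy for pods in the exempt namespaces
  # and defers to the next policy or the namespace profile; Allow would be
  # terminal and bypass every other policy for those pods.
  - action: Pass
    destination:
      namespaceSelector: projectcalico.org/name in {"kube-system", "calico-system", "default"}
  # No further ingress rules: once a policy selects an endpoint and no rule
  # matches, the packet is denied, so pods in all other namespaces get no
  # ingress at all (including from pods in the exempt namespaces).
  egress:
  # In an egress rule the source is the endpoint the policy is applied to.
  - action: Pass
    source:
      namespaceSelector: projectcalico.org/name in {"kube-system", "calico-system", "default"}
  # Everything else may only talk to the cluster DNS pods. The selector is
  # evaluated cluster-wide because this is a global policy.
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      selector: k8s-app == "kube-dns"
      ports:
      - 53
```

Apply it with calicoctl apply -f <file>. Because the exempt namespaces fall through to later policies and then to the namespace profile, which allows traffic for Kubernetes namespaces, their pods behave as before unless a Kubernetes NetworkPolicy in that namespace says otherwise; every other namespace is locked down to DNS egress only, which is the behaviour the question asks for.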