Calico GlobalNetworkPolicy exclusion not working


Recently started with Calico network policies on an AKS cluster. The plan is to block all traffic for new namespaces with the exception of traffic destined for the CoreDNS pod labeled "kube-dns". The policy should not be applied to the namespaces: default, kube-system and calico-system.

Labeled the default namespace with: name=default

I've picked up an example from the Calico website and added the default namespace (link: https://docs.projectcalico.org/security/kubernetes-default-deny). But somehow the policy is also applied to the default namespace, which shouldn't be the case? I've labeled the default namespace.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-app-policy
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system","default"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53

Also checked the documentation: https://docs.projectcalico.org/reference/resources/globalnetworkpolicy

has(projectcalico.org/name) --> Matches resources with label projectcalico.org/name, independent of value

&& projectcalico.org/name not in {"kube-system", "calico-system", "default"} --> Matches resources without label projectcalico.org/name or with label projectcalico.org/name and value not in the given set {"kube-system", "calico-system"}

Meaning (?): it will apply to any namespace, except for the namespaces with a label and the value set to kube-system or calico-system. But if that’s the case, why doesn’t it work? I’ve added a label to the default namespace: name=default

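The selector semantics quoted above (has(), not in, and the == form used for the kube-dns rule) as an added Python example, not code from the question, the answer or Calico itself: a local evaluator for that selector subset, so a selector can be checked against candidate label sets before a policy is applied. It evaluates only the label dictionary handed to it, so supply a namespace's effective labels as the cluster reports them (e.g. from kubectl get ns <name> --show-labels).

```python
import re

# Constructed example: the namespaceSelector from the question's GlobalNetworkPolicy.
POLICY_SELECTOR = ('has(projectcalico.org/name) && '
                   'projectcalico.org/name not in {"kube-system", "calico-system", "default"}')
# Operator/punctuation, double- or single-quoted string, bare word, or an illegal character.
_TOKEN = re.compile(r'\s*(?:(&&|!=|==|[(){},])|"([^"]*)"|\'([^\']*)\'|([A-Za-z0-9_./-]+)|(\S))')


def tokenize(sel):
    """Split the selector subset used here (has(), ==, !=, in, not in, &&) into tokens."""
    toks = []
    for m in _TOKEN.finditer(sel):
        if m.group(5):
            raise ValueError(f"bad character {m.group(5)!r} in selector")
        toks.append(next(g for g in m.groups()[:4] if g is not None))
    return toks


def compile_selector(sel):
    """Build a predicate over a label dict. As documented, '!=' and 'not in'
    also match resources that lack the label entirely; has() requires it."""
    toks, pos = tokenize(sel), 0

    def take(expect=None):  # consume one token, optionally checking its text
        nonlocal pos
        tok = toks[pos] if pos < len(toks) else None
        pos += 1
        if tok is None or expect not in (None, tok):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r}")
        return tok

    def atom():
        word = take()
        if word == "has":  # has(key): the label is present, whatever its value
            take("("); key = take(); take(")")
            return lambda labels: key in labels
        key, op = word, take()
        if op == "not":
            take("in"); op = "not in"
        if op in ("==", "!="):
            val = take()
            return lambda labels: (labels.get(key) == val) == (op == "==")
        if op in ("in", "not in"):
            take("{"); vals = {take()}
            while take() == ",":  # comma-separated values; the loop ends on "}"
                vals.add(take())
            return lambda labels: (labels.get(key) in vals) == (op == "in")
        raise ValueError(f"unsupported operator {op!r}")

    parts = [atom()]
    while pos < len(toks):  # any further atoms must be joined by &&
        take("&&"); parts.append(atom())
    return lambda labels: all(p(labels) for p in parts)
```

With this evaluator, a namespace carrying only name=default is not selected by POLICY_SELECTOR at all, because has(projectcalico.org/name) fails on that label set; one carrying projectcalico.org/name=default is excluded by the not in clause.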

There is 1 answer

Benjamin George Roberts

AKS clusters currently deploy with Calico v3.8.9 which does not support spec.namespaceSelector (this is added in v3.10).

You may be able to emulate such a policy by explicitly allowing (in ingress and egress) traffic within the kube-system namespace using the namespaceSelector field within the source and destination fields (see https://docs.projectcalico.org/archive/v3.8/reference/resources/globalnetworkpolicy#entityrule).