Calico GlobalNetworkPolicy in kubernetes not working as expected


I want to implement a simple global network policy using Calico. This policy should do the following things:

  1. Allow all ingress across the cluster (i.e. no inbound restrictions on any pod)
  2. Allow all egress from every pod to any destination (internal and external) except to the destination IPs ["1.1.1.1", "2.2.2.2"]

Below is the YAML I am using, but after applying it, all my outbound access to any IP is blocked.

     apiVersion: projectcalico.org/v3
     kind: GlobalNetworkPolicy
     metadata:
       name: global-deny-gnp
     spec:
       order: 100
       namespaceSelector: ""
       types:
         - Egress
       egress:
         - action: Deny
           protocol: TCP
           destination:
             nets: ["1.1.1.1", "2.2.2.2"]

Need help!!!


There are 2 answers

Jen Luther Thomas (BEST ANSWER)

You could try this policy:

     apiVersion: projectcalico.org/v3
     kind: GlobalNetworkPolicy
     metadata:
       name: global-deny-gnp
     spec:
       order: 100
       namespaceSelector: ""
       types:
         - Egress
       egress:
         - action: Deny
           protocol: TCP
           destination:
             nets: ["1.1.1.1", "2.2.2.2"]
         - action: Allow

The reason I added the extra action is because of this: if one or more network policies apply to a pod containing egress rules, then only the egress traffic specifically allowed by those policies is allowed.

Because you haven't added any allow rules, but you have added an egress deny policy, all traffic is denied by default. Adding the allow after the deny means anything that isn't denied by your first rule will be passed to the second rule. You could try an allow notNets, or use selectors, as an entity rule.

RAMNEEK GUPTA

You should use a CIDR range instead of bare IPs in the destination nets field. Also, the namespace selector is not needed; a GlobalNetworkPolicy applies to all namespaces by default. Also check for other GlobalNetworkPolicies or adjust the order of this policy: if there are other such policies with an order lower than 100, they will take precedence.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: global-deny-gnp
spec:
  order: 100
  types:
    - Egress
  egress:
    - action: Deny
      protocol: TCP
      destination:
        nets: ["1.1.1.1/32", "2.2.2.2/32"]  # Replace with the appropriate CIDR notation
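To make the reasoning in both answers concrete, here is an added example (my own code, not from the Calico project and not from either answerer) that simulates how Calico evaluates egress rules for a pod in the default tier: policies sorted by ascending `order`, rules checked first-match within each policy, `Allow`/`Deny` terminating, and an implicit deny when at least one policy selected the pod but no rule matched. The policies `DENY_ONLY`, `DENY_THEN_ALLOW` and `ALLOW_ALL_EARLY` are constructed here in the shape of the thread's YAML `spec` blocks; the assumption that the pod's profile allows traffic when no policy applies (or a `Pass` rule hands off) matches Calico's default `kns.<namespace>` profile for Kubernetes pods. Tiers are not modelled.

```python
"""Simulate Calico egress policy evaluation for a single pod (added example)."""
import ipaddress
from typing import Dict, List, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Rule = Dict
Policy = Dict

# Constructed policies, same shape as the thread's YAML spec blocks.
DENY_ONLY: Policy = {
    "name": "global-deny-gnp",
    "order": 100,
    "types": ["Egress"],
    "egress": [
        {"action": "Deny", "protocol": "TCP",
         "destination": {"nets": ["1.1.1.1/32", "2.2.2.2/32"]}},
    ],
}

DENY_THEN_ALLOW: Policy = {
    "name": "global-deny-gnp",
    "order": 100,
    "types": ["Egress"],
    "egress": [
        {"action": "Deny", "protocol": "TCP",
         "destination": {"nets": ["1.1.1.1/32", "2.2.2.2/32"]}},
        {"action": "Allow"},  # catch-all, as in the accepted answer
    ],
}

# Hypothetical pre-existing policy with a lower order number: Calico evaluates
# it first, so the deny rule at order 100 is never reached.
ALLOW_ALL_EARLY: Policy = {
    "name": "allow-all-egress",
    "order": 50,
    "types": ["Egress"],
    "egress": [{"action": "Allow"}],
}


def _in_any(ip: Addr, nets: List[str]) -> bool:
    # strict=False also accepts a bare IP as a host route (/32 or /128)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, protocol: str, dst: Addr) -> bool:
    """A rule matches only if every criterion it specifies matches."""
    if "protocol" in rule and rule["protocol"].upper() != protocol.upper():
        return False
    dest = rule.get("destination", {})
    if dest.get("nets") and not _in_any(dst, dest["nets"]):
        return False
    if dest.get("notNets") and _in_any(dst, dest["notNets"]):
        return False
    return True  # a rule with no criteria ({"action": "Allow"}) matches all


def evaluate_egress(policies: List[Policy], protocol: str, dst_ip: str) -> str:
    """Return "Allow" or "Deny" for one egress connection attempt."""
    dst = ipaddress.ip_address(dst_ip)
    applicable = sorted(
        (p for p in policies if "Egress" in p.get("types", [])),
        key=lambda p: p.get("order", float("inf")),  # lower order first
    )
    if not applicable:
        return "Allow"  # no policy selected the pod: profile decides (assumed allow)
    for policy in applicable:
        for rule in policy.get("egress", []):
            if not rule_matches(rule, protocol, dst):
                continue
            action = rule["action"]
            if action in ("Allow", "Deny"):
                return action
            if action == "Pass":
                return "Allow"  # skip remaining policies, profile decides
            # "Log" is non-terminating: keep evaluating
    return "Deny"  # policies applied but no rule matched: implicit deny


if __name__ == "__main__":
    cases = [("deny only", [DENY_ONLY]),
             ("deny then allow", [DENY_THEN_ALLOW]),
             ("order 50 allow-all + deny then allow", [DENY_THEN_ALLOW, ALLOW_ALL_EARLY])]
    for label, pols in cases:
        for proto, ip in (("TCP", "8.8.8.8"), ("TCP", "1.1.1.1"), ("UDP", "1.1.1.1")):
            print(f"{label:40} {proto} -> {ip}: {evaluate_egress(pols, proto, ip)}")
```

Two caveats the simulation makes visible. First, the thread's deny rule carries `protocol: TCP`, so UDP and ICMP to 1.1.1.1 fall through to the `Allow` rule; if the intent is to cut off those addresses entirely, drop the `protocol` field. Second, any other GlobalNetworkPolicy with a lower `order` that allows all egress is evaluated before this one and makes the deny rule unreachable, which is the ordering point in the second answer.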