0
votes

I'm running a managed cluster with Google Cloud, so it has an option to enable NetworkPolicy, and on the backend it uses Calico. The problem I have is that it looks like I can only use API version networking.k8s.io/v1.

I'm trying to create a policy that will disable any internal egress traffic from a pod, and allow any ingress + egress to/from the external network.

With the Calico API it would look something like this:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: policy-name
  namespace: namespace-name
spec:
  selector: label == value
  types:
  - Ingress
  - Egress
  # Calico evaluates the rules in each list in order; first match wins.
  ingress:
  - action: Allow
    notProtocol: UDP
    destination:
      ports:
      - 53
  - action: Allow
    notProtocol: TCP
    destination:
      ports:
      - 53
  egress:
  - action: Deny
    protocol: UDP
    destination:
      ports:
      - 53
  - action: Deny
    protocol: TCP
    destination:
      ports:
      - 53

Or a negative version of the following policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: policy-name
  namespace: namespace-name
spec:
  podSelector:
    matchLabels:
      label: value
  policyTypes:
  - Egress
  egress:
  # Rule 1: DNS (UDP/TCP 53) to any destination
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # Rule 2: any traffic to pods in any namespace (the cluster-internal side)
  - to:
    - namespaceSelector: {}

So I have 2 questions: 1. Is it possible to reproduce the rule above with the networking.k8s.io/v1 API? 2. Can I somehow enable the projectcalico.org/v3 API on a managed GKE cluster?

If on the backend it uses Calico, is there a reason why you want to explicitly specify Calico in the apiVersion field? (Prashant)
I can't say for sure, but this seems unlikely. The CNI implementation on GKE is entirely controlled by Google. (coderanger)
@Prashant different syntax. With the networking.k8s.io/v1 API I can't use negative or deny statements, but it is possible with projectcalico.org/v3. (Sarkis Arutiunian)
Syntax is fine. But is there anything that can only be achieved by Calico and not by the GKE API? (Prashant)
@Prashant that's the question I'm asking :) (Sarkis Arutiunian)

1 Answer

2
votes

Finally, after 2 days spent: it appears that to apply configs from the API 'projectcalico.org/v3' you first have to install, or deploy to your cluster, the CLI tool calicoctl. Then you can apply your policy with

  calicoctl apply -f ./policy.yml

or, if it's deployed to the cluster, with the alias

  alias calicoctl="kubectl exec -i -n kube-system calicoctl /calicoctl -- "
  cat ./policy.yml | calicoctl apply -f -

And below is a working policy that will disable egress to private networks and will allow only public ones:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: policy-name
  namespace: namespace-name
spec:
  selector: label == value
  types:
  - Egress
  # Rules are evaluated in order; DNS is allowed before the private-range deny
  egress:
  - action: Allow
    protocol: UDP
    destination:
      ports: [53]
  - action: Allow
    protocol: TCP
    destination:
      ports: [53]
  # Deny everything else to the RFC 1918 ranges
  - action: Deny
    destination:
      nets:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  # Allow all remaining (public) egress
  - action: Allow
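Added example (not code from the question or the answer): the ordered, first-match evaluation Calico applies to the answer's egress rules, transcribed into Python so the effect of rule order can be checked offline. The matcher is a simplification that understands only protocol, notProtocol, destination ports and destination nets (no selectors); the destination addresses, including the 10.96.0.10 cluster DNS address, are constructed.

```python
import ipaddress

# Egress rules transcribed from the answer's projectcalico.org/v3 policy,
# as Python dicts so this runs without a YAML library.
ANSWER_EGRESS = [
    {"action": "Allow", "protocol": "UDP", "destination": {"ports": [53]}},
    {"action": "Allow", "protocol": "TCP", "destination": {"ports": [53]}},
    {"action": "Deny", "destination": {"nets": [
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}},
    {"action": "Allow"},
]

# Same rules with the Deny moved to the top: looks equivalent, but is not,
# because Calico evaluates the rules of a policy in order.
DENY_FIRST_EGRESS = [ANSWER_EGRESS[2]] + ANSWER_EGRESS[:2] + [ANSWER_EGRESS[3]]


def rule_matches(rule, dst_ip, protocol, port):
    """Simplified matcher: only protocol, notProtocol, destination.ports
    and destination.nets are understood (no selectors, no ICMP fields)."""
    if "protocol" in rule and rule["protocol"] != protocol:
        return False
    if "notProtocol" in rule and rule["notProtocol"] == protocol:
        return False
    dest = rule.get("destination", {})
    if "ports" in dest and port not in dest["ports"]:
        return False
    if "nets" in dest:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n) for n in dest["nets"]):
            return False
    return True


def evaluate_egress(rules, dst_ip, protocol, port):
    """First matching rule wins. Returns its action, or None when no rule
    matched (this policy then makes no decision and Calico continues with
    the endpoint's other policies and profiles)."""
    for rule in rules:
        if rule_matches(rule, dst_ip, protocol, port):
            return rule["action"]
    return None


if __name__ == "__main__":
    # Constructed destinations: a cluster DNS service on 10.96.0.10, an
    # internal HTTPS endpoint on 10.0.1.5 and a public address.
    for name, rules in (("answer", ANSWER_EGRESS), ("deny-first", DENY_FIRST_EGRESS)):
        print(name, "dns:", evaluate_egress(rules, "10.96.0.10", "UDP", 53),
              "internal:", evaluate_egress(rules, "10.0.1.5", "TCP", 443),
              "public:", evaluate_egress(rules, "8.8.8.8", "TCP", 443))
```

Moving the Deny rule ahead of the two DNS rules blocks name resolution to a cluster resolver that sits on an RFC 1918 address, which is why the answer lists the DNS rules first.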