Global Policy to default allow traffic within namespaces


We are setting up a strict default deny policy with calico to disable any traffic except the failsafe rules. Now we have multiple namespaces that are increasing since every application is scoped with several namespaces.

Now the idea is to default allow traffic WITHIN namespaces with an order above the default deny. However, I was not successful in finding a scalable approach here. It seems that we need to explicitly create a NetworkPolicy for each new namespace that looks mostly the same.

I am looking for something like this: you define a rule once and it applies to all resources in a namespace with the allow-all-in-ns label.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-self-policy
spec:
  namespaceSelector: 'has(allow-all-in-ns)'
  ingress:
  - action: Allow
    source:
      namespaceSelector: has(allow-all-in-ns) && self
  egress:
  - action: Allow
    destination:
      namespaceSelector: has(allow-all-in-ns) && self

I don't want any communication between namespaces with the label allow-all-in-ns, but I want communication inside each namespace with this label. Is this currently possible with the feature set of Calico?

Best answer:

While namespaces allow you to isolate objects into specific groups, they don't provide any kind of isolation. It is possible to have cross-namespace traffic (see here for more details), which means that if a container just uses , it will resolve to the service which is local to a namespace. This is useful for using the same configuration across multiple namespaces such as Development, Staging and Production. If you want to reach across namespaces, you need to use the fully qualified domain name (FQDN).

To address this we have NetworkPolicy, which, once applied with an appropriate selector, can be used to isolate traffic between cluster objects. You can check more about it here.

Unfortunately there is no way of having what you described, and if I understand it correctly, with the policy you want to apply you will deny access to your kube-system pods, especially core-dns, which are essential for cluster networking.

As the GlobalNetworkPolicy applies globally you could use that to default-deny all except those with kube-system and then use NetworkPolicies for every pod and restrict their egress and ingress with some labeling leaving place only for allowed traffic.

Calico policy rules can be ordered to be enforced either before or after K8s policies and include many actions such as deny and log. This allows the security / cluster ops team to define basic high-level, more general-purpose rules while empowering the developer / service / cluster users team to define their own fine-grained rules on the apps and services they are responsible for. Check this doc for more about evaluation order.

As Calico policy rules can be ordered to be enforced either before or after Kubernetes network policies, and can include actions such as deny and log, this allows the security / cluster ops team to define basic higher-level more-general purpose rules, while empowering the developer / service teams to define their own fine-grained constraints on the apps and services they are responsible for.

Due to the flexibility of network policies, there are often multiple different ways of labeling and writing policies that can achieve the same particular goal.

One of the most common approaches is to have a small number of global policies that apply to all pods, and then a single pod specific policy that defines all the ingress and egress rules that are particular to that pod.

You can read more about best practices and default-deny at calico site.

To summarize, after looking at the Calico documentation it is not possible to have one single rule that will do what you want to achieve. Another way to achieve it would be to perhaps use Helm and its charts to automate this process of extra network policy creation.
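The layering the answer describes (a global default deny that spares kube-system, plus a per-namespace allow policy generated for every labelled namespace), as an added example that is not part of the question or the answer; it assumes kubectl can reach the Calico API server and uses the asker's allow-all-in-ns label:

```shell
# Added example, not from the question or answer: a global default deny that
# leaves kube-system alone (as the answer advises) plus one namespaced Calico
# policy per namespace labelled allow-all-in-ns (the label from the question).
# Assumes kubectl talks to the Calico API server; calicoctl apply also works.
global_default_deny() {
  cat <<'EOF'
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 1000   # evaluated after the per-namespace policies (order 100)
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system"}
  types: [Ingress, Egress]   # no rules: everything selected is denied
EOF
}
# A rule selector without a namespaceSelector only matches endpoints in the
# policy's own namespace, so this allows intra-namespace traffic while
# cross-namespace traffic still falls through to the global deny.
ns_policy() {
  cat <<EOF
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-within-namespace
  namespace: $1
spec:
  order: 100
  selector: all()
  ingress:
  - action: Allow
    source: {selector: all()}
  egress:
  - action: Allow
    destination: {selector: all()}
  - action: Allow   # name resolution still needs kube-dns in kube-system
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
EOF
}
apply_all() {
  global_default_deny | kubectl apply -f -
  for ns in $(kubectl get ns -l allow-all-in-ns -o jsonpath='{.items[*].metadata.name}'); do
    ns_policy "$ns" | kubectl apply -f -
  done
}
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it with the argument `apply` to push both layers; newly labelled namespaces just need the script re-run (or the same loop put in a Helm template or a CI job).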