Hi,
I’m trying to configure Calico in my on-prem k8s cluster. I have defined these rules:
- Global default deny all except DNS (53), and except for the namespaces kube-system and calico.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-policy
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "metallb-system"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53
Now I’d like to allow access to the kube API server (apiserver) from defined namespaces. I’ve tried this without any success:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-allow-apiserver
spec:
  namespaceSelector: projectcalico.org/name == "gitlab-runners"
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: 'component == "apiserver"'
      ports:
      - 443
I think I missed something somewhere. Any help please?
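A form of the allow rule that matches how Calico actually sees this traffic, added here as an example and not part of the original post: Calico evaluates egress after kube-proxy's DNAT, so the destination is the API server's host endpoint (a host-networked process, not a Calico workload endpoint that a `component == "apiserver"` pod selector could match), on the endpoint port rather than the Service's port 443. The address and port in the `nets` rule are placeholders to be replaced with the cluster's own `kubernetes` endpoints.

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-allow-apiserver
spec:
  # Explicit order: policies without an order are evaluated after ordered ones,
  # so this allow is checked before the order-less default-deny policy.
  order: 100
  namespaceSelector: projectcalico.org/name == "gitlab-runners"
  types:
  - Egress
  egress:
  # Calico >= 3.20: match the "kubernetes" Service itself. Calico resolves the
  # Service to its real endpoints (API server host IP and port), so protocol,
  # ports and selector are not needed and must not be combined with `services`.
  - action: Allow
    destination:
      services:
        name: kubernetes
        namespace: default
  # Older Calico: match the endpoint address and port directly, as seen after
  # DNAT. Placeholder values below; take the real ones from
  # `kubectl get endpoints kubernetes -n default`.
  - action: Allow
    protocol: TCP
    destination:
      nets:
      - 192.0.2.10/32   # placeholder: control-plane node running kube-apiserver
      ports:
      - 6443            # placeholder: the endpoint port, commonly 6443, not 443
```

Either rule alone is sufficient; keep only the one that applies to the installed Calico version.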