How to allow a namespace to reach the kube API server

Hi,

I'm trying to configure Calico in my on-prem k8s cluster. I have defined these rules:

  • Global default deny-all, except DNS (53), and except for the namespaces kube-system and calico.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-policy
spec:
  # Applies to pods in every namespace except the infrastructure namespaces listed;
  # projectcalico.org/name is the label Calico adds to each namespace carrying its name
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "metallb-system"}
  types:
    - Ingress
    - Egress
  # No ingress rules are given, so ingress to the selected pods is not allowed by this policy
  egress:
    # allow all namespaces to communicate to DNS pods (UDP only; DNS over TCP is not covered by this rule)
    - action: Allow
      protocol: UDP
      destination:
        selector: 'k8s-app == "kube-dns"'
        ports:
          - 53
    # no other egress rule: egress that no policy allows is dropped

Now I'd like to allow access to the kube API server (apiserver) from specific namespaces. I've tried this without any success:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-allow-apiserver
spec:
  # Only pods in the gitlab-runners namespace get this egress rule
  namespaceSelector: projectcalico.org/name == "gitlab-runners"
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        # A label selector only matches endpoints that Calico networks (pods);
        # an apiserver running with hostNetwork or outside the cluster is not one,
        # and 443 is the kubernetes Service port, not the port the apiserver listens on
        selector: 'component == "apiserver"'
        ports:
          - 443

I think I missed something somewhere. Any help please? :hugs:

OK, found it by using:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-allow-k8sapi
  namespace: "gitlab-system"
spec:
  # No selector given, so the policy applies to every pod in gitlab-system
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        # The apiserver's real address and listening port; the kubernetes Service
        # ClusterIP:443 is DNATed to this endpoint before egress policy is evaluated
        nets:
          - 10.0.2.11/32
        ports:
          - 6443

But I'll try to use a selector instead of an IP address.
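An added example, not from the original thread, of the selector-style rule the poster is after instead of a hard-coded address. It uses Calico's `services` destination match (added in Calico 3.20) to allow egress to the `kubernetes` Service in the `default` namespace, which is how in-cluster clients reach the API server; because the match is resolved against the Service and its endpoints, it covers the ClusterIP path that kube-proxy DNATs before policy is evaluated, and it keeps working if the control-plane address changes or there are several API server endpoints. The namespace `gitlab-system` is taken from the post; the policy name and `selector: all()` are my choices.

```yaml
# Added example, not the poster's code. Requires Calico >= 3.20 for the
# `services` match. Applies to every pod in gitlab-system (selector: all()).
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-k8s-apiserver      # name chosen for this example
  namespace: gitlab-system        # namespace from the original post
spec:
  selector: all()
  types:
    - Egress
  egress:
    - action: Allow
      destination:
        # Match the API server by Service rather than by node IP and port 6443;
        # the Service's own ports and endpoints are used, so none are listed here
        services:
          name: kubernetes
          namespace: default
```

Apply it with `calicoctl apply -f <file>` (or `kubectl apply -f` when the Calico API server is installed), then check from a pod in the namespace with `kubectl -n gitlab-system exec <pod> -- curl -sk https://kubernetes.default.svc/version`. The global default-deny policy from the first post still has to let the pod resolve `kubernetes.default.svc`, so its DNS rule must stay in place.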

Happy to see that you have found the solution to your problem easily.