How to associate GlobalNetworkSet with GlobalNetworkPolicy

Hello

I have been trying to use a GlobalNetworkSet (GNS) inside my GlobalNetworkPolicy (GNP), but so far it is not creating iptables rules with the network used in my GNS.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkSet
metadata:
  name: subcloud-list
  labels:
    role: systemcontroller
spec:
  nets:
    - 40.40.40.1/32
##########################################################
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: controller-data0-if-gnp
spec:
  applyOnForward: false
  #######################
  egress:
  # rule
  - action: Allow
    ipVersion: 4
    protocol: TCP
  # rule
  - action: Allow
    ipVersion: 4
    protocol: UDP
  # rule
  - action: Allow
    protocol: ICMP
  #######################
  ingress:
  #--------------------------------
  # rule
  - metadata:
      annotations:
        network: mgmt-tcp
    action: Allow
    destination:
      ports:
      - 52010
      - 52011
      - 52012
    ipVersion: 4
    protocol: TCP
    source:
      namespaceSelector: global()
      selector: has(role) && role == 'systemcontroller'
      nets:
      - 20.20.20.0/24
  #######################
  order: 100
  selector: has(iftype) && iftype == 'data0'
  types:
  - Ingress
  - Egress
##########################################################
---
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  labels:
    iftype: data0
    notetype: controller
  name: controller-1-data0-if-hep
spec:
  expectedIPs:
  - 20.20.20.2
  - 30.30.30.2
  interfaceName: enp0s9
  node: controller-1

I did set my source entity-rule in “mgmt-tcp” rule to

      namespaceSelector: global()
      selector: has(role) && role == 'systemcontroller'

But from the documentation, “selector” is to be used for endpoints, so it is not clear to me how my GNP will use my GNS.

After applying I can see in iptables that the rule was created for the nets config (20.20.20.0/24), but I was expecting an extra rule with the CIDR address in my GNS (40.40.40.1/32):

root@controller-1:/var/home/sysadmin# iptables-save | grep 52010
-A cali-pi-_NpOZJkjKTGRsb1G_x3r -s 20.20.20.0/24 -p tcp -m comment --comment "cali:6FT5azne4JD29_pg" -m comment --comment "network=mgmt-tcp" -m comment --comment "Policy controller-data0-if-gnp ingress" -m set --match-set cali40s:EMwO7olUhuRXLsHyJpTbVqA src -m multiport --dports 52010,52011,52012 -j MARK --set-xmark 0x10000/0x10000

root@controller-1:/var/home/sysadmin# iptables-save | grep "40\.40\.40"
root@controller-1:/var/home/sysadmin# 

I could not find an example of how to use GNP with GNS. If someone can help, I would appreciate it.
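Added example, not part of the original post: the rule in the `iptables-save` output above carries both `-s 20.20.20.0/24` and `-m set --match-set ... src`, and iptables requires every match in a rule to hit. The members of an IP set never appear in `iptables-save`, so this sketch parses the rule and evaluates source addresses against it; the set contents in `SAMPLE_SETS` are a constructed assumption standing in for what `ipset list` would report on the host.

```python
import ipaddress
import shlex

# The rule from the post, shortened to the matches that matter here.
RULE = ('-A cali-pi-_NpOZJkjKTGRsb1G_x3r -s 20.20.20.0/24 -p tcp '
        '-m comment --comment "network=mgmt-tcp" '
        '-m set --match-set cali40s:EMwO7olUhuRXLsHyJpTbVqA src '
        '-m multiport --dports 52010,52011,52012 '
        '-j MARK --set-xmark 0x10000/0x10000')

# Constructed sample: what `ipset list <name>` might show if the set holds the
# GlobalNetworkSet address. This is an assumption, not output from the post.
SAMPLE_SETS = {'cali40s:EMwO7olUhuRXLsHyJpTbVqA': ['40.40.40.1/32']}


def parse_rule(line):
    """Extract the source CIDR, source ipset names and ports from one rule."""
    tok = shlex.split(line)
    rule = {'src_net': None, 'src_sets': [], 'dports': []}
    for i, t in enumerate(tok):
        if t in ('-s', '--source'):
            rule['src_net'] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == '--match-set' and tok[i + 2] == 'src':
            rule['src_sets'].append(tok[i + 1])
        elif t == '--dports':
            rule['dports'] = tok[i + 1].split(',')
    return rule


def source_matches(rule, src_ip, sets):
    """iptables ANDs every match in a rule: -s and each src ipset must all hit."""
    ip = ipaddress.ip_address(src_ip)
    if rule['src_net'] is not None and ip not in rule['src_net']:
        return False
    for name in rule['src_sets']:
        members = [ipaddress.ip_network(m, strict=False)
                   for m in sets.get(name, [])]
        if not any(ip in m for m in members):
            return False
    return True


if __name__ == '__main__':
    r = parse_rule(RULE)
    print('ipsets to inspect with `ipset list`:', r['src_sets'])
    for ip in ('40.40.40.1', '20.20.20.5'):
        print(ip, '->', source_matches(r, ip, SAMPLE_SETS))
```

With the constructed set contents, neither address satisfies the rule: one fails the `-s` match and the other fails the set match.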