Hello
I have been trying to use a GlobalNetworkSet (GNS) inside my GlobalNetworkPolicy (GNP), but so far it is not creating iptables rules with the network used in my GNS.
```yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkSet
metadata:
  name: subcloud-list
  labels:
    role: systemcontroller
spec:
  nets:
  - 40.40.40.1/32
##########################################################
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: controller-data0-if-gnp
spec:
  applyOnForward: false
  #######################
  egress:
  # rule
  - action: Allow
    ipVersion: 4
    protocol: TCP
  # rule
  - action: Allow
    ipVersion: 4
    protocol: UDP
  # rule
  - action: Allow
    protocol: ICMP
  #######################
  ingress:
  #--------------------------------
  # rule
  - metadata:
      annotations:
        network: mgmt-tcp
    action: Allow
    destination:
      ports:
      - 52010
      - 52011
      - 52012
    ipVersion: 4
    protocol: TCP
    source:
      namespaceSelector: global()
      selector: has(role) && role == 'systemcontroller'
      nets:
      - 20.20.20.0/24
  #######################
  order: 100
  selector: has(iftype) && iftype == 'data0'
  types:
  - Ingress
  - Egress
##########################################################
---
apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:
  labels:
    iftype: data0
    notetype: controller
  name: controller-1-data0-if-hep
spec:
  expectedIPs:
  - 20.20.20.2
  - 30.30.30.2
  interfaceName: enp0s9
  node: controller-1
```
I did set my source entity rule in the “mgmt-tcp” rule to:

```yaml
namespaceSelector: global()
selector: has(role) && role == 'systemcontroller'
```

But from the documentation, “selector” is to be used for endpoints, so it is not clear to me how my GNP will use my GNS.
After applying, I can see in iptables that the rule was created for the nets config (20.20.20.0/24), but I was expecting an extra rule with the CIDR address in my GNS (40.40.40.1/32):

```
root@controller-1:/var/home/sysadmin# iptables-save | grep 52010
-A cali-pi-_NpOZJkjKTGRsb1G_x3r -s 20.20.20.0/24 -p tcp -m comment --comment "cali:6FT5azne4JD29_pg" -m comment --comment "network=mgmt-tcp" -m comment --comment "Policy controller-data0-if-gnp ingress" -m set --match-set cali40s:EMwO7olUhuRXLsHyJpTbVqA src -m multiport --dports 52010,52011,52012 -j MARK --set-xmark 0x10000/0x10000
root@controller-1:/var/home/sysadmin# iptables-save | grep "40\.40\.40"
root@controller-1:/var/home/sysadmin#
```
I could not find an example of how to use GNP with GNS; if someone can give some help, I would appreciate it.
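As an added illustration (not part of the original post, and not Calico's own code) of why the iptables line above carries both `-s 20.20.20.0/24` and the `--match-set` ipset in one rule: every field inside a single entity rule must match the same packet, so `nets` and `selector` are ANDed, and a selector can match network sets as well as endpoints. The script below models that with a deliberately simplified evaluator for the selector syntax used in the post (an assumption of this example, not Calico's parser); the object list is constructed from the posted manifests.

```python
import ipaddress
import re

# Constructed sample objects mirroring the post: the GlobalNetworkSet and the
# HostEndpoint, reduced to their labels plus the addresses they contribute.
OBJECTS = [
    {"kind": "GlobalNetworkSet", "name": "subcloud-list",
     "labels": {"role": "systemcontroller"}, "nets": ["40.40.40.1/32"]},
    {"kind": "HostEndpoint", "name": "controller-1-data0-if-hep",
     "labels": {"iftype": "data0", "notetype": "controller"},
     "nets": ["20.20.20.2/32", "30.30.30.2/32"]},
]

# The source entity rule from the "mgmt-tcp" ingress rule in the post.
POSTED_RULE = {"selector": "has(role) && role == 'systemcontroller'",
               "nets": ["20.20.20.0/24"]}

_TERM = re.compile(r"has\((\w+)\)|(\w+)\s*(==|!=)\s*'([^']*)'")

def selector_matches(selector, labels):
    """Evaluate a small subset of Calico's selector language (assumption of
    this example): has(k), k == 'v' and k != 'v', joined with '&&'."""
    for term in selector.split("&&"):
        m = _TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        has_key, key, op, value = m.groups()
        if has_key:
            ok = has_key in labels
        else:
            ok = (labels.get(key) == value) == (op == "==")
        if not ok:
            return False
    return True

def effective_sources(rule, objects):
    """CIDRs a source entity rule can actually match: the addresses of every
    selected object, intersected with `nets` when the rule lists any."""
    selected = [ipaddress.ip_network(n) for o in objects
                if selector_matches(rule["selector"], o["labels"])
                for n in o["nets"]]
    if "nets" not in rule:
        return sorted(str(n) for n in selected)
    listed = [ipaddress.ip_network(n) for n in rule["nets"]]
    # Two CIDRs overlap only when one contains the other; keep the smaller.
    hits = {str(s if s.subnet_of(l) else l)
            for s in selected for l in listed
            if s.subnet_of(l) or l.subnet_of(s)}
    return sorted(hits)
```

With the posted rule the selected CIDR 40.40.40.1/32 does not overlap 20.20.20.0/24, so the effective source set is empty; dropping `nets` from the rule leaves 40.40.40.1/32.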