Hi all,
We are planning to leverage Calico Network policy to enhance our cluster security. Gone through the Calico official document and got some idea on GlobalNetworkPolicy and NetworkPolicy, but one thing which is still a grey area to us is GlobalNetworkset.
We would really appreciate, if someone could clear this doubt.
Cluster: AKS
Thanks in advance
https://docs.projectcalico.org/reference/resources/globalnetworkset:
A global network set resource (GlobalNetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.
The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a global network policy rule, it includes the CIDRs from any network sets that match the selector.
A global network policy resource (
GlobalNetworkPolicy) represents an ordered set of rules which are applied to a collection of endpoints that match a label selector.
GlobalNetworkPolicyis not a namespaced resource.GlobalNetworkPolicyapplies to workload endpoint resources in all namespaces, and to host endpoint resources. Select a namespace in aGlobalNetworkPolicyin the standard selector by usingprojectcalico.org/namespaceas the label name and anamespacename as the value to compare against, e.g.,projectcalico.org/namespace == "default". See network policy resource for namespaced network policy.
GlobalNetworkPolicyresources can be used to define network connectivity rules between groups of Calico endpoints and host endpoints, and take precedence over Profile resources if any are defined.
So in a globalnetworkset, you would put a list of CIDRs that you want to talk about in your policies. Those CIDRs might represent internal networks, machines running databases, etc. The GNS has labels.
Those labels can then be used in your calico policies to define traffic policy to/from the IPs in the GNS