Use ICMP/ping rules in policy

Big picture

Use Calico network policy to allow and deny ICMP/ping messages.

Value

The Internet Control Message Protocol (ICMP) provides valuable network diagnostic functions, but it can also be used maliciously. Attackers can use it to learn about your network, or for DoS attacks. Using Calico network policy, you can control where ICMP is used. For example, you can:

  • Allow ICMP ping, but only for workloads, only for host endpoints, or for both
  • Allow ICMP for pods launched by operators for diagnostic purposes, but block other uses
  • Temporarily enable ICMP to diagnose a problem, then disable it after the problem is resolved
  • Deny/allow ICMPv4 and/or ICMPv6

Features

This how-to guide uses the following Calico features:

GlobalNetworkPolicy or NetworkPolicy with:

  • Protocol match for ICMPv4 and ICMPv6
  • icmp/notICMP match for ICMP type and code

Concepts

ICMP packet type and code

Calico network policy also lets you deny and allow ICMP traffic based on specific types and codes. For example, you can specify ICMP type 5, code 2 to match specific ICMP redirect packets.

For details, see ICMP type and code.

How to

Deny all ICMP, all workloads and host endpoints

In this example, we introduce a “deny all ICMP” GlobalNetworkPolicy.

This policy selects all workloads and host endpoints. It enables a default deny for all workloads and host endpoints, in addition to the explicit ICMP deny rules specified in the policy.

If your ultimate goal is to allow some traffic, have your regular “allow” policies in place before applying a global deny-all ICMP traffic policy.

In this example, all workloads and host endpoints are blocked from sending or receiving ICMPv4 and ICMPv6 messages.

If ICMPv6 messages are not used in your deployment, it is still good practice to deny them specifically as shown below.

In any “deny-all” Calico network policy, be sure to specify a lower order (for example, order: 200) than the regular policies that might allow traffic.

  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: block-icmp
  spec:
    order: 200
    selector: all()
    types:
    - Ingress
    - Egress
    ingress:
    - action: Deny
      protocol: ICMP
    - action: Deny
      protocol: ICMPv6
    egress:
    - action: Deny
      protocol: ICMP
    - action: Deny
      protocol: ICMPv6

Allow ICMP ping, all workloads and host endpoints

In this example, workloads and host endpoints can receive ICMPv4 type 8 and ICMPv6 type 128 ping requests that come from other workloads and host endpoints.

All other traffic may be allowed by other policies. If traffic is not explicitly allowed, it will be denied by default.

The policy applies only to ingress traffic. (Egress traffic is not affected, and default deny is not enforced for egress.)

  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-ping-in-cluster
  spec:
    selector: all()
    types:
    - Ingress
    ingress:
    - action: Allow
      protocol: ICMP
      source:
        selector: all()
      icmp:
        type: 8 # Ping request
    - action: Allow
      protocol: ICMPv6
      source:
        selector: all()
      icmp:
        type: 128 # Ping request

Allow ICMP matching protocol type and code, all Kubernetes pods

In this example, only Kubernetes pods that match the selector projectcalico.org/orchestrator == 'kubernetes' are allowed to receive ICMPv4 type 3, code 1 (host unreachable) messages.

  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-host-unreachable
  spec:
    selector: projectcalico.org/orchestrator == 'kubernetes'
    types:
    - Ingress
    ingress:
    - action: Allow
      protocol: ICMP
      icmp:
        type: 3 # Destination unreachable
        code: 1 # Host unreachable
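The following is an added worked example, not code from Calico or from the Calico project: a small Python evaluator that applies the three policies on this page (block-icmp, allow-ping-in-cluster, allow-host-unreachable) to constructed ICMP headers, so the combined effect of the protocol match, the icmp type/code match (see "ICMP packet type and code" above), policy order and the default deny can be checked offline before anything is applied to a cluster. It assumes a simplified selector syntax (only all() and key == 'value'), Allow/Deny actions only, that policies without an order sort after ordered ones, and constructed label sets for the endpoints; ICMP checksums are not validated.

```python
"""Toy evaluator for Calico-style ICMP rules (added example, not Calico code)."""
import struct
from dataclasses import dataclass, field

# The three policies from this page, transcribed into dicts (constructed input).
BLOCK_ICMP = {
    "name": "block-icmp", "order": 200, "selector": "all()",
    "types": ["Ingress", "Egress"],
    "ingress": [{"action": "Deny", "protocol": "ICMP"},
                {"action": "Deny", "protocol": "ICMPv6"}],
    "egress": [{"action": "Deny", "protocol": "ICMP"},
               {"action": "Deny", "protocol": "ICMPv6"}],
}
ALLOW_PING = {
    "name": "allow-ping-in-cluster", "selector": "all()", "types": ["Ingress"],
    "ingress": [
        {"action": "Allow", "protocol": "ICMP", "source": {"selector": "all()"},
         "icmp": {"type": 8}},        # ICMPv4 ping request
        {"action": "Allow", "protocol": "ICMPv6", "source": {"selector": "all()"},
         "icmp": {"type": 128}},      # ICMPv6 ping request
    ],
}
ALLOW_HOST_UNREACHABLE = {
    "name": "allow-host-unreachable", "types": ["Ingress"],
    "selector": "projectcalico.org/orchestrator == 'kubernetes'",
    "ingress": [{"action": "Allow", "protocol": "ICMP",
                 "icmp": {"type": 3, "code": 1}}],  # destination unreachable, host unreachable
}


@dataclass
class Packet:
    protocol: str                 # "ICMP" (v4) or "ICMPv6"
    header: bytes                 # raw ICMP header
    src_labels: dict = field(default_factory=dict)   # labels of the sending endpoint


def build_icmp_header(icmp_type: int, code: int) -> bytes:
    """Constructed header: type, code, zero checksum, 4 bytes of rest-of-header."""
    return struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4


def parse_icmp_header(raw: bytes) -> tuple:
    """ICMPv4 and ICMPv6 headers both start with type(1), code(1), checksum(2)."""
    if len(raw) < 4:
        raise ValueError("ICMP header is at least 4 bytes")
    icmp_type, code, _checksum = struct.unpack("!BBH", raw[:4])
    return icmp_type, code


def selector_matches(selector: str, labels: dict) -> bool:
    """Simplified selector: only all() and key == 'value' (assumption, not Calico's parser)."""
    sel = selector.strip()
    if sel == "all()":
        return True
    key, _, value = sel.partition("==")
    return labels.get(key.strip()) == value.strip().strip("'\"")


def icmp_fields_match(spec: dict, icmp_type: int, code: int) -> bool:
    """type is required in an icmp/notICMP match; code is checked only when given."""
    if spec.get("type") != icmp_type:
        return False
    return "code" not in spec or spec["code"] == code


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    src = rule.get("source")
    if src and not selector_matches(src["selector"], pkt.src_labels):
        return False
    icmp_type, code = parse_icmp_header(pkt.header)
    if "icmp" in rule and not icmp_fields_match(rule["icmp"], icmp_type, code):
        return False
    if "notICMP" in rule and icmp_fields_match(rule["notICMP"], icmp_type, code):
        return False
    return True


def evaluate(policies: list, endpoint_labels: dict, direction: str, pkt: Packet) -> str:
    """First matching rule wins. Policies without an order go after ordered ones.
    If some policy governs the direction but no rule matches, the default is Deny."""
    applicable = [p for p in policies
                  if direction in p["types"] and selector_matches(p["selector"], endpoint_labels)]
    if not applicable:
        return "Allow"            # no policy for this direction: nothing is enforced
    applicable.sort(key=lambda p: (p.get("order", float("inf")), p["name"]))
    for policy in applicable:
        for rule in policy.get(direction.lower(), []):
            if rule_matches(rule, pkt):
                return rule["action"]
    return "Deny"                 # policy applied, no rule matched: default deny


def run_scenarios() -> dict:
    pod = {"projectcalico.org/orchestrator": "kubernetes"}   # a Kubernetes pod (constructed)
    host = {}                                                # an unlabeled host endpoint
    ping4 = Packet("ICMP", build_icmp_header(8, 0), pod)
    ping6 = Packet("ICMPv6", build_icmp_header(128, 0), pod)
    host_unreach = Packet("ICMP", build_icmp_header(3, 1), host)
    net_unreach = Packet("ICMP", build_icmp_header(3, 0), host)
    allow_only = [ALLOW_PING, ALLOW_HOST_UNREACHABLE]
    with_block = allow_only + [BLOCK_ICMP]
    return {
        "ping4_in": evaluate(allow_only, pod, "Ingress", ping4),
        "ping6_in": evaluate(allow_only, pod, "Ingress", ping6),
        "ping4_out_no_egress_policy": evaluate(allow_only, pod, "Egress", ping4),
        "host_unreach_to_pod": evaluate(allow_only, pod, "Ingress", host_unreach),
        "host_unreach_to_host_ep": evaluate(allow_only, host, "Ingress", host_unreach),
        "net_unreach_to_pod": evaluate(allow_only, pod, "Ingress", net_unreach),
        "ping4_in_with_block": evaluate(with_block, pod, "Ingress", ping4),
        "ping4_out_with_block": evaluate(with_block, pod, "Egress", ping4),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30} {verdict}")
```

Running the script prints one verdict per scenario. The unlabeled host endpoint is denied the host-unreachable message because allow-host-unreachable does not select it and allow-ping-in-cluster (which does) has no matching rule, while the same message with code 0 is denied even to a pod because the code does not match; the last two scenarios show the deny-all policy at order 200 being evaluated before the unordered allow policies.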

Above and beyond

For more on the ICMP match criteria, see: