Get started with Calico network policy for OpenStack

Big picture

Use Calico network policy to extend security beyond OpenStack security groups.

Value

For deployment users, OpenStack security groups provides enough features and flexibility. But for deployment administrators, limited labeling in VM security groups makes it difficult to address all security use cases that arise. Calico network policy provides special VM labels so you can identify VMs and impose additional restrictions that cannot be bypassed by users’ security group configuration.

Features

This how-to guide uses the following Calico features:

  • Calico predefined OpenStack VM endpoint labels
  • GlobalNetworkPolicy or NetworkPolicy

Concepts

Multi-region deployments

Using the OpenStack API, it is difficult to apply policy to cross-region network traffic because security groups are local to a single region. In Calico, each region in your OpenStack deployment becomes a separate Calico namespace in a single etcd datastore. With regions mapped to namespaces, you can easily define Calico network policy for communications between VMs in different regions.

Labels: more flexibility, greater security

Calico provides predefined VM endpoint labels (projects, security groups, and namespaces) for OpenStack deployments. You can use these labels in selector fields in Calico network policy to identify the VMs for allow/deny policy.

Policy ordering and enforcement

Calico network policy is always enforced before OpenStack security groups, and cannot be overridden by user-level security group configuration.

Before you begin…

How to

Restrict all ingress traffic between specific security groups

In the following example, we create a GlobalNetworkPolicy that is applied before any OpenStack security group policy. It prevents all ingress communication between the OpenStack superman and lexluthor projects. We use the predefined Calico VM endpoint label, openstack-project-name, to identify projects.

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkPolicy
  3. metadata:
  4.   name: deny-lexluthor-to-superman
  5. spec:
  6.   order: 10
  7.   selector: "projectcalico.org/openstack-project-name == 'superman'"
  8.   types:
  9.     - Ingress
  10.   ingress:
  11.     - action: Deny
  12.       source:
  13.         selector: "projectcalico.org/openstack-project-name == 'lexluthor'"
  14. ---
  15. apiVersion: projectcalico.org/v3
  16. kind: GlobalNetworkPolicy
  17. metadata:
  18.   name: deny-superman-to-lexluthor
  19. spec:
  20.   order: 10
  21.   selector: "projectcalico.org/openstack-project-name == 'lexluthor'"
  22.   types:
  23.     - Ingress
  24.   ingress:
  25.     - action: Deny
  26.       source:
  27.         selector: "projectcalico.org/openstack-project-name == 'superman'"

Allow specific traffic between VMs in different regions

In the following example, we use the predefined VM endpoint label, openstack-security_group_ID. Traffic is allowed to VMs with the label, openstack-a773… on port 80, from VMs in any region with the label, openstack-85cc….

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkPolicy
  3. metadata:
  4.   name: allow-tcp-80
  5. spec:
  6.   selector: 'has(sg.projectcalico.org/openstack-a7734e61-b545-452d-a3cd-0189cbd9747a)'
  7.   types:
  8.     - Ingress
  9.   ingress:
  10.     - action: Allow
  11.       protocol: TCP
  12.       source:
  13.         selector: 'has(sg.projectcalico.org/openstack-85cc3048-abc3-43cc-89b3-377341426ac5)'
  14.       destination:
  15.         ports:
  16.           - 80

Above and beyond