Use external IPs or networks rules in policy

Big picture

Use Calico network policy to limit traffic to/from external non-Calico workloads or networks.

Value

Modern applications often integrate with third-party APIs and SaaS services that live outside Kubernetes clusters. To securely enable access to those integrations, network security teams must be able to limit IP ranges for egress and ingress traffic to workloads. This includes using IP lists or ranges to deny-list bad actors or embargoed countries.

Using Calico network policy, you can define IP addresses/CIDRs directly in policy to limit traffic to external networks. Or using Calico network sets, you can easily scale out by using the same set of IPs in multiple policies.

Features

This how-to guide uses the following Calico features:

  • GlobalNetworkSet or NetworkSet to specify IPs/CIDRs to use in policy
  • GlobalNetworkPolicy or NetworkPolicy to limit traffic to external networks using IP addresses or network sets

Concepts

IP addresses/CIDRs

IP addresses and CIDRs can be specified directly in both Kubernetes and Calico network policy rules. Calico network policy supports IPV4 and IPV6 CIDRs.

Network sets

A network set resource is an arbitrary set of IP subnetworks/CIDRs that can be matched by standard label selectors in Kubernetes or Calico network policy. This is useful to reference a set of IP addresses using a selector from a namespaced network policy resource. It is typically used when you want to scale/reuse the same set of IP addresses in policy.

A global network set resource is similar, but can be selected only by Calico global network policies.

How to

Limit traffic to or from external networks, IPs in network policy

In the following example, a Calico NetworkPolicy allows egress traffic from pods with the label color: red, if it goes to an IP address in the 192.0.2.0/24 CIDR block.

  1. apiVersion: projectcalico.org/v3
  2. kind: NetworkPolicy
  3. metadata:
  4. name: allow-egress-external
  5. namespace: production
  6. spec:
  7. selector: color == 'red'
  8. types:
  9. - Egress
  10. egress:
  11. - action: Allow
  12. destination:
  13. nets:
  14. - 192.0.2.0/24

Limit traffic to or from external networks, global network set

In this example, we use a Calico GlobalNetworkSet and reference it in a GlobalNetworkPolicy.

In the following example, a Calico GlobalNetworkSet deny-lists the CIDR ranges 192.0.2.55/32 and 203.0.113.0/24:

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkSet
  3. metadata:
  4. name: ip-protect
  5. labels:
  6. ip-deny-list: 'true'
  7. spec:
  8. nets:
  9. - 192.0.2.55/32
  10. - 203.0.113.0/24

Next, we create two Calico GlobalNetworkPolicy objects. The first is a high “order” policy that allows traffic as a default for things that don’t match our second policy, which is low “order” and uses the GlobalNetworkSet label as a selector to deny ingress traffic (IP-deny-list in the previous step). In the label selector, we also include the term !has(projectcalico.org/namespace), which prevents this policy from matching pods or NetworkSets that also have this label. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the doNotTrack and applyOnForward options.

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkPolicy
  3. metadata:
  4. name: forward-default-allow
  5. spec:
  6. selector: apply-ip-protect == 'true'
  7. order: 1000
  8. doNotTrack: true
  9. applyOnForward: true
  10. types:
  11. - Ingress
  12. ingress:
  13. - action: Allow
  14. ---
  15. apiVersion: projectcalico.org/v3
  16. kind: GlobalNetworkPolicy
  17. metadata:
  18. name: ip-protect
  19. spec:
  20. selector: apply-ip-protect == 'true'
  21. order: 0
  22. doNotTrack: true
  23. applyOnForward: true
  24. types:
  25. - Ingress
  26. ingress:
  27. - action: Deny
  28. source:
  29. selector: ip-deny-list == 'true' && !has(projectcalico.org/namespace)

Additional resources