Creating policy for basic connectivity
When a host endpoint is added, if there is no security policy for that endpoint, Calico will default to denying traffic to/from that endpoint, except for traffic that is allowed by the failsafe rules.
While the failsafe rules provide protection against removing all connectivity to a host:
- They are overly broad in allowing inbound SSH on any interface and allowing traffic out to etcd’s ports on any interface.
- Depending on your network, they may not cover all the ports that are required; for example, your network may rely on allowing ICMP, or DHCP.
Therefore, we recommend creating a failsafe Calico security policy that is tailored to your environment. The example command below shows one example of how you might do that; the command uses calicoctl
to create a single policy resource, which:
- Applies to all known endpoints.
- Allows inbound ssh access from a defined “management” subnet.
- Allows outbound connectivity to etcd on a particular IP; if you have multiple etcd servers you should duplicate the rule for each destination.
- Allows inbound ICMP.
- Allows outbound UDP on port 67, for DHCP.
When running this command, replace the placeholders in angle brackets with appropriate values for your deployment.
cat <<EOF | calicoctl create -f -
- apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: failsafe
spec:
selector: "all()"
order: 0
ingress:
- action: Allow
protocol: TCP
source:
nets:
- "<your management CIDR>"
destination:
ports: [22]
- action: Allow
protocol: ICMP
egress:
- action: Allow
protocol: TCP
destination:
nets: [<your etcd IP>/32]
ports: [<your etcd ports>]
- action: Allow
protocol: TCP
destination:
nets: [<your Kubernetes API server IP]
ports: [<your Kubernetes API server IP ports>]
- action: Allow
protocol: UDP
destination:
ports: [67]
EOF
Once you have such a policy in place, you may want to disable the failsafe rules.
note
Packets that reach the end of the list of rules fall-through to the next policy (sorted by the order
field). The selector in the policy, all()
, will match all endpoints, including any workload endpoints. If you have workload endpoints as well as host endpoints then you may wish to use a more restrictive selector. For example, you could label management interfaces with label endpoint_type = management
and then use selector endpoint_type == "management"
If you are using Calico for networking workloads, you should add inbound and outbound rules to allow BGP: add an ingress and egress rule to allow TCP traffic to destination port 179.