Protect hosts

Big picture

Use Calico network policy to restrict traffic to/from hosts.

Value

Restricting traffic between hosts and the outside world is not unique to Calico; many solutions provide this capability. However, the advantage of using Calico to protect the host is you can use the same Calico policy configuration as workloads. You only need to learn one tool. Write a cluster-wide policy, and it is immediately applied to every host.

Features

This how-to guide uses the following Calico features:

  • HostEndpoint resource
  • GlobalNetworkPolicy
  • FelixConfiguration resource with parameters:
    • FailsafeInboundHostPorts
    • DefaultEndpointToHostAction

Concepts

Hosts and workloads

In the context of Calico configuration, a workload is a virtualized compute instance, like a VM or container. A host is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests.

Host endpoints

Each host has one or more network interfaces that it uses to communicate externally. You can use Calico network policy to secure these interfaces (called host endpoints). Calico host endpoints can have labels, and they work the same as labels on workload endpoints. The network policy rules can apply to both workload and host endpoints using label selectors.

Failsafe rules

It is easy to inadvertently cut all host connectivity because of non-existent or misconfigured network policy. To avoid this, Calico provides failsafe rules with default/configurable ports that are open on all host endpoints.

Default behavior of workload to host traffic

By default, Calico blocks all connections from a workload to its local host. You can control whether connections from a workload endpoint to its local host are dropped, returned, or accepted using a simple parameter.

Calico allows all connections from processes running on the host to guest workloads on the host. This allows host processes to run health checks and debug guest workloads.

Default behavior of external traffic to/from host

If a host endpoint is added and network policy is not in place, the Calico default is to deny traffic to/from that endpoint (except for traffic allowed by failsafe rules). For host endpoints, Calico blocks traffic only to/from interfaces that it’s been explicitly told about in network policy. Traffic to/from other interfaces is ignored.

Other host protection

In terms of design consistency in Calico, you may wonder about the following use cases.

Does Calico protect a local host from workloads?
Yes. DefaultEndpointToHostAction controls whether or not workloads can access their local host.

Does Calico protect a workload from the host it is running on?
No. Calico allows connections the host makes to the workloads running on that host. Some orchestrators like Kubernetes depend on this connectivity for health checking the workload. Moreover, processes running on the local host are often privileged enough to override local Calico policy. Be very cautious with the processes that you allow to run in the host’s root network namespace.

Before you begin…

If you are already running Calico for Kubernetes, you are good to go. If you want to install Calico on a non-cluster machine for host protection only, see Non-cluster hosts.

How to

Avoid accidentally cutting all host connectivity

To avoid inadvertently cutting all host connectivity because of non-existent or misconfigured network policy, Calico uses failsafe rules that open specific ports and CIDRs on all host endpoints.

Review the following table to determine if the defaults work for your implementation. If not, change the default ports using the parameters, FailsafeInboundHostPorts and FailsafeOutboundHostPorts in Configuring Felix.

PortProtocolCIDRDirectionPurpose
22TCP0.0.0.0/0InboundSSH access
53UDP0.0.0.0/0OutboundDNS queries
67UDP0.0.0.0/0OutboundDHCP access
68UDP0.0.0.0/0InboundDHCP access
179TCP0.0.0.0/0Inbound & OutboundBGP access (Calico networking)
2379TCP0.0.0.0/0Inbound & Outboundetcd access
2380TCP0.0.0.0/0Inbound & Outboundetcd access
6443TCP0.0.0.0/0Inbound & OutboundKubernetes API server access
6666TCP0.0.0.0/0Inbound & Outboundetcd self-hosted service access
6667TCP0.0.0.0/0Inbound & Outboundetcd self-hosted service access

Use policy to restrict host traffic

Step 1: Create policy to restrict host traffic

Although failsafe rules provide protection from removing all connectivity to a host, you should create a GlobalNetworkPolicy policy that restricts host traffic.

In the following example, we use a GlobalNetworkPolicy that applies to all worker nodes (defined by a label). Ingress SSH access is allowed from a defined “management” subnet.

Ingress traffic is also allowed for ICMP, and on TCP port 10250 (default kubelet port). Egress traffic is allowed to etcd on a particular IP, and UDP on port 53 and 67 for DNS and DHCP.

  1. apiVersion: projectcalico.org/v3
  2. kind: GlobalNetworkPolicy
  3. metadata:
  4. name: k8s-worker
  5. spec:
  6. selector: "role == 'k8s-worker'"
  7. order: 0
  8. ingress:
  9. - action: Allow
  10. protocol: TCP
  11. source:
  12. nets:
  13. - '<your management CIDR>'
  14. destination:
  15. ports: [22]
  16. - action: Allow
  17. protocol: ICMP
  18. - action: Allow
  19. protocol: TCP
  20. destination:
  21. ports: [10250]
  22. egress:
  23. - action: Allow
  24. protocol: TCP
  25. destination:
  26. nets:
  27. - '<your etcd IP>/32'
  28. ports: [2379]
  29. - action: Allow
  30. protocol: UDP
  31. destination:
  32. ports: [53, 67]

Step 2: Create host endpoints

For each host point that you want to secure with policy, you must create a HostEndpoint object. To do that, you need the name of the Calico node on the host that owns the interface; in most cases, it is the same as the hostname of the host.

In the following example, we create a HostEndpoint for the host named my-host with the interface named eth0, with IP 10.0.0.1. Note that the value for node: must match the hostname used on the Calico node object.

When the HostEndpoint is created, traffic to or from the interface is dropped unless policy is in place.

  1. apiVersion: projectcalico.org/v3
  2. kind: HostEndpoint
  3. metadata:
  4. name: my-host-eth0
  5. labels:
  6. role: k8s-worker
  7. environment: production
  8. spec:
  9. interfaceName: eth0
  10. node: my-host
  11. expectedIPs: ['10.0.0.1']

Control default behavior of workload endpoint to host traffic

The default Calico behavior blocks all connections from workloads to their local host (after traffic passes any egress policy applied to the workload). You can change this behavior using the DefaultEndpointToHostAction parameter in Felix configuration.

This parameter works at the IP table level, where you can specify packet behavior to Drop (default), Accept, or Return.

To change this parameter for all hosts, edit the FelixConfiguration object named “default.”

  1. Get a copy of the object to edit.

    1. calicoctl get felixconfiguration default --export -o yaml > default-felix-config.yaml
  2. Open the file in a text editor and add the parameter, defaultEndpointToHostAction. For example:

    1. apiVersion: projectcalico.org/v3
    2. kind: FelixConfiguration
    3. metadata:
    4. name: default
    5. spec:
    6. ipipEnabled: true
    7. logSeverityScreen: Info
    8. reportingInterval: 0s
    9. defaultEndpointToHostAction: Accept
  3. Update the FelixConfiguration on the cluster.

    1. calicoctl apply -f default-felix-config.yaml

Additional resources