
Calico network policy in Kubernetes based on Domain name & Wildcard char

I have an application running with the Kubernetes orchestrator. I want to implement a Calico network policy based on domain names or wildcard characters, so that domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector).

I came across the Calico doc which says the same thing, but I am not sure if this is free or paid? Can someone confirm this? Also, where can I get an example of this?


DNS policy is a paid feature since it's a part of Calico Enterprise and Calico Cloud. You can check this here.

Full comparison of features between open source Calico, Calico Cloud and Calico Enterprise

As for examples, it's often very difficult to find working examples for paid products; however, I managed to find a simple example of how it will look:

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.allow-external-dns-egress
spec:
  tier: security
  selector: 'projectcalico.org/namespace == "dev" && app == "centos"'
  order: 90
  types:
    - Egress
  egress:
  - action: Allow
    protocol: UDP
    source: {}
    destination:
      ports:
      - '53'
      # openshift dns port
      - '5353'
  - action: Allow
    source:
      selector: app == 'centos'
    destination:
      domains:
      - '*.google.com'
      - 'google.com'
  # this rule only necessary if there is no policy that would pass all unmatched traffic to the following tier
  # - action: Pass
  #   source: {}
  #   destination: {}
```

Link to the example above in the Calico GitHub repository

The idea is to not allow any egress traffic to any domain except google.com.

The example shows how it should work.

solveit:
Will this example work, since it is under the enterprise package? I want to implement a network policy based on domain using CIDR; do you think the Kubernetes DNSSelector [ https://github.com/kubernetes/kubernetes/issues/50453 ] might help?
moonkotte:
This will work if you use Calico Enterprise; there are no other options to have this work like this. Also, for the last state, they suggested using `calico cni` for this - see [this comment](https://github.com/kubernetes/kubernetes/issues/50453#issuecomment-368334028)
solveit:
How about the Kubernetes DNS service https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ to control the egress calls? With some DNS server that I can integrate with k3s and use this service?
moonkotte:
This is a different question and you should consider asking this separately to comply with StackExchange guidelines. Please refer to [One post with multiple questions or multiple posts?](https://meta.stackexchange.com/questions/39223/one-post-with-multiple-questions-or-multiple-posts)