Calico network policy in Kubernetes based on Domain name & Wildcard char

solveit

10/25/22, 9:28 AM

I have an application running with kubernetes orchestrator. I want to implement calico network policy based on domain name or wildcard characters so that domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector).

I came across calico doc which says the same thing, but not sure if this is free or paid ? Can someone confirm this? also where I can get example of this?

1061

1 + 0

kubernetes

calico

Score:1

Server

moonkotte

10/25/22, 1:43 PM

DNS policy is a paid feature since it's a part of Calico Enterprise and Calico Cloud. You can check this here.

Full comparison of features between open source calico, cloud and enterprise

As for examples, it's often very difficult to find working examples for paid products, however I managed to find simple example of how it will look like:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.allow-external-dns-egress
spec:
  tier: security
  selector: 'projectcalico.org/namespace == "dev" && app == "centos"'
  order: 90
  types:
    - Egress
  egress:
  - action: Allow
    protocol: UDP
    source: {}
    destination:
      ports:
      - '53'
      # openshift dns port
      - '5353'
  - action: Allow
    source:
      selector: app == 'centos'
    destination:
      domains:
      - '*.google.com'
      - 'google.com'
  # this rule only necessary if there is no policy that would pass all unmatched traffic to the following tier
  # - action: Pass
  #   source: {}
  #   destination: {}

Link to this example above in Calico github

Idea is to not allow any egress traffic to any domains, but google.com

It's shown how it should work in the example.

0 + 4

solveit

10/28/22, 5:02 AM

will this example work since it is under enterprise package? I want to implement network policy based on domain using CIDR, you think Kubernetes DNSSelector [ https://github.com/kubernetes/kubernetes/issues/50453 ] might help ?

moonkotte

10/28/22, 6:46 AM

This will work if you use calico enterprise, there are no other options to have this work like this. Also for the last state they suggested using `calico cni` for this - see [this comment](https://github.com/kubernetes/kubernetes/issues/50453#issuecomment-368334028)

solveit

10/30/22, 6:37 AM

How about Kubernetes DNS service https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ to control the egress calls ? With some dns server that I can integrate with k3s and use this service ?

moonkotte

10/30/22, 7:53 AM

This is a different question and you should consider asking this separately to comply with StackExchange guidelines. Please refer to [One post with multiple questions or multiple posts?](https://meta.stackexchange.com/questions/39223/one-post-with-multiple-questions-or-multiple-posts)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Calico network policy in Kubernetes based on Domain name & Wildcard char

TH: นโยบายเครือข่าย Calico ใน Kubernetes ตามชื่อโดเมนและ Wildcard char

RO: Politica de rețea Calico în Kubernetes, bazată pe numele domeniului și caracterul Wildcard

RU: Сетевая политика Calico в Kubernetes на основе доменного имени и подстановочного знака

VI: Chính sách mạng Calico trong Kubernetes dựa trên Tên miền & Ký tự đại diện

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.