Use external IPs or networks rules in policy

    Value

    Modern applications often integrate with third-party APIs and SaaS services that live outside Kubernetes clusters. To securely enable access to those integrations, network security teams must be able to limit IP ranges for egress and ingress traffic to workloads. This includes using IP lists or ranges to deny-list bad actors or embargoed countries.

    Using Calico network policy, you can define IP addresses/CIDRs directly in policy rules to limit traffic to external networks. Alternatively, using Calico network sets, you can scale out by defining a set of IPs once and referencing it from multiple policies.

    • GlobalNetworkSet or NetworkSet to specify IPs/CIDRs to use in policy

    Concepts

    IP addresses and CIDRs can be specified directly in both Kubernetes and Calico network policy rules. Calico network policy supports IPv4 and IPv6 CIDRs.

    A network set resource is an arbitrary set of IP subnetworks/CIDRs that can be matched by standard label selectors in Kubernetes or Calico network policy. This is useful to reference a set of IP addresses using a selector from a namespaced network policy resource. It is typically used when you want to scale/reuse the same set of IP addresses in policy.

    In the following example, a Calico NetworkPolicy allows egress traffic from pods with the label color: red, if it goes to an IP address in the 192.0.2.0/24 CIDR block.

    In this example, we use a Calico GlobalNetworkSet and reference it in a GlobalNetworkPolicy.

    Next, we create two Calico GlobalNetworkPolicy objects. The first is a high “order” policy that allows traffic as a default for things that don’t match our second policy, which is low “order” and uses the GlobalNetworkSet label as a selector to deny ingress traffic (IP-deny-list in the previous step). In the label selector, we also include the term !has(projectcalico.org/namespace), which prevents this policy from matching pods or NetworkSets that also have this label. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the doNotTrack and applyOnForward options.
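    The deny-list pattern described in the two paragraphs above, written out as an added example (these manifests are not the page's own, and the names ip-protect, forward-default-allow and the labels ip-deny-list and apply-ip-protect are assumptions; the CIDRs are constructed documentation ranges). The policies are assumed to be applied to HostEndpoints carrying the apply-ip-protect label, since doNotTrack only takes effect on host endpoints.

```yaml
# Added example, not from the original page. Label names and CIDRs are assumed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: ip-protect
  labels:
    ip-deny-list: "true"   # the label the deny policy below selects on
spec:
  nets:
  - 198.51.100.0/24        # constructed example ranges to block
  - 203.0.113.55/32
---
# High "order" policy: evaluated last, allows anything the deny policy did not match.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: forward-default-allow
spec:
  selector: apply-ip-protect == 'true'   # assumed label on the HostEndpoints
  order: 1000
  doNotTrack: true       # untracked: enforced before conntrack, at packet level
  applyOnForward: true   # also applies to traffic forwarded through the host
  types:
  - Ingress
  ingress:
  - action: Allow
---
# Low "order" policy: evaluated first, drops ingress from any address in the set.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: ip-protect
spec:
  selector: apply-ip-protect == 'true'
  order: 0
  doNotTrack: true
  applyOnForward: true
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      # !has(projectcalico.org/namespace) keeps this from matching namespaced
      # NetworkSets or pods that happen to carry the ip-deny-list label.
      selector: ip-deny-list == 'true' && !has(projectcalico.org/namespace)
```

Because untracked policy is stateless, any return traffic the protected host needs must also be explicitly allowed rather than relying on connection tracking.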

    Above and beyond