我的书签
添加书签
移除书签Use ICMP/ping rules in policy
Value
The Internet Control Message Protocol (ICMP) provides valuable network diagnostic functions, but it can also be used maliciously. Attackers can use it to learn about your network, or for DoS attacks. Using Calico network policy, you can control where ICMP is used. For example, you can:
- Allow ICMP ping, but only for workloads, host endpoints (or both)
- Allow ICMP for pods launched by operators for diagnostic purposes, but block other uses
- Temporarily enable ICMP to diagnose a problem, then disable it after the problem is resolved
This how-to guide uses the following Calico features:
GlobalNetworkPolicy or NetworkPolicy with:
- Protocol match for ICMPv4 and ICMPv6
- icmp/NotICMP match for ICMP type and code
Concepts
Calico network policy also lets you deny and allow ICMP traffic based on specific types and codes. For example, you can specify ICMP type 5, code 2 to match specific ICMP redirect packets.
- Deny all ICMP, all workloads and host endpoints
- Allow ICMP matching protocol type and code, all Kubernetes pods
In this example, we introduce a “deny all ICMP” GlobalNetworkPolicy.
This policy selects all workloads and host endpoints. It enables a default deny for all workloads and host endpoints, in addition to the explicit ICMP deny rules specified in the policy.
If your ultimate goal is to allow some traffic, have your regular “allow” policies in place before applying a global deny-all ICMP traffic policy.
In this example, all workloads and host endpoints are blocked from sending or receiving ICMPv4 and ICMPv6 messages.
In any “deny-all” Calico network policy, be sure to specify a lower order (order:200) than regular policies that might allow traffic.
In this example, workloads and host endpoints can receive ICMPv4 type 8 and ICMPv6 type 128 ping requests that come from other workloads and host endpoints.
All other traffic may be allowed by other policies. If traffic is not explicitly allowed, it will be denied by default.
The policy applies only to ingress traffic. (Egress traffic is not affected, and default deny is not enforced for egress.)
Above and beyond
For more on the ICMP match criteria, see:
