1

I have an application running with the Kubernetes orchestrator. I want to implement a Calico network policy based on domain names or wildcard characters, so that domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector).

I came across a Calico doc which says the same thing, but I'm not sure if this is free or paid? Can someone confirm this? Also, where can I get an example of this?

solveit
  • 255
  • 2
  • 11

1 Answer

1

DNS policy is a paid feature since it's a part of Calico Enterprise and Calico Cloud. You can check this here.

Full comparison of features between open source Calico, Calico Cloud and Calico Enterprise

As for examples, it's often very difficult to find working examples for paid products; however, I managed to find a simple example of how it will look:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.allow-external-dns-egress
spec:
  # tiers are a Calico Enterprise / Calico Cloud feature
  tier: security
  # pods this policy applies to: app=centos in the "dev" namespace
  selector: 'projectcalico.org/namespace == "dev" && app == "centos"'
  order: 90
  types:
    - Egress
  egress:
  # rule 1: allow DNS queries; Calico learns the IPs behind the domains below from the DNS responses
  - action: Allow
    protocol: UDP
    source: {}
    destination:
      ports:
      - '53'
      # openshift dns port
      - '5353'
  # rule 2: allow egress only to the listed domains (exact name or wildcard)
  - action: Allow
    source:
      selector: app == 'centos'
    destination:
      domains:
      - '*.google.com'
      - 'google.com'
  # this rule only necessary if there is no policy that would pass all unmatched traffic to the following tier
  # - action: Pass
  #   source: {}
  #   destination: {}

Link to this example above in the Calico GitHub repository

The idea is to not allow any egress traffic to any domains but google.com.

The example shows how it should work.

moonkotte
  • 290
  • 1
  • 8
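To make the semantics of the policy above concrete, here is an added Python model of how its egress rules are evaluated for a few destinations. It is example code written for this page, not code from the answer or from the Calico project; the policy is embedded as a constructed dict so no YAML library is needed. Two things are assumptions, not facts from the page: that a `*` in a domain entry matches one or more characters inside a single DNS label (so `*.google.com` covers `www.google.com` but neither `google.com` nor `maps.www.google.com`), and that traffic no rule matches ends in a deny, which is what the commented-out `Pass` rule in the answer exists to avoid when later tiers should see the traffic. Confirm both against the Calico Enterprise documentation for the version you run.

```python
import re

# Constructed for this example: the egress rules of the GlobalNetworkPolicy in the
# answer, written as a Python dict so the file runs without a YAML library.
POLICY = {
    "selector": 'projectcalico.org/namespace == "dev" && app == "centos"',
    "egress": [
        # Rule 1: let the selected pods reach DNS (UDP 53, and 5353 on OpenShift).
        {"action": "Allow", "protocol": "UDP",
         "destination": {"ports": ["53", "5353"]}},
        # Rule 2: allow egress only to the listed domains.
        {"action": "Allow",
         "destination": {"domains": ["*.google.com", "google.com"]}},
    ],
}


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a domain entry such as '*.google.com' into an anchored regex.

    Assumption (not stated on the page): '*' matches one or more characters
    inside a single DNS label and never crosses a '.', so '*.google.com'
    matches 'www.google.com' but neither 'google.com' nor 'a.b.google.com'.
    """
    escaped = re.escape(pattern.lower().rstrip("."))
    return re.compile("^" + escaped.replace(r"\*", r"[^.]+") + "$")


def domain_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive match of a destination name against one policy entry."""
    return wildcard_to_regex(pattern).match(domain.lower().rstrip(".")) is not None


def evaluate_egress(policy, dst_domain=None, protocol=None, dst_port=None):
    """Walk the egress rules in order and return the action of the first match.

    Only the fields the policy above uses (protocol, destination ports,
    destination domains) are modelled. Real Calico matches on the destination
    IP it learned from DNS responses, which is why rule 1 (allow DNS) has to be
    present; here the destination is given by name directly. If nothing
    matches the result is 'Deny' (assumption: no Pass rule hands the traffic
    to a later tier).
    """
    for rule in policy["egress"]:
        dst = rule.get("destination", {})
        if "protocol" in rule and rule["protocol"] != protocol:
            continue
        if "ports" in dst and str(dst_port) not in {str(p) for p in dst["ports"]}:
            continue
        if "domains" in dst and (
            dst_domain is None
            or not any(domain_matches(p, dst_domain) for p in dst["domains"])
        ):
            continue
        return rule["action"]
    return "Deny"


if __name__ == "__main__":
    checks = [
        dict(protocol="UDP", dst_port=53),        # the DNS lookup itself
        dict(dst_domain="www.google.com"),       # covered by '*.google.com'
        dict(dst_domain="google.com"),           # needs the explicit entry
        dict(dst_domain="maps.www.google.com"),  # two labels under the wildcard: not covered
        dict(dst_domain="example.com"),          # not listed at all
        dict(protocol="TCP", dst_port=443),      # no name known for the destination
    ]
    for c in checks:
        print(f"{c!s:45} -> {evaluate_egress(POLICY, **c)}")
```

The point worth noticing is why the answer's policy lists both `*.google.com` and `google.com`: under label-scoped wildcard matching the apex name is not covered by the wildcard, and a deeper name such as `maps.www.google.com` is not covered either, so each depth you want reachable needs its own entry.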
  • Will this example work since it is under the enterprise package? I want to implement a network policy based on domain using CIDR; do you think Kubernetes DNSSelector [ https://github.com/kubernetes/kubernetes/issues/50453 ] might help? – solveit Jun 28 '21 at 05:02
  • This will work if you use Calico Enterprise; there are no other options to have this work like this. Also, for the last state they suggested using `calico cni` for this - see [this comment](https://github.com/kubernetes/kubernetes/issues/50453#issuecomment-368334028) – moonkotte Jun 28 '21 at 06:46
  • How about the Kubernetes DNS service https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ to control the egress calls? With some DNS server that I can integrate with k3s and use this service? – solveit Jun 30 '21 at 06:37
  • This is a different question and you should consider asking this separately to comply with StackExchange guidelines. Please refer to [One post with multiple questions or multiple posts?](https://meta.stackexchange.com/questions/39223/one-post-with-multiple-questions-or-multiple-posts) – moonkotte Jun 30 '21 at 07:53