I have an application running with the Kubernetes orchestrator. I want to implement a Calico network policy based on domain names or wildcard characters, so that domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector).
I came across the Calico docs, which say the same thing, but I am not sure if this is free or paid. Can someone confirm this? Also, where can I get an example of this?
DNS policy is a paid feature since it's a part of Calico Enterprise and Calico Cloud. You can check this here.
Full comparison of features between open source Calico, Cloud and Enterprise
As for examples, it's often very difficult to find working examples for paid products; however, I managed to find a simple example of what it will look like:
Link to this example above in the Calico GitHub
The idea is to not allow any egress traffic to any domains but google.com.
It's shown how it should work in the example.
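
A sketch of the kind of policy the answer describes, added here as an illustration and not the example from the linked Calico repository. The policy name, the `dev` namespace and the `app == 'client'` label are assumptions, and the `domains` field is only accepted by Calico Enterprise and Calico Cloud.

```yaml
# Added example: egress allow-list by domain name for a set of pods.
# Assumed names: policy "allow-egress-to-google", namespace "dev",
# pod label app=client. Requires Calico Enterprise or Calico Cloud.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-egress-to-google
  namespace: dev
spec:
  # Pods this policy applies to (label selector).
  selector: app == 'client'
  order: 100
  types:
    - Egress
  egress:
    # DNS lookups must be allowed, otherwise the pod cannot resolve
    # the permitted names and Calico has no answers to learn from.
    - action: Allow
      protocol: UDP
      destination:
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        ports:
          - 53
    # Domain names are only valid in egress rules with action Allow.
    # The wildcard covers subdomains; the bare name is listed separately.
    - action: Allow
      destination:
        domains:
          - google.com
          - "*.google.com"
  # No further rules: once the pod is selected for Egress, traffic that
  # matches none of the Allow rules above is dropped.
```

Domain rules match on the IP addresses returned in DNS responses that Calico observes, so a client that connects to a hard-coded IP address, or resolves names through a path Calico does not see, will not match the `domains` rule.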