Can we use more than one option in a single yaml file?

Hi All,

We would like to allow all the traffic from the TCP and UDP protocols to the pods in a particular Namespace.
Can we use more than one option at a time in Calico Policy while defining a GlobalNetworkPolicy?
e.g.:
Protocol: TCP, UDP
Action: Allow, Log

You can indeed specify these in the same yaml file, but they would need to be separate rules in the same file. For example:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: k8s-worker
spec:
  selector: "role == 'k8s-worker'"
  order: 100
  ingress:
  - action: Log
    protocol: ICMP
  - action: Log
    protocol: TCP
  - action: Log
    protocol: UDP
  - action: Allow
    protocol: ICMP
  - action: Allow
    protocol: TCP
  - action: Allow
    protocol: UDP

@Lance Robson

It's clear to me now. Thanks a ton. Keep up your great work.

If possible could you please look into this as well.

@lwr20

Is it possible to refer to more than one Namespace in a GlobalNetworkPolicy, as shown below?

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: k8s-worker
spec:
  namespaceSelector: "key1 == 'value1'"
  namespaceSelector: "key2 == 'value2'"
  namespaceSelector: "key3 == 'value3'"
  order: 100
  ingress:
  - action: Log
    protocol: ICMP
  - action: Log
    protocol: TCP

Have a look at: Global network policy

You’ll see that the namespaceSelector takes an argument of type Selector. The Selector section of that doc shows that Selector can have multiple, logically combined expressions.

Assuming that what you want here is a rule which ORs the namespaces together, I think your policy should look like:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: k8s-worker
spec:
  namespaceSelector: "(key1 == 'value1') || (key2 == 'value2') || (key3 == 'value3')"
  order: 100
  ingress:
    - action: Log
      protocol: ICMP
    - action: Log
      protocol: TCP
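An added check, not from the thread or from Calico itself, for the duplicate-key problem in the policy from the question: YAML mapping keys must be unique, so a parser either rejects a file with three `namespaceSelector` lines under `spec` or silently keeps just one of them, and the namespaces never get OR'd together. The scanner below flags repeated keys in simple block-style manifests (the sample policy, the `find_duplicate_keys` and `or_namespace_selectors` helper names are this example's own), and the second helper builds the single combined selector from the answer.

```python
import re
from typing import List, Tuple

# Constructed sample (not the thread's text verbatim): the questioner's policy
# with three `namespaceSelector` keys under `spec`.
POLICY_WITH_DUPLICATES = """\
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: k8s-worker
spec:
  namespaceSelector: "key1 == 'value1'"
  namespaceSelector: "key2 == 'value2'"
  namespaceSelector: "key3 == 'value3'"
  order: 100
  ingress:
  - action: Log
    protocol: ICMP
"""

# indent, optional sequence dash, key, then ':' followed by a space or end of line
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z][A-Za-z0-9_.-]*):(\s|$)")

def find_duplicate_keys(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for each key that repeats within one
    block mapping. Plain block style only: no flow {}/[] syntax and no
    multi-line scalars; a '- ' item always opens a fresh mapping."""
    stack: List[Tuple[int, set]] = []  # (indent, keys seen in that mapping)
    duplicates: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        if m.group(2):  # new sequence item: drop the previous sibling's mapping
            stack = [s for s in stack if s[0] < indent]
        while stack and stack[-1][0] > indent:  # dedent: leave inner mappings
            stack.pop()
        if not stack or stack[-1][0] < indent:
            stack.append((indent, set()))
        seen, key = stack[-1][1], m.group(3)
        if key in seen:
            duplicates.append((lineno, key))
        seen.add(key)
    return duplicates

def or_namespace_selectors(selectors: List[str]) -> str:
    """Build the single OR'd namespaceSelector shown in the answer above."""
    return " || ".join(f"({s})" for s in selectors)
```

Running `find_duplicate_keys` over the sample reports lines 7 and 8 (the second and third `namespaceSelector`), while a policy that uses the combined selector reports nothing.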

@lwr20

Cool, it's clear to me now.

From the official document I understand that the "protocol" value can be either a String (e.g. TCP, UDP) or an Integer 1-255.
Does that mean the protocol value can be 1-255 (in order to select all protocols)?

ingress:
- action: Allow
  protocol: 1-255

I think if you want to match all protocols, you can simply omit the protocol field.
