How to allow ClusterIP by selector?

Calico Help
#1

Hi,

I want to allow external access to ClusterIP of specific services.
I tried as follows, but the Rule is created as Pod IP.

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: rook-ceph-allow-cluster-ip
spec:
  order: 10
  applyOnForward: true
  ingress:
  - action: Allow
    destination:
      namespaceSelector: namespace.cluster.local.io == 'rook-ceph'
      selector: app == 'rook-ceph-mon'
  preDNAT: true
  selector: has(host-endpoint)

Name: cali40s:wDHQoEWkVYY1xFSxA1sTwvL
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 640
References: 1
Number of entries: 3
Members:
172.25.173.219 (Pod IP)
172.19.15.237 (Pod IP)
172.25.173.211 (Pod IP)
#2

It is expected that the rule would be created with Pod IPs. The Cluster IP gets DNATted by a rule installed by kube-proxy (if you’re running in iptables mode) to the Pod IP, so it is correct to use the pod IP in the rule.

Are you seeing an actual problem? What happens when you access the pod IP from outside the cluster? (I’m wondering if you need to advertise the service IP).

#3

Thank you for response.
PodIP cannot be accessed from outside the cluster.
I will open a new discussion for how to PodIP routing.

#4

I want to reopen this discuss.
When access ClusterIP(k8s Service) from outside, has situation need access control.

#5

If you want to match on cluster IP, you need to use host endpoint pre-DNAT policy so you see the packet before the DNAT happens. This doc explains how to do that, with node ports in mind: https://docs.projectcalico.org/security/kubernetes-node-ports

#6

Could you tell me detail a little more?
In the first comment I tried using pre-DNAT.
But it doesn’t work.

#7

Pre-dnat policy has to be based on IP address, we don’t support matching services with selectors