Hi,
I want to expose some services as ClusterIP.
Currently, I am advertising ClusterIPs with Calico BGP.
I want to deny all access, except for some services.
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress-only
spec:
  applyOnForward: true
  ingress:
    - action: Allow
      source:
        nets:
          - 10.16.0.0/20   # Node IP CIDR
          - 172.16.0.0/12  # Pod IP CIDR
  preDNAT: true
  selector: has(host-endpoint)
(The host-endpoint is labeled on the node.)
But it is not working.
02:10:35.926981 IP 172.16.12.192.60393 > 172.19.15.224.6789: Flags [S], seq 2444179478, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:10:35.927074 IP 172.19.15.224.6789 > 172.16.12.192.60393: Flags [S.], seq 1303218966, ack 2444179479, win 64390, options [mss 1370,nop,nop,sackOK,nop,wscale 7], length 0
172.16.12.192 is vxlan.calico’s IP.
When accessing the ClusterIP from a PC, the source IP is changed to the IP of the node's vxlan.calico interface, so the connection is allowed.
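An added check (not from the original post) that parses the tcpdump lines above and tests each SYN's source address against the policy's allowed nets; it shows that the vxlan.calico source 172.16.12.192 sits inside the 172.16.0.0/12 pod CIDR and therefore matches the Allow rule. The 192.168.1.50 client address is a constructed example of what a PC's source would look like before SNAT.

```python
import ipaddress
import re

# Allowed source nets copied from the GlobalNetworkPolicy in the post.
ALLOWED_NETS = [
    ipaddress.ip_network("10.16.0.0/20"),   # Node IP CIDR
    ipaddress.ip_network("172.16.0.0/12"),  # Pod IP CIDR (also covers vxlan.calico)
]

# tcpdump line shape: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [..], ..."
_TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Two lines copied from the post plus one constructed PC-to-ClusterIP SYN.
SAMPLE_CAPTURE = [
    "02:10:35.926981 IP 172.16.12.192.60393 > 172.19.15.224.6789: Flags [S], seq 2444179478, win 64240, length 0",
    "02:10:35.927074 IP 172.19.15.224.6789 > 172.16.12.192.60393: Flags [S.], seq 1303218966, ack 2444179479, length 0",
    "02:10:36.000000 IP 192.168.1.50.51000 > 172.19.15.224.6789: Flags [S], seq 1, win 64240, length 0",  # constructed
]


def parse_tcpdump_line(line):
    """Extract src/dst address, ports and TCP flags; None if the line does not match."""
    m = _TCPDUMP_RE.match(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group(1)), "sport": int(m.group(2)),
        "dst": ipaddress.ip_address(m.group(3)), "dport": int(m.group(4)),
        "flags": m.group(5),
    }


def matching_net(addr, nets=ALLOWED_NETS):
    """Return the first allowed net containing addr, or None (policy default: deny)."""
    return next((net for net in nets if addr in net), None)


def evaluate(lines, nets=ALLOWED_NETS):
    """Judge every initial SYN (flags exactly 'S'); SYN-ACKs and other segments are skipped."""
    verdicts = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        net = matching_net(pkt["src"], nets)
        verdicts.append((str(pkt["src"]), str(net) if net else None, "Allow" if net else "Deny"))
    return verdicts
```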