What is the difference between GlobalNetworkPolicy and GlobalNetworkset in Calico?

Hi all,

We are planning to leverage Calico Network policy to enhance our cluster security. Gone through the Calico official document and got some idea on GlobalNetworkPolicy and NetworkPolicy, but one thing which is still a grey area to us is GlobalNetworkset.

We would really appreciate, if someone could clear this doubt.

Cluster: AKS

Thanks in advance


A global network set resource (GlobalNetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.

The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a global network policy rule, it includes the CIDRs from any network sets that match the selector.

A global network policy resource ( GlobalNetworkPolicy ) represents an ordered set of rules which are applied to a collection of endpoints that match a label selector.

GlobalNetworkPolicy is not a namespaced resource. GlobalNetworkPolicy applies to workload endpoint resources in all namespaces, and to host endpoint resources. Select a namespace in a GlobalNetworkPolicy in the standard selector by using projectcalico.org/namespace as the label name and a namespace name as the value to compare against, e.g., projectcalico.org/namespace == "default" . See network policy resource for namespaced network policy.

GlobalNetworkPolicy resources can be used to define network connectivity rules between groups of Calico endpoints and host endpoints, and take precedence over Profile resources if any are defined.

So in a globalnetworkset, you would put a list of CIDRs that you want to talk about in your policies. Those CIDRs might represent internal networks, machines running databases, etc. The GNS has labels.

Those labels can then be used in your calico policies to define traffic policy to/from the IPs in the GNS

1 Like


Thanks a ton, for your explanation. Its clear to me now.