Skip to main content
Calico Enterprise 3.19 (latest) documentation

Deep packet inspection

A deep packet inspection resource (DeepPacketInspection) represents live network traffic monitor for malicious activities by analyzing header and payload of the packet using specific rules. Malicious activities are added to the β€œAlerts” page in Calico Enterprise Manager.

For kubectl commands, the following case-insensitive aliases can be used to specify the resource type on the CLI: deeppacketinspection,deeppacketinspections, deeppacketinspection.projectcalico.org, deeppacketinspections.projectcalico.org as well as abbreviations such as deeppacketinspection.p and deeppacketinspections.p.

Sample YAML​

apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi
namespace: sample-namespace
spec:
selector: k8s-app == "sample-app"

DeepPacketInspection definition​

Metadata​

FieldDescriptionAccepted ValuesSchemaDefault
nameThe name of the deep packet inspection. Required.Alphanumeric string with optional ., _, or -.string
namespaceNamespace provides an additional qualification to a resource name.string"default"

Spec​

FieldDescriptionAccepted ValuesSchemaDefault
selectorSelects the endpoints to which this deep packet inspection applies.selector

Status​

FieldDescription
nodesList of Nodes.

Nodes​

FieldDescription
nodeName of the node that generated this status.
activeActive status.
errorConditionsList of errors.

Active​

FieldDescription
successWhether the deep packet inspection is active on the backend.
lastUpdatedTime when the active field was updated.

Error Conditions​

FieldDescription
messageErrors preventing deep packet inspection from running successfully.
lastUpdatedTime when the error was updated.

Selector​

A label selector is an expression which either matches or does not match a resource based on its labels.

Calico Enterprise label selectors support a number of operators, which can be combined into larger expressions using the boolean operators and parentheses.

ExpressionMeaning
Logical operators
( <expression> )Matches if and only if <expression> matches. (Parentheses are used for grouping expressions.)
! <expression>Matches if and only if <expression> does not match. Tip: ! is a special character at the start of a YAML string, if you need to use ! at the start of a YAML string, enclose the string in quotes.
<expression 1> && <expression 2>"And": matches if and only if both <expression 1>, and, <expression 2> matches
\<expression 1> || \<expression 2>"Or": matches if and only if either <expression 1>, or, <expression 2> matches.
Match operators
all()Match all in-scope resources. To match no resources, combine this operator with ! to form !all().
global()Match all non-namespaced resources. Useful in a namespaceSelector to select global resources such as global network sets.
k == 'v'Matches resources with the label 'k' and value 'v'.
k != 'v'Matches resources without label 'k' or with label 'k' and value not equal to v
has(k)Matches resources with label 'k', independent of value. To match pods that do not have label k, combine this operator with ! to form !has(k)
k in { 'v1', 'v2' }Matches resources with label 'k' and value in the given set
k not in { 'v1', 'v2' }Matches resources without label 'k' or with label 'k' and value not in the given set
k contains 's'Matches resources with label 'k' and value containing the substring 's'
k starts with 's'Matches resources with label 'k' and value starting with the substring 's'
k ends with 's'Matches resources with label 'k' and value ending with the substring 's'

Operators have the following precedence:

  • Highest: all the match operators
  • Parentheses ( ... )
  • Negation with !
  • Conjunction with &&
  • Lowest: Disjunction with ||

For example, the expression

! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}

Would be "bracketed" like this:

((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))

It would match:

  • Any resource that did not have label "my-label".
  • Any resource that both:
    • Has a value for my-label that starts with "prod", and,
    • Has a role label with value either "frontend", or "business".