Skip to main content
Version: 3.18 (latest)

Network set

A network set resource (NetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico Enterprise policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico Enterprise, networks.

NetworkSet is a namespaced resource. NetworkSets in a specific namespace only applies to network policies in that namespace. Two resources are in the same namespace if the namespace value is set the same on both. (See GlobalNetworkSet for non-namespaced network sets.)

The metadata for each network set includes a set of labels. When Calico Enterprise is calculating the set of IPs that should match a source/destination selector within a network policy rule, it includes the CIDRs from any network sets that match the selector.

note

Since Calico Enterprise matches packets based on their source/destination IP addresses, Calico Enterprise rules may not behave as expected if there is NAT between the Calico Enterprise-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico Enterprise's workload policy will see the kube-proxy's host's IP as the source instead of the real source.

Sample YAML

apiVersion: projectcalico.org/v3
kind: NetworkSet
metadata:
name: external-database
namespace: staging
labels:
role: db
spec:
nets:
- 198.51.100.0/28
- 203.0.113.0/24
allowedEgressDomains:
- db.com
- '*.db.com'

Network set definition

Metadata

FieldDescriptionAccepted ValuesSchemaDefault
nameThe name of this network set. Required.Lower-case alphanumeric with optional _ or -.string
namespaceNamespace provides an additional qualification to a resource name.string"default"
labelsA set of labels to apply to this endpoint.map

Spec

FieldDescriptionAccepted ValuesSchemaDefault
netsThe IP networks/CIDRs to include in the set.Valid IPv4 or IPv6 CIDRs, for example "192.0.2.128/25"list
allowedEgressDomainsThe list of domain names that belong to this set and are honored in egress allow rules only. Domain names specified here only work to allow egress traffic from the cluster to external destinations. They don't work to deny traffic to destinations specified by domain name, or to allow ingress traffic from sources specified by domain name.List of exact or wildcard domain nameslist

Exact and wildcard domain names

When a configured domain name has no wildcard (*), it matches exactly that domain name. For example:

  • microsoft.com
  • tigera.io

With a single asterisk in any part of the domain name, it matches 1 or more path components at that position. For example:

  • *.google.com matches www.google.com and www.ipv6.google.com, but not google.com
  • www.*.com matches www.sun.com and www.apple.com, but not www.com
  • www.google.* matches www.google.net, www.google.io, and so on
  • update.*.mycompany.com matches update.tools.mycompany.com, update.secure.suite.mycompany.com, and so on

Not supported are:

  • Multiple wildcards in the same domain, for example: *.*.mycompany.com
  • Asterisks that are not the entire component, for example: www.g*.com
  • More general wildcards, such as regular expressions