Network set
A network set resource (NetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico Enterprise policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico Enterprise, networks.
NetworkSet is a namespaced resource. NetworkSets in a specific namespace
only applies to network policies
in that namespace. Two resources are in the same namespace if the namespace
value is set the same on both. (See GlobalNetworkSet for non-namespaced network sets.)
The metadata for each network set includes a set of labels. When Calico Enterprise is calculating the set of IPs that should match a source/destination selector within a network policy rule, it includes the CIDRs from any network sets that match the selector.
Since Calico Enterprise matches packets based on their source/destination IP addresses, Calico Enterprise rules may not behave as expected if there is NAT between the Calico Enterprise-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico Enterprise's workload policy will see the kube-proxy's host's IP as the source instead of the real source.
Sample YAML
apiVersion: projectcalico.org/v3
kind: NetworkSet
metadata:
name: external-database
namespace: staging
labels:
role: db
spec:
nets:
- 198.51.100.0/28
- 203.0.113.0/24
allowedEgressDomains:
- db.com
- '*.db.com'
Network set definition
Metadata
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of this network set. Required. | Lower-case alphanumeric with optional _ or -. | string | |
| namespace | Namespace provides an additional qualification to a resource name. | string | "default" | |
| labels | A set of labels to apply to this endpoint. | map |
Spec
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| nets | The IP networks/CIDRs to include in the set. | Valid IPv4 or IPv6 CIDRs, for example "192.0.2.128/25" | list | |
| allowedEgressDomains | The list of domain names that belong to this set and are honored in egress allow rules only. Domain names specified here only work to allow egress traffic from the cluster to external destinations. They don't work to deny traffic to destinations specified by domain name, or to allow ingress traffic from sources specified by domain name. | List of exact or wildcard domain names | list |
Exact and wildcard domain names
When a configured domain name has no wildcard (*), it matches exactly that domain name. For example:
microsoft.comtigera.io
With a single asterisk in any part of the domain name, it matches 1 or more path components at that position. For example:
*.google.commatcheswww.google.comandwww.ipv6.google.com, but notgoogle.comwww.*.commatcheswww.sun.comandwww.apple.com, but notwww.comupdate.*.mycompany.commatchesupdate.tools.mycompany.com,update.secure.suite.mycompany.com, and so on
Not supported are:
- Multiple wildcards in the same domain, for example:
*.*.mycompany.com - Asterisks that are not the entire component, for example:
www.g*.com - More general wildcards, such as regular expressions