Skip to main content
Version: 3.28 (latest)

Protect hosts

Big picture​

Use Calico network policy to restrict traffic to/from hosts.


Restricting traffic between hosts and the outside world is not unique to Calico; many solutions provide this capability. However, the advantage of using Calico to protect the host is you can use the same Calico policy configuration as workloads. You only need to learn one tool. Write a cluster-wide policy, and it is immediately applied to every host.


Hosts and workloads​

In the context of Calico configuration, a workload is a virtualized compute instance, like a VM or container. A host is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it β€œhosts” the workloads as guests.

Host endpoints​

Each host has one or more network interfaces that it uses to communicate externally. You can use Calico network policy to secure these interfaces (called host endpoints). Calico host endpoints can have labels, and they work the same as labels on workload endpoints. The network policy rules can apply to both workload and host endpoints using label selectors.

Failsafe rules​

It is easy to inadvertently cut all host connectivity because of nonexistent or misconfigured network policy. To avoid this, Calico provides failsafe rules with default/configurable ports that are open on all host endpoints.

Default behavior of workload to host traffic​

By default, Calico blocks all connections from a workload to its local host. You can control whether connections from a workload endpoint to its local host are dropped, returned, or accepted using a simple parameter.

Calico allows all connections from processes running on the host to guest workloads on the host. This allows host processes to run health checks and debug guest workloads.

Default behavior of external traffic to/from host​

If a host endpoint is added and network policy is not in place, the Calico default is to deny traffic to/from that endpoint (except for traffic allowed by failsafe rules). For host endpoints, Calico blocks traffic only to/from interfaces that it’s been explicitly told about in network policy. Traffic to/from other interfaces is ignored.

Other host protection​

In terms of design consistency in Calico, you may wonder about the following use cases.

Does Calico protect a local host from workloads?
Yes. DefaultEndpointToHostAction controls whether or not workloads can access their local host.

Does Calico protect a workload from the host it is running on?
No. Calico allows connections the host makes to the workloads running on that host. Some orchestrators like Kubernetes depend on this connectivity for health checking the workload. Moreover, processes running on the local host are often privileged enough to override local Calico policy. Be very cautious with the processes that you allow to run in the host's root network namespace.

Before you begin...​

If you are already running Calico for Kubernetes, you are good to go. If you want to install Calico on a non-cluster machine for host protection only, see Non-cluster hosts.

How to​

Avoid accidentally cutting all host connectivity​

To avoid inadvertently cutting all host connectivity because of nonexistent or misconfigured network policy, Calico uses failsafe rules that open specific ports and CIDRs on all host endpoints.

Review the following table to determine if the defaults work for your implementation. If not, change the default ports using the parameters, FailsafeInboundHostPorts and FailsafeOutboundHostPorts in Configuring Felix.

22TCP0.0.0.0/0InboundSSH access
53UDP0.0.0.0/0OutboundDNS queries
67UDP0.0.0.0/0OutboundDHCP access
68UDP0.0.0.0/0InboundDHCP access
179TCP0.0.0.0/0Inbound & OutboundBGP access (Calico networking)
2379TCP0.0.0.0/0Inbound & Outboundetcd access
2380TCP0.0.0.0/0Inbound & Outboundetcd access
6443TCP0.0.0.0/0Inbound & OutboundKubernetes API server access
6666TCP0.0.0.0/0Inbound & Outboundetcd self-hosted service access
6667TCP0.0.0.0/0Inbound & Outboundetcd self-hosted service access

Use policy to restrict host traffic​

Step 1: Create policy to restrict host traffic​

Although failsafe rules provide protection from removing all connectivity to a host, you should create a GlobalNetworkPolicy policy that restricts host traffic.

In the following example, we use a GlobalNetworkPolicy that applies to all worker nodes (defined by a label). Ingress SSH access is allowed from a defined "management" subnet.

Ingress traffic is also allowed for ICMP, and on TCP port 10250 (default kubelet port). Egress traffic is allowed to etcd on a particular IP, and UDP on port 53 and 67 for DNS and DHCP.

kind: GlobalNetworkPolicy
name: k8s-worker
selector: "role == 'k8s-worker'"
order: 0
- action: Allow
protocol: TCP
- '<your management CIDR>'
ports: [22]
- action: Allow
protocol: ICMP
- action: Allow
protocol: TCP
ports: [10250]
- action: Allow
protocol: TCP
- '<your etcd IP>/32'
ports: [2379]
- action: Allow
protocol: UDP
ports: [53, 67]

Step 2: Create host endpoints​

For each host point that you want to secure with policy, you must create a HostEndpoint object. To do that, you need the name of the Calico node on the host that owns the interface; in most cases, it is the same as the hostname of the host.

In the following example, we create a HostEndpoint for the host named my-host with the interface named eth0, with IP Note that the value for node: must match the hostname used on the Calico node object.

When the HostEndpoint is created, traffic to or from the interface is dropped unless policy is in place.

kind: HostEndpoint
name: my-host-eth0
role: k8s-worker
environment: production
interfaceName: eth0
node: my-host
expectedIPs: ['']

Control default behavior of workload endpoint to host traffic​

The default Calico behavior blocks all connections from workloads to their local host (after traffic passes any egress policy applied to the workload). You can change this behavior using the DefaultEndpointToHostAction parameter in Felix configuration.

This parameter works at the IP table level, where you can specify packet behavior to Drop (default), Accept, or Return.

To change this parameter for all hosts, edit the FelixConfiguration object named β€œdefault.”

  1. Get a copy of the object to edit.

    calicoctl get felixconfiguration default --export -o yaml > default-felix-config.yaml
  2. Open the file in a text editor and add the parameter, defaultEndpointToHostAction. For example:

    kind: FelixConfiguration
    name: default
    ipipEnabled: true
    logSeverityScreen: Info
    reportingInterval: 0s
    defaultEndpointToHostAction: Accept
  3. Update the FelixConfiguration on the cluster.

    calicoctl apply -f default-felix-config.yaml

Additional resources​