A network set resource (NetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.
NetworkSet is a namespaced resource.
NetworkSets in a specific namespace
only applies to network policies
in that namespace. Two resources are in the same namespace if the
value is set the same on both. (See GlobalNetworkSet for non-namespaced network sets.)
The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a network policy rule, it includes the CIDRs from any network sets that match the selector.
Since Calico matches packets based on their source/destination IP addresses,
Calico rules may not behave as expected if there is NAT between the Calico-enabled node and the
networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is
typically SNATed by the kube-proxy before reaching the destination host so Calico's workload
policy will see the kube-proxy's host's IP as the source instead of the real source.
calicoctl commands that specify a resource type on the CLI, the following
aliases are supported (all case insensitive):
Network set definition
|name||The name of this network set. Required.||Lower-case alphanumeric with optional ||string|
|namespace||Namespace provides an additional qualification to a resource name.||string||"default"|
|labels||A set of labels to apply to this endpoint.||map|
|nets||The IP networks/CIDRs to include in the set.||Valid IPv4 or IPv6 CIDRs, for example "192.0.2.128/25"||list|