I'm trying to allow traffic from only some IP ranges to a load balancer in AKS, so I am trying with Calico using a GlobalNetworkPolicy, but it's not working. What am I doing wrong?
```yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: deny-lb-port-80
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
    - action: Log
    - action: Deny
      destination:
        nets:
          - balancerIP
        ports:
          - 80
      protocol: TCP
      source: {}
  order: 800
  types:
    - Ingress
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allowlist
spec:
  applyOnForward: true
  preDNAT: true
  ingress:
    - action: Log
    - action: Allow
      destination:
        nets:
          - balancerip
        ports:
          - 80
      protocol: TCP
      source:
        nets:
          - allowedipranges
  order: 500
  types:
    - Ingress
```
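To see how Calico would evaluate the two policies above (lower `order` first, rules in sequence, `Log` never terminating, `Allow`/`Deny` terminating, default deny when nothing matches), here is an added simulation that is not part of the question or of Calico itself; the load balancer IP and allowed range are constructed placeholders standing in for `balancerIP` and `allowedipranges`:

```python
import ipaddress

# Constructed model of Calico policy evaluation: policies in ascending `order`,
# rules in sequence; Log continues, Allow/Deny return; a policy with no matching
# rule hands over to the next one; nothing matching at all means Deny.
ALLOWED_RANGES = ["203.0.113.0/24"]  # placeholder for "allowedipranges"
BALANCER_IP = "198.51.100.10/32"     # placeholder for "balancerIP"

def _in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def rule_matches(rule, pkt):
    """A rule matches only when every selector it specifies matches the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    dst, src = rule.get("destination", {}), rule.get("source", {})
    if "nets" in dst and not _in_nets(pkt["dst"], dst["nets"]):
        return False
    if "ports" in dst and pkt["dport"] not in dst["ports"]:
        return False
    if "nets" in src and not _in_nets(pkt["src"], src["nets"]):
        return False
    return True  # an empty selector such as `source: {}` matches everything

def evaluate(policies, pkt):
    """Return (verdict, log_lines) for one packet across all policies."""
    logged = []
    for pol in sorted(policies, key=lambda p: p["order"]):
        for rule in pol["ingress"]:
            if not rule_matches(rule, pkt):
                continue
            if rule["action"] == "Log":  # logs, then keeps evaluating
                logged.append(f'{pol["name"]}: {pkt["src"]} -> {pkt["dst"]}:{pkt["dport"]}')
                continue
            return rule["action"], logged
    return "Deny", logged  # default when no Allow/Deny rule matched

# The two policies from the question, with the placeholders filled in.
ALLOWLIST = {"name": "allowlist", "order": 500, "ingress": [
    {"action": "Log"},
    {"action": "Allow", "protocol": "TCP",
     "destination": {"nets": [BALANCER_IP], "ports": [80]},
     "source": {"nets": ALLOWED_RANGES}}]}
DENY_LB = {"name": "deny-lb-port-80", "order": 800, "ingress": [
    {"action": "Log"},
    {"action": "Deny", "protocol": "TCP",
     "destination": {"nets": [BALANCER_IP], "ports": [80]}, "source": {}}]}

def verdict_for(src):
    pkt = {"src": src, "dst": "198.51.100.10", "dport": 80, "proto": "TCP"}
    return evaluate([DENY_LB, ALLOWLIST], pkt)[0]
```

Note that the selector-less `Log` rule in each policy logs every packet that reaches that policy, so a non-allowed source produces two log lines before being denied.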
Normally I use a GlobalNetworkPolicy to deny ingress globally and then use a Kubernetes NetworkPolicy to override the GlobalNetworkPolicy inside the namespace:
```yaml
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-global-deny-all-ingress
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  order: 3000 # normal NPs (order: 1000) are evaluated first, since a lower order value means higher precedence
  types:
    - Ingress
  ingress:
    # Allow collecting metrics from the Kubernetes Metrics Server
    - action: Allow
      protocol: TCP
      destination:
        selector: 'k8s-app == "metrics-server"'
        ports:
          - 443
    # Deny all other ingress
    - action: Deny
      source:
        nets:
          - 0.0.0.0/0
```
A Kubernetes NetworkPolicy, for example to allow traffic from the internet to the nginx ingress controller:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-internet
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  ingress:
    # Allow ingress from the internet
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
```