Global network set

A global network set resource (GlobalNetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.

The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a global network policy rule, or within a network policy rule whose namespaceSelector includes global(), it includes the CIDRs from any network sets that match the selector.

Note

Since Calico matches packets based on their source/destination IP addresses, Calico rules may not behave as expected if there is NAT between the Calico-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico’s workload policy will see the kube-proxy’s host’s IP as the source instead of the real source.
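To make the two points above concrete, here is an added Python model (not Calico's own code) of how a label selector pulls CIDRs out of global network sets and how an IP is then matched against them. It assumes a simplified equality-only selector and a constructed node IP of 10.0.0.5 to illustrate the SNAT caveat; the real Calico selector language is richer.

```python
import ipaddress

# Constructed sample data: the GlobalNetworkSet from this page plus one
# unrelated set, so that selector matching has something to exclude.
NETWORK_SETS = [
    {"name": "a-name-for-the-set",
     "labels": {"role": "external-database"},
     "nets": ["198.51.100.0/28", "203.0.113.0/24"]},
    {"name": "partner-cidrs",
     "labels": {"role": "partner"},
     "nets": ["192.0.2.128/25"]},
]


def selector_matches(selector: dict, labels: dict) -> bool:
    """Simplified selector: every key == value pair must be present.
    Calico's real selector syntax also supports !=, in, has(), etc."""
    return all(labels.get(k) == v for k, v in selector.items())


def cidrs_for_selector(selector: dict, network_sets=NETWORK_SETS):
    """CIDRs contributed by every network set whose labels match the selector.
    This is the set of IPs a policy rule using that selector will match."""
    return [ipaddress.ip_network(n)
            for ns in network_sets if selector_matches(selector, ns["labels"])
            for n in ns["nets"]]


def ip_matches(ip: str, selector: dict) -> bool:
    """Would a packet with this source/destination IP hit the rule?
    Mixed IPv4/IPv6 comparisons are simply False in the ipaddress module."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs_for_selector(selector))


if __name__ == "__main__":
    sel = {"role": "external-database"}
    print(ip_matches("198.51.100.7", sel))   # True: inside 198.51.100.0/28
    print(ip_matches("198.51.100.17", sel))  # False: the /28 ends at .15
    # SNAT caveat: after kube-proxy rewrites the source, workload policy
    # sees the node IP (constructed 10.0.0.5), not the real external client.
    print(ip_matches("10.0.0.5", sel))       # False, so the rule is missed
```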

Sample YAML

  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkSet
  metadata:
    name: a-name-for-the-set
    labels:
      role: external-database
  spec:
    nets:
    - 198.51.100.0/28
    - 203.0.113.0/24

Global network set definition

Metadata

Field    Description                                    Accepted Values                                Schema
name     The name of this network set.                  Lower-case alphanumeric with optional - or .   string
labels   A set of labels to apply to this network set.                                                 map

Spec

Field    Description                                    Accepted Values                                            Schema   Default
nets     The IP networks/CIDRs to include in the set.   Valid IPv4 or IPv6 CIDRs, for example "192.0.2.128/25"     list