Profile Resource (profile)

A Profile resource (profile) represents a set of rules which are applied to the individual endpoints to which this profile has been assigned.

Each Calico endpoint or host endpoint can be assigned to zero or more profiles.

Also see the Policy resource, which provides an alternative way to select which policy is applied to an endpoint.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): profile, profiles, pro, pros.

Sample YAML

The following sample profile allows all traffic from endpoints that have the profile label set to profile1 (i.e. endpoints that reference this profile), except that all traffic from 10.0.20.0/24 is denied.

apiVersion: v1
kind: profile
metadata:
  name: profile1
  labels:
    profile: profile1
spec:
  ingress:
  - action: deny
    source:
      nets:
      - 10.0.20.0/24
  - action: allow
    source:
      selector: profile == 'profile1'
  egress:
  - action: allow

Definition

Metadata

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of the profile. | | string | |
| labels | A set of labels to apply to endpoints using this profile. | | map of string key to string values | |
| tags (deprecated) | A list of tag names to apply to endpoints using this profile. | | list of strings | |

Spec

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| ingress | The ingress rules belonging to this profile. | | List of Rule | |
| egress | The egress rules belonging to this profile. | | List of Rule | |

Rule

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| action | Action to perform when matching this rule. | allow, deny, log | string | |
| protocol | Positive protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255 | string | |
| notProtocol | Negative protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255 | string | |
| icmp | ICMP match criteria. | | ICMP | |
| notICMP | Negative match on ICMP. | | ICMP | |
| source | Source match parameters. | | EntityRule | |
| destination | Destination match parameters. | | EntityRule | |

ICMP

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| type | Match on ICMP type. | Can be integer 1-255 | integer | |
| code | Match on ICMP code. | Can be integer 1-255 | integer | |

EntityRule

| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| tag (deprecated) | Positive match on tag. | | string | |
| notTag (deprecated) | Negative match on tag. | | string | |
| nets | Match packets with IP in any of the listed CIDRs. | List of valid IPv4 or IPv6 CIDRs | list of cidrs | |
| net | Deprecated (use "nets" instead): Match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| notNets | Negative match on CIDRs. Match packets with IP not in any of the listed CIDRs. | List of valid IPv4 or IPv6 CIDRs | list of cidrs | |
| notNet | Deprecated (use "notNets" instead): Negative match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| selector | Positive match on selected endpoints. | | selector | |
| notSelector | Negative match on selected endpoints. | | selector | |
| ports | Positive match on the specified ports. | | list of ports | |
| notPorts | Negative match on the specified ports. | | list of ports | |

Selector

A label selector is an expression which either matches or does not match an endpoint based on its labels.

Calico label selectors support a number of syntactic primitives. Each of the following primitive expressions can be combined using the logical operator &&.

| Syntax | Meaning |
|---|---|
| k == 'v' | Matches any endpoint with the label 'k' and value 'v'. |
| k != 'v' | Matches any endpoint with the label 'k' and value that is not 'v'. |
| has(k) | Matches any endpoint with label 'k', independent of value. |
| !has(k) | Matches any endpoint that does not have label 'k'. |
| k in { 'v1', 'v2' } | Matches any endpoint with label 'k' and value in the given set. |
| k not in { 'v1', 'v2' } | Matches any endpoint without label 'k', or any with label 'k' and value not in the given set. |

Ports

Calico supports the following syntaxes for expressing ports.

| Syntax | Example | Description |
|---|---|---|
| int | 80 | The exact port specified |
| start:end | 6040:6050 | All ports within the range start <= x <= end |
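To make the Rule, EntityRule, Selector and Ports definitions above concrete, here is an added example evaluator (not Calico's own code) that implements those semantics in Python and runs the page's sample profile1 ingress rules against constructed packets. The selector grammar, port syntax and sample rules are taken from this page; the Packet shape, the evaluate() helper, the handling of a matching log rule (record and continue) and the outcome for traffic that matches no rule (a caller-supplied default) are assumptions made for the demonstration. ICMP matching and notProtocol are left out.

```python
"""Added example, not Calico's code: a minimal evaluator for the Rule,
EntityRule, Selector and Ports semantics on this page, exercised against
the sample profile1 ingress rules.  Packet and evaluate() are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Packet:  # assumed shape, not a Calico type
    src_ip: str
    dst_ip: str = "10.0.0.1"
    protocol: str = "tcp"
    src_port: int = 40000
    dst_port: int = 80
    src_labels: dict = field(default_factory=dict)  # labels of the sending endpoint
    dst_labels: dict = field(default_factory=dict)

# --- Selector primitives from the page's table, combined with && ---
_KEY = r"(\w[\w./-]*)"
_SET = r"\{\s*((?:'[^']*'\s*,?\s*)*)\}"

def _values(set_text):
    return re.findall(r"'([^']*)'", set_text)

_PRIMITIVES = [
    (re.compile(rf"^!has\({_KEY}\)$"), lambda m, l: m.group(1) not in l),
    (re.compile(rf"^has\({_KEY}\)$"), lambda m, l: m.group(1) in l),
    (re.compile(rf"^{_KEY}\s*==\s*'([^']*)'$"), lambda m, l: l.get(m.group(1)) == m.group(2)),
    # != requires the label to be present, as the table states
    (re.compile(rf"^{_KEY}\s*!=\s*'([^']*)'$"),
     lambda m, l: m.group(1) in l and l[m.group(1)] != m.group(2)),
    (re.compile(rf"^{_KEY}\s+not\s+in\s+{_SET}$"),
     lambda m, l: m.group(1) not in l or l[m.group(1)] not in _values(m.group(2))),
    (re.compile(rf"^{_KEY}\s+in\s+{_SET}$"),
     lambda m, l: m.group(1) in l and l[m.group(1)] in _values(m.group(2))),
]

def match_selector(selector, labels):
    """True if every &&-joined primitive matches the label map."""
    for term in selector.split("&&"):
        term = term.strip()
        for pattern, test in _PRIMITIVES:
            m = pattern.match(term)
            if m:
                if not test(m, labels):
                    return False
                break
        else:
            raise ValueError(f"unsupported selector term: {term!r}")
    return True

# --- Ports: "80" or "6040:6050" (inclusive range) ---
def parse_port(spec):
    text = str(spec)
    lo, hi = (int(p) for p in text.split(":", 1)) if ":" in text else (int(text),) * 2
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi

def port_in(port, specs):
    return any(lo <= port <= hi for lo, hi in map(parse_port, specs))

# --- EntityRule and Rule matching ---
def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def match_entity(entity, ip, labels, port):
    """Every field present must match; an absent field imposes no constraint."""
    checks = {
        "nets": lambda v: _in_any(ip, v),
        "notNets": lambda v: not _in_any(ip, v),
        "selector": lambda v: match_selector(v, labels),
        "notSelector": lambda v: not match_selector(v, labels),
        "ports": lambda v: port_in(port, v),
        "notPorts": lambda v: not port_in(port, v),
    }
    return all(check(entity[key]) for key, check in checks.items() if key in entity)

def match_rule(rule, pkt):
    if "protocol" in rule and str(rule["protocol"]).lower() != pkt.protocol.lower():
        return False
    if "source" in rule and not match_entity(rule["source"], pkt.src_ip, pkt.src_labels, pkt.src_port):
        return False
    if "destination" in rule and not match_entity(rule["destination"], pkt.dst_ip, pkt.dst_labels, pkt.dst_port):
        return False
    return True

def evaluate(rules, pkt, default="deny"):
    """First matching allow/deny rule decides.  Assumed here, not stated on the page:
    a matching 'log' rule records the packet and evaluation continues; no match -> default."""
    for rule in rules:
        if match_rule(rule, pkt):
            if rule["action"] == "log":
                print(f"log: {pkt.protocol} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}")
                continue
            return rule["action"]
    return default

# The page's sample profile1 ingress rules as a Python structure.
PROFILE1_INGRESS = [
    {"action": "deny", "source": {"nets": ["10.0.20.0/24"]}},
    {"action": "allow", "source": {"selector": "profile == 'profile1'"}},
]
```

Running `evaluate(PROFILE1_INGRESS, Packet("10.0.20.7", src_labels={"profile": "profile1"}))` returns `deny` because the nets rule is listed first, while the same peer at 10.0.30.7 gets `allow` from the selector rule; rule order is what makes the sample's "allow profile1, except 10.0.20.0/24" read correctly, and swapping the two rules would allow the denied subnet.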

Supported operations

| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| etcdv2 | Yes | Yes | Yes | |
| Kubernetes API server | No | No | Yes | Calico profiles are pre-assigned for each Namespace. |