Profile Resource (profile)
A Profile resource (profile) represents a set of rules which are applied to the individual endpoints to which this profile has been assigned.
Each Calico endpoint or host endpoint can be assigned to zero or more profiles.
Also see the Policy resource which provides an alternate way to select what policy is applied to an endpoint.
For calicoctl commands that specify a resource type on the CLI, the following
aliases are supported (all case insensitive): profile, profiles, pro, pros.
Sample YAML
The following sample profile allows all traffic from endpoints that
have the profile label set to profile1 (i.e. endpoints that reference this profile),
except that all traffic from 10.0.20.0/24 is denied.
apiVersion: v1
kind: profile
metadata:
name: profile1
labels:
profile: profile1
spec:
ingress:
- action: deny
source:
net: 10.0.20.0/24
- action: allow
source:
selector: profile == 'profile1'
egress:
- action: allow
Definition
Metadata
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of the profile. | string | ||
| labels | A set of labels to apply to endpoints using this profile. | map of string key to string values | ||
| tags (deprecated) | A list of tag names to apply to endpoints using this profile. | list of strings |
Spec
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| ingress | The ingress rules belonging to this profile. | List of Rule | ||
| egress | The egress rules belonging to this profile. | List of Rule |
Rule
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| action | Action to perform when matching this rule. | allow, deny, log | string | |
| protocol | Positive protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255. | string | |
| notProtocol | Negative protocol match. | tcp, udp, icmp, icmpv6, sctp, udplite, integer 1-255. | string | |
| icmp | ICMP match criteria. | ICMP | ||
| notICMP | Negative match on ICMP. | ICMP | ||
| source | Source match parameters. | EntityRule | ||
| destination | Destination match parameters. | EntityRule |
ICMP
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| type | Match on ICMP type. | Can be integer 1-255 | integer | |
| code | Match on ICMP code. | Can be integer 1-255 | integer |
EntityRule
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| tag (deprecated) | Positive match on tag. | string | ||
| notTag (deprecated) | Negative match on tag. | string | ||
| net | Match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| notNet | Negative match on CIDR. | Valid IPv4 or IPv6 CIDR | cidr | |
| selector | Positive match on selected endpoints. | selector | ||
| notSelector | Negative match on selected endpoints. | selector | ||
| ports | Positive match on the specified ports | list of ports | ||
| notPorts | Negative match on the specified ports | list of ports |
Selector
A label selector is an expression which either matches or does not match an endpoint based on its labels.
Calico label selectors support a number of syntactic primitives. Each of the following
primitive expressions can be combined using the logical operator &&.
| Syntax | Meaning |
|---|---|
| k == ‘v’ | Matches any endpoint with the label ‘k’ and value ‘v’. |
| k != ‘v’ | Matches any endpoint with the label ‘k’ and value that is not ‘v’. |
| has(k) | Matches any endpoint with label ‘k’, independent of value. |
| !has(k) | Matches any endpoint that does not have label ‘k’ |
| k in { ‘v1’, ‘v2’ } | Matches any endpoint with label ‘k’ and value in the given set |
| k not in { ‘v1’, ‘v2’ } | Matches any endpoint without label ‘k’ or any with label ‘k’ and value not in the given set |
Ports
Calico supports the following syntaxes for expressing ports.
| Syntax | Example | Description |
|---|---|---|
| int | 80 | The exact port specified |
| start:end | 6040:6050 | All ports within the range start <= x <= end |