Profile Resource (Profile)

A profile resource (Profile) represents a set of rules which are applied to the individual endpoints to which this profile has been assigned.

Each Calico endpoint or host endpoint can be assigned to zero or more profiles.

Also see the NetworkPolicy and GlobalNetworkPolicy which provide an alternate way to select what policy is applied to an endpoint.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): profile, profiles, pro, pros.

Sample YAML

The following sample profile allows all traffic from endpoints that have the profile label set to profile1 (i.e. endpoints that reference this profile), except that all traffic from 10.0.20.0/24 is denied.

apiVersion: projectcalico.org/v3
kind: Profile
metadata:
  name: profile1
  labels:
    profile: profile1
spec:
  ingress:
  - action: Deny
    source:
      nets:
      - 10.0.20.0/24
  - action: Allow
    source:
      selector: profile == 'profile1'
  egress:
  - action: Allow

Definition

Metadata

Field Description Accepted Values Schema Default
name The name of the profile. Required. Alphanumeric string with optional ., _, or -. string  
labels A set of labels for this profile.   map of string key to string values  
tags (deprecated) A list of tag names to apply to endpoints using this profile.   list of strings  

Spec

Field Description Accepted Values Schema Default
ingress The ingress rules belonging to this profile.   List of Rule  
egress The egress rules belonging to this profile.   List of Rule  
labelsToApply An optional set of labels to apply to each endpoint in this profile (in addition to the endpoint’s own labels)   map  

Rule

Field Description Accepted Values Schema Default
action Action to perform when matching this rule. Allow, Deny, Log, Pass string  
protocol Positive protocol match. TCP, UDP, ICMP, ICMPv6, SCTP, UDPLite, 1-255 string | integer  
notProtocol Negative protocol match. TCP, UDP, ICMP, ICMPv6, SCTP, UDPLite, 1-255 string | integer  
icmp ICMP match criteria.   ICMP  
notICMP Negative match on ICMP.   ICMP  
ipVersion Positive IP version match. 4, 6 integer  
source Source match parameters.   EntityRule  
destination Destination match parameters.   EntityRule  
http Match HTTP request parameters. Application layer policy must be enabled to use this field.   HTTPMatch  

An action of Pass will skip over the remaining policies and jump to the first profile assigned to the endpoint, applying the policy configured in the profile; if there are no Profiles configured for the endpoint the default applied action is Deny.

ICMP

Field Description Accepted Values Schema Default
type Match on ICMP type. Can be integer 0-254 integer  
code Match on ICMP code. Can be integer 0-255 integer  

EntityRule

Field Description Accepted Values Schema Default
nets Match packets with IP in any of the listed CIDRs. List of valid IPv4 or IPv6 CIDRs list of cidrs  
notNets Negative match on CIDRs. Match packets with IP not in any of the listed CIDRs. List of valid IPv4 or IPv6 CIDRs list of cidrs  
selector Positive match on selected endpoints. If a namespaceSelector is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. Valid selector selector  
notSelector Negative match on selected endpoints. If a namespaceSelector is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. Valid selector selector  
namespaceSelector Positive match on selected namespaces. If specified, only workload endpoints in the selected Kubernetes namespaces are matched. Matches namespaces based on the labels that have been applied to the namespaces. Defines the context that selectors will apply to, if not defined then selectors apply to the NetworkPolicy’s namespace. Valid selector selector  
ports Positive match on the specified ports   list of ports  
notPorts Negative match on the specified ports   list of ports  
serviceAccounts Match endpoints running under service accounts. If a namespaceSelector is also defined, the set of service accounts this applies to is limited to the service accounts in the selected namespaces. Application layer policy must be enabled to use this field.   ServiceAccountMatch  

Selector

A label selector is an expression which either matches or does not match a resource based on its labels.

Calico label selectors support a number of syntactic primitives. Each of the following primitive expressions can be combined using the logical operator &&.

Syntax Meaning
all() Match all resources.
k == ‘v’ Matches any resource with the label ‘k’ and value ‘v’.
k != ‘v’ Matches any resource with the label ‘k’ and value that is not ‘v’.
has(k) Matches any resource with label ‘k’, independent of value.
!has(k) Matches any resource that does not have label ‘k’
k in { ‘v1’, ‘v2’ } Matches any resource with label ‘k’ and value in the given set
k not in { ‘v1’, ‘v2’ } Matches any resource without label ‘k’ or any with label ‘k’ and value not in the given set

Ports

Calico supports the following syntaxes for expressing ports.

Syntax Example Description
int 80 The exact (numeric) port specified
start:end 6040:6050 All (numeric) ports within the range start <= x <= end
string named-port A named port, as defined in the ports list of one or more endpoints

An individual numeric port may be specified as a YAML/JSON integer. A port range or named port must be represented as as a string. For example, this would be a valid list of ports:

ports: [8080, "1234:5678", "named-port"]
Named ports

Using a named port in an EntityRule, instead of a numeric port, gives a layer of indirection, allowing for the named port to map to different numeric values for each endpoint.

For example, suppose you have multiple HTTP servers running as workloads; some exposing their HTTP port on port 80 and others on port 8080. In each workload, you could create a named port called http-port that maps to the correct local port. Then, in a rule, you could refer to the name http-port instead of writing a different rule for each type of server.

NOTE: Since each named port may refer to many endpoints (and Calico has to expand a named port into a set of endpoint/port combinations), using a named port is considerably more expensive in terms of CPU than using a simple numeric port. We recommend that they are used sparingly, only where the extra indirection is required.

ServiceAccountMatch

A ServiceAccountMatch matches service accounts in an EntityRule.

Field Description Schema
names Match service accounts by name list of strings
selector Match service accounts by label selector

Application layer policy

Application layer policy is an optional feature of Calico and must be enabled in order to use the following match criteria.

NOTE: Application layer policy match criteria are supported with the following restrictions.

  • Only ingress policy is supported. Egress policy must not contain any application layer policy match clauses.
  • Rules must have the action Allow if they contain application layer policy match clauses.

HTTPMatch

An HTTPMatch matches attributes of an HTTP request. The presence of an HTTPMatch clause on a Rule will cause that rule to only match HTTP traffic. Other application layer protocols will not match the rule.

Example:

http:
  methods: ["GET", "PUT"]
  paths:
    - exact: "/projects/calico"
    - prefix: "/users"
Field Description Schema
methods Match HTTP methods. Case sensitive. Standard HTTP method descriptions. list of strings
paths Match HTTP paths. Case sensitive. list of HTTPPathMatch

HTTPPathMatch

Syntax Example Description
exact exact: "/foo/bar" Matches the exact path as written, not including the query string or fragments.
prefix prefix: "/keys" Matches any path that begins with the given prefix.

Supported operations

Datastore type Create/Delete Update Get/List Notes
etcdv3 Yes Yes Yes  
Kubernetes API server No No Yes Calico profiles are pre-assigned for each Namespace.