Creating policy for basic connectivity
When a host endpoint is added, if there is no security policy for that endpoint, Calico will default to denying traffic to/from that endpoint, except for traffic that is allowed by the failsafe rules.
While the failsafe rules provide protection against removing all connectivity to a host:
They are overly broad in allowing inbound SSH on any interface and allowing traffic out to etcd’s ports on any interface.
Depending on your network, they may not cover all the ports that are required; for example, your network may rely on allowing ICMP, or DHCP.
Therefore, we recommend creating a failsafe Calico security policy that
is tailored to your environment. The example command below shows one
example of how you might do that; the command uses
calicoctl to create a single
policy resource, which:
- Applies to all known endpoints.
- Allows inbound ssh access from a defined “management” subnet.
- Allows outbound connectivity to etcd on a particular IP; if you have multiple etcd servers you should duplicate the rule for each destination.
- Allows inbound ICMP.
- Allows outbound UDP on port 67, for DHCP.
When running this command, replace the placeholders in angle brackets with appropriate values for your deployment.
cat << EOF | calicoctl create -f - - apiVersion: projectcalico.org/v3 kind: GlobalNetworkPolicy metadata: name: failsafe spec: selector: "all()" order: 0 ingress: - action: Allow protocol: TCP source: nets: - "<your management CIDR>" destination: ports:  - action: Allow protocol: ICMP egress: - action: Allow protocol: TCP destination: nets: - "<your etcd IP>/32" ports: [<your etcd ports>] - action: Allow protocol: UDP destination: ports:  EOF
Once you have such a policy in place, you may want to disable the failsafe rules.
Note: Packets that reach the end of the list of rules fall-through to the next policy (sorted by the
The selector in the policy,
all(), will match all endpoints, including any workload endpoints. If you have workload endpoints as well as host endpoints then you may wish to use a more restrictive selector. For example, you could label management interfaces with label
endpoint_type = managementand then use selector
endpoint_type == "management"
If you are using Calico for networking workloads, you should add inbound and outbound rules to allow BGP: add an ingress and egress rule to allow TCP traffic to destination port 179.