Network set

A network set resource (NetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.

NetworkSet is a namespaced resource. NetworkSets in a specific namespace only applies to network policies in that namespace. Two resources are in the same namespace if the namespace value is set the same on both. (See GlobalNetworkSet for non-namespaced network sets.)

The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a network policy rule, it includes the CIDRs from any network sets that match the selector.

Important: Since Calico matches packets based on their source/destination IP addresses, Calico rules may not behave as expected if there is NAT between the Calico-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico’s workload policy will see the kube-proxy’s host’s IP as the source instead of the real source.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): networkset, networksets, netsets.

Sample YAML

kind: NetworkSet
  name: external-database
  namespace: staging
    role: db

Network set definition


Field Description Accepted Values Schema Default
name The name of this network set. Required. Lower-case alphanumeric with optional _ or -. string  
namespace Namespace provides an additional qualification to a resource name.   string “default”
labels A set of labels to apply to this endpoint.   map  


Field Description Accepted Values Schema Default
nets The IP networks/CIDRs to include in the set. Valid IPv4 or IPv6 CIDRs, for example “” list