Auto Host Endpoints: support default deny

[surajssd]

Problem && Current Behavior

I have deployed kube controllers and it created following HostEndpoint automatically:

apiVersion: crd.projectcalico.org/v1
kind: HostEndpoint
metadata:     
  name: suraj-lk-cluster-pool-1-worker-0-auto-hep
...
spec:
  profiles: 
  - projectcalico-default-allow
...

Now the problem is it has added this field called profiles with automatic value of projectcalico-default-allow. Now using Calico on Kubernetes, which is deployed in standard way does not have Profiles CRD.

Possible Solution

Profile docs here https://docs.projectcalico.org/reference/resources/profile say following:

For historic reasons, Profiles can also include policy rules, but that feature is deprecated in favor of the much more flexible NetworkPolicy and GlobalNetworkPolicy resources.

Like the docs say we make heavy use of GlobalNetworkPolicy. Add a knob to disable adding any profiles information. An env var or something in KubeControllersConfiguration.

Let me know what am I doing wrong?

Context

I cannot make use of calico version v3.14.0 with kube controller.

Your Environment

• Calico version: v3.14.0
• Orchestrator version: Kubernetes
• Operating System and version: Flatcar Container Linux 2247.7.0
• Link to your project (optional): https://github.com/kinvolk/lokomotive/pull/415

[caseydavenport]

That profile is actually intended to be there - it's not a real profile (stored via a CRD) but rather a dummy value that Calico knows about internally which is used to enable "default allow until selected behavior"

It's not expected to be something that you need to edit, etc. and GlobalNetworkPolicies should still work as expected.

[caseydavenport]

Is the issue that a profile exists? Or is there another symptom that you're experiencing?

[caseydavenport]

Adjusting title to be a feature request: support for default deny on automatically created host endpoints (which is what I assume you're looking for based on the description)