Closed StromBreaker10 closed 1 year ago
The field should be called "services".
Per the example from the docs:
```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-api-access
  namespace: my-app
spec:
  selector: all()
  egress:
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
```
https://docs.tigera.io/archive/v3.20/security/service-policy
We tried the field "services"; still the same error.
Could you provide the full yaml object you're trying to create?
```yaml
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-my-component
  namespace: my-namespace
spec:
  selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
  types:
    - Ingress
    - Egress
  ingress:
    - action: allow
      protocol: TCP
      source: {}
      destination:
        selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
        ports:
          - 8888
  egress:
    - action: allow
      protocol: TCP
      source:
        selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
      destination:
        serviceMatch:
          name: service-svc
          namespace: my-namespace
        ports:
          - 777
```
> apiVersion: crd.projectcalico.org/v1

Please see this issue: https://github.com/projectcalico/calico/issues/6412

> serviceMatch:

Like I said in my previous message, this is wrong. It needs to be services.
How does this field ("serviceMatch" or "services") work with version v1 and CRDs in Calico 3.15 (Kubernetes 1.21) and not in Calico 3.20 (Kubernetes 1.24)? We also have the Tigera resource apiserver running in our 1.24 env.
We are using the open source Calico and are not planning to migrate to the enterprise edition.
Is this field deprecated in latest versions?
Reminder on this issue. Please reopen the issue.

> Could you provide the full yaml object you're trying to create?

Could you please show me a valid Calico API object? The one that you included in your previous comment is not valid for the two reasons I suggested:
Until I have that I can't reasonably say this is a bug in Calico.
```yaml
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-my-component
  namespace: my-namespace
spec:
  selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
  types:
    - Ingress
    - Egress
  ingress:
    - action: allow
      protocol: TCP
      source: {}
      destination:
        selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
        ports:
          - 8888
  egress:
    - action: allow
      protocol: TCP
      source:
        selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
      destination:
        services:
          name: service-svc
          namespace: my-namespace
        ports:
          - 777
```
This is the yaml we tested; as you can see, we used the field "services" instead of services. Regarding the API version, we can't use v3 since we are using open source Calico, not the enterprise edition. We are using open source Calico and CRDs, hence v1, not v3.
> Regarding the API version, we can't use v3 since we are using open source Calico, not the enterprise edition. We are using open source Calico and CRDs, hence v1, not v3.

Open-source Calico is what we're talking about here - in OSS Calico, the v3 API is supported and the v1 API is not. It's not a matter of OSS vs Enterprise.
I am trying to create a network policy in a Kubernetes 1.24 and Calico 3.20 environment so that my component can connect to the database through a service by making use of the serviceMatch field. This solution worked for us in 1.21 and 3.15 and 1.24 and 3.15 without any errors. But when we upgraded Calico to 3.20 we are getting an unknown field error.
Network rule in NetworkPolicy yaml:
Error:
```
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(NetworkPolicy.spec.egress[2].destination): unknown field "serviceMatch" in org.projectcalico.crd.v1.NetworkPolicy.spec.egress.destination
```
Environment Details:
- kubernetes version: 1.24
- calico version: 3.20 (docker.io/calico/node:v3.20.0)
- networkpolicy api version: crd.projectcalico.org/v1
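
The two points raised in the replies above (the `projectcalico.org/v3` apiVersion and `services` in place of `serviceMatch`) can be checked before a manifest reaches the cluster. The following is an added example, not code from the thread or from Calico; the set of allowed source/destination keys is an assumption based on the Calico v3 rule reference, and the sample manifest is constructed from the one posted in this issue.

```python
# Added example: pre-flight lint for Calico NetworkPolicy manifests.
# Field names are an assumption taken from the Calico v3 rule reference;
# the sample manifest is constructed from the one quoted in this thread.

V3_API = "projectcalico.org/v3"
# Assumed set of keys valid under a rule's source/destination in the v3 API.
ENTITY_RULE_FIELDS = {
    "nets", "notNets", "selector", "notSelector", "namespaceSelector",
    "ports", "notPorts", "serviceAccounts", "services",
}
RENAMED = {"serviceMatch": "services"}  # per the maintainer's reply


def lint_policy(manifest):
    """Return a list of findings for one parsed NetworkPolicy manifest."""
    findings = []
    api = manifest.get("apiVersion")
    if api != V3_API:
        findings.append(f"apiVersion: {api!r} is not {V3_API!r}")
    spec = manifest.get("spec") or {}
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            for side in ("source", "destination"):
                entity = rule.get(side) or {}
                for key in sorted(set(entity) - ENTITY_RULE_FIELDS):
                    path = f"spec.{direction}[{i}].{side}"
                    hint = RENAMED.get(key)
                    msg = f'{path}: unknown field "{key}"'
                    findings.append(msg + (f' (use "{hint}")' if hint else ""))
    return findings


# Constructed sample: the egress rule from the thread, already parsed from YAML.
SAMPLE = {
    "apiVersion": "crd.projectcalico.org/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-my-component", "namespace": "my-namespace"},
    "spec": {
        "egress": [{
            "action": "allow",
            "protocol": "TCP",
            "destination": {
                "serviceMatch": {"name": "service-svc", "namespace": "my-namespace"},
                "ports": [777],
            },
        }],
    },
}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```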