Profile Resource (Profile)

A profile resource (Profile) represents a set of rules which are applied to the individual endpoints to which this profile has been assigned.

Each Calico endpoint or host endpoint can be assigned to zero or more profiles.

See also NetworkPolicy and GlobalNetworkPolicy, which provide an alternative way to select the policy that is applied to an endpoint.

For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case insensitive): profile, profiles, pro, pros.

Sample YAML

The following sample profile allows all traffic from endpoints that have the profile label set to profile1 (i.e. endpoints that reference this profile), except that all traffic from 10.0.20.0/24 is denied.

apiVersion: projectcalico.org/v3
kind: Profile
metadata:
  name: profile1
  labels:
    profile: profile1
spec:
  ingress:
  - action: Deny
    source:
      nets:
      - 10.0.20.0/24
  - action: Allow
    source:
      selector: profile == 'profile1'
  egress:
  - action: Allow

Definition

Metadata

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| name | The name of the profile. Required. | Alphanumeric string with optional ., _, or -. | string | |
| labels | A set of labels for this profile. | | map of string key to string values | |
| tags (deprecated) | A list of tag names to apply to endpoints using this profile. | | list of strings | |

Spec

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| ingress | The ingress rules belonging to this profile. | | List of Rule | |
| egress | The egress rules belonging to this profile. | | List of Rule | |
| labelsToApply | An optional set of labels to apply to each endpoint in this profile (in addition to the endpoint's own labels). | | map | |

Rule

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| action | Action to perform when matching this rule. | Allow, Deny, Log, Pass | string | |
| protocol | Positive protocol match. | TCP, UDP, ICMP, ICMPv6, SCTP, UDPLite, 1-255 | string or integer | |
| notProtocol | Negative protocol match. | TCP, UDP, ICMP, ICMPv6, SCTP, UDPLite, 1-255 | string or integer | |
| icmp | ICMP match criteria. | | ICMP | |
| notICMP | Negative match on ICMP. | | ICMP | |
| ipVersion | Positive IP version match. | 4, 6 | integer | |
| source | Source match parameters. | | EntityRule | |
| destination | Destination match parameters. | | EntityRule | |
| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | HTTPMatch | |

An action of Pass skips over the remaining policies and jumps to the first profile assigned to the endpoint, applying the policy configured in that profile; if no profiles are configured for the endpoint, the default action applied is Deny.

ICMP

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| type | Match on ICMP type. | Can be integer 0-254 | integer | |
| code | Match on ICMP code. | Can be integer 0-255 | integer | |

EntityRule

| Field | Description | Accepted Values | Schema | Default |
| --- | --- | --- | --- | --- |
| nets | Match packets with IP in any of the listed CIDRs. | List of valid IPv4 or IPv6 CIDRs | list of cidrs | |
| notNets | Negative match on CIDRs. Match packets with IP not in any of the listed CIDRs. | List of valid IPv4 or IPv6 CIDRs | list of cidrs | |
| selector | Positive match on selected endpoints. If a namespaceSelector is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. | Valid selector | selector | |
| notSelector | Negative match on selected endpoints. If a namespaceSelector is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. | Valid selector | selector | |
| namespaceSelector | Positive match on selected namespaces. If specified, only workload endpoints in the selected Kubernetes namespaces are matched. Matches namespaces based on the labels that have been applied to the namespaces. Defines the context that selectors apply to; if not defined, selectors apply to the NetworkPolicy's namespace. | Valid selector | selector | |
| ports | Positive match on the specified ports. | | list of ports | |
| notPorts | Negative match on the specified ports. | | list of ports | |
| serviceAccounts | Match endpoints running under service accounts. If a namespaceSelector is also defined, the set of service accounts this applies to is limited to the service accounts in the selected namespaces. Application layer policy must be enabled to use this field. | | ServiceAccountMatch | |

Selector

A label selector is an expression which either matches or does not match a resource based on its labels.

Calico label selectors support a number of syntactic primitives. Each of the following primitive expressions can be combined using the logical operator &&.

| Syntax | Meaning |
| --- | --- |
| all() | Match all resources. |
| k == 'v' | Matches any resource with the label 'k' and value 'v'. |
| k != 'v' | Matches any resource with the label 'k' and value that is not 'v'. |
| has(k) | Matches any resource with label 'k', independent of value. |
| !has(k) | Matches any resource that does not have label 'k'. |
| k in { 'v1', 'v2' } | Matches any resource with label 'k' and value in the given set. |
| k not in { 'v1', 'v2' } | Matches any resource without label 'k', or any with label 'k' and value not in the given set. |
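As an added example (not part of the Calico documentation or code base), the following Python models the Selector table above together with the first-match and Pass semantics described under Rule: each selector is compiled into a predicate over a label map, a rule's source nets/notNets and selector/notSelector are checked, and rules are evaluated in order until one decides. SAMPLE_PROFILE is the sample YAML from the top of this page rewritten as a Python dict. The packet representation (source IP plus the source endpoint's labels), the omission of protocol, port and destination matching, the literal reading of the table's != row (the label must be present), and the Deny verdict when policy rules exist but none matches are all simplifications made for this example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

Labels = Dict[str, str]
Predicate = Callable[[Labels], bool]
_KEY = r"[A-Za-z0-9_./-]+"

def _values(inner: str) -> set:
    return set(re.findall(r"'([^']*)'", inner))  # members of { 'v1', 'v2' }

# One (pattern, builder) pair per primitive in the Selector table.
_PRIMITIVES = [
    (re.compile(r"all\(\)"), lambda m: lambda lb: True),
    (re.compile(rf"!has\(\s*({_KEY})\s*\)"), lambda m: lambda lb: m.group(1) not in lb),
    (re.compile(rf"has\(\s*({_KEY})\s*\)"), lambda m: lambda lb: m.group(1) in lb),
    (re.compile(rf"({_KEY})\s*==\s*'([^']*)'"),
     lambda m: lambda lb: lb.get(m.group(1)) == m.group(2)),
    # Taken literally from the table: != requires label k to be present.
    (re.compile(rf"({_KEY})\s*!=\s*'([^']*)'"),
     lambda m: lambda lb: m.group(1) in lb and lb[m.group(1)] != m.group(2)),
    # "not in" also matches resources that lack label k entirely.
    (re.compile(rf"({_KEY})\s+not\s+in\s*\{{([^}}]*)\}}"),
     lambda m: lambda lb: lb.get(m.group(1)) not in _values(m.group(2))),
    (re.compile(rf"({_KEY})\s+in\s*\{{([^}}]*)\}}"),
     lambda m: lambda lb: lb.get(m.group(1)) in _values(m.group(2))),
]

def parse_selector(expr: str) -> Predicate:
    """Compile a selector into a predicate over a label map; primitives join with && only."""
    preds: List[Predicate] = []
    for part in expr.split("&&"):
        part = part.strip()
        for pattern, build in _PRIMITIVES:
            m = pattern.fullmatch(part)
            if m:
                preds.append(build(m))
                break
        else:
            raise ValueError(f"unsupported selector primitive: {part!r}")
    return lambda labels: all(p(labels) for p in preds)

def _ip_in(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def rule_matches(rule: dict, src_ip: str, src_labels: Labels) -> bool:
    """Source-side EntityRule match only; protocol, ports and destination are not modelled."""
    src = rule.get("source", {})
    if "nets" in src and not _ip_in(src_ip, src["nets"]):
        return False
    if "notNets" in src and _ip_in(src_ip, src["notNets"]):
        return False
    if "selector" in src and not parse_selector(src["selector"])(src_labels):
        return False
    if "notSelector" in src and parse_selector(src["notSelector"])(src_labels):
        return False
    return True

def _first_verdict(rules: List[dict], src_ip: str, src_labels: Labels) -> Optional[str]:
    # First matching rule decides; a Log rule records the hit and evaluation continues.
    for rule in rules:
        if rule_matches(rule, src_ip, src_labels):
            if rule["action"] == "Log":
                print(f"LOG: {src_ip} {src_labels} matched {rule}")
                continue
            return rule["action"]
    return None

def evaluate_ingress(policy_rules: List[dict], profiles: List[dict],
                     src_ip: str, src_labels: Labels) -> str:
    """Verdict for one inbound packet. Pass skips the remaining policy rules and jumps to
    the endpoint's profiles; with no profile the result is Deny (Rule section). Policy rules
    that exist but never match also yield Deny here, a modelling assumption."""
    if policy_rules:
        verdict = _first_verdict(policy_rules, src_ip, src_labels)
        if verdict is None:
            return "Deny"
        if verdict != "Pass":
            return verdict
    for profile in profiles:  # with no policy rules, the profiles apply directly
        verdict = _first_verdict(profile["spec"]["ingress"], src_ip, src_labels)
        if verdict is not None:
            return verdict
    return "Deny"

# The sample Profile from this page, as a Python dict.
SAMPLE_PROFILE = {
    "metadata": {"name": "profile1", "labels": {"profile": "profile1"}},
    "spec": {
        "ingress": [
            {"action": "Deny", "source": {"nets": ["10.0.20.0/24"]}},
            {"action": "Allow", "source": {"selector": "profile == 'profile1'"}},
        ],
        "egress": [{"action": "Allow"}],
    },
}
```

Because the Deny rule for 10.0.20.0/24 comes first, a source in that range is denied even when it carries the profile1 label; any other source with the label is allowed, and one without the label falls off the end of the list.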

Ports

Calico supports the following syntaxes for expressing ports.

| Syntax | Example | Description |
| --- | --- | --- |
| int | 80 | The exact (numeric) port specified |
| start:end | 6040:6050 | All (numeric) ports within the range start <= x <= end |
| string | named-port | A named port, as defined in the ports list of one or more endpoints |

An individual numeric port may be specified as a YAML/JSON integer. A port range or named port must be represented as a string. For example, this would be a valid list of ports:

ports: [8080, "1234:5678", "named-port"]

Named ports

Using a named port in an EntityRule, instead of a numeric port, gives a layer of indirection, allowing for the named port to map to different numeric values for each endpoint.

For example, suppose you have multiple HTTP servers running as workloads; some exposing their HTTP port on port 80 and others on port 8080. In each workload, you could create a named port called http-port that maps to the correct local port. Then, in a rule, you could refer to the name http-port instead of writing a different rule for each type of server.

NOTE: Since each named port may refer to many endpoints (and Calico has to expand a named port into a set of endpoint/port combinations), using a named port is considerably more expensive in terms of CPU than using a simple numeric port. We recommend that they are used sparingly, only where the extra indirection is required.
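To show how the three port syntaxes and the named-port indirection play out, here is an added Python example (not Calico's code): parse_port classifies each entry of a ports list according to the Ports table, port_matches checks one endpoint and port against a rule's ports list, and named_port_expansions returns the (endpoint, numeric port) pairs a named port must be expanded into, which is the per-endpoint work the NOTE above describes. The Endpoint class, the endpoints web-a, web-b and db with their http-port mappings, and the allowed character set for port names are constructed for this example, and a purely numeric string is treated as a single port here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

PortSpec = Union[int, str]
_RANGE = re.compile(r"^(\d{1,5}):(\d{1,5})$")
# Assumed shape of a port name (lower-case alphanumerics and '-'); not specified on this page.
_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


@dataclass
class Endpoint:
    name: str
    named_ports: Dict[str, int] = field(default_factory=dict)  # the endpoint's own ports list


def parse_port(spec: PortSpec) -> Tuple[str, object, object]:
    """Classify a ports-list entry as ('exact', n, n), ('range', lo, hi) or ('named', name, None)."""
    if isinstance(spec, bool):
        raise TypeError("booleans are not ports")
    if isinstance(spec, int):
        if not 0 <= spec <= 65535:
            raise ValueError(f"port out of range: {spec}")
        return ("exact", spec, spec)
    if not isinstance(spec, str):
        raise TypeError(f"unsupported port spec: {spec!r}")
    m = _RANGE.match(spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {spec}")
        return ("range", lo, hi)
    if spec.isdigit():
        return parse_port(int(spec))  # a numeric string is accepted as one exact port here
    if _NAME.match(spec):
        return ("named", spec, None)
    raise ValueError(f"invalid port spec: {spec!r}")


def is_valid_port(spec: PortSpec) -> bool:
    try:
        parse_port(spec)
        return True
    except (TypeError, ValueError):
        return False


def port_matches(ports: List[PortSpec], endpoint: Endpoint, port: int) -> bool:
    """Does traffic to `port` on `endpoint` satisfy the rule's ports list?
    Numeric entries match directly; named entries go through the endpoint's own mapping."""
    for spec in ports:
        kind, a, b = parse_port(spec)
        if kind == "named":
            if endpoint.named_ports.get(a) == port:
                return True
        elif a <= port <= b:
            return True
    return False


def named_port_expansions(ports: List[PortSpec], endpoints: List[Endpoint]) -> Set[Tuple[str, int]]:
    """The (endpoint name, numeric port) pairs each named port expands to across the given
    endpoints; numeric entries need no expansion, which is why they are cheaper."""
    out: Set[Tuple[str, int]] = set()
    for spec in ports:
        kind, name, _ = parse_port(spec)
        if kind != "named":
            continue
        for ep in endpoints:
            if name in ep.named_ports:
                out.add((ep.name, ep.named_ports[name]))
    return out


# Constructed example: the page's HTTP-server scenario plus the sample ports list.
WEB_A = Endpoint("web-a", {"http-port": 80})
WEB_B = Endpoint("web-b", {"http-port": 8080})
DB = Endpoint("db")
RULE_PORTS: List[PortSpec] = [8080, "1234:5678", "http-port"]
```

The same entry "http-port" resolves to 80 on web-a and 8080 on web-b, while db, which defines no such port, is only reachable through the numeric entries.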

Application layer policy

Application layer policy is an optional feature of Calico and must be enabled in order to use the following match criteria.

NOTE: Application layer policy match criteria are supported with the following restrictions.

  • Only ingress policy is supported. Egress policy must not contain any application layer policy match clauses.
  • Rules must have the action Allow if they contain application layer policy match clauses.

ServiceAccountMatch

A ServiceAccountMatch matches service accounts in an EntityRule.

| Field | Description | Schema |
| --- | --- | --- |
| names | Match service accounts by name | list of strings |
| selector | Match service accounts by label | selector |

HTTPMatch

An HTTPMatch matches attributes of an HTTP request. The presence of an HTTPMatch clause on a Rule will cause that rule to only match HTTP traffic. Other application layer protocols will not match the rule.

Example:

http:
  methods: ["GET", "PUT"]
  paths:
    - exact: "/projects/calico"
    - prefix: "/users"

| Field | Description | Schema |
| --- | --- | --- |
| methods | Match HTTP methods. Case sensitive. Standard HTTP method descriptions. | list of strings |
| paths | Match HTTP paths. Case sensitive. | list of HTTPPathMatch |

HTTPPathMatch

| Syntax | Example | Description |
| --- | --- | --- |
| exact | exact: "/foo/bar" | Matches the exact path as written, not including the query string or fragments. |
| prefix | prefix: "/keys" | Matches any path that begins with the given prefix. |
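As an added example (not Calico's own code), the following Python evaluates an HTTPMatch clause against a single request according to the HTTPMatch and HTTPPathMatch tables, and checks the two restrictions listed under Application layer policy (ingress only, action Allow) for any rule that carries an http or serviceAccounts clause. EXAMPLE_HTTP is the http example from the HTTPMatch section as a dict; representing a request as a method string plus its request-target string, and the wording of the problem messages, are this example's own choices.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def http_matches(http: Dict, method: str, request_target: str) -> bool:
    """Evaluate an HTTPMatch clause against one HTTP request.

    methods is a case-sensitive exact match; an exact path ignores the query string
    and fragment, a prefix path matches any path that starts with it (plain string
    prefix, so "/users" also matches "/usersXYZ"). Absent fields impose no constraint.
    """
    if "methods" in http and method not in http["methods"]:
        return False
    path = urlsplit(request_target).path  # strips ?query and #fragment
    if "paths" not in http:
        return True
    for pm in http["paths"]:
        if "exact" in pm and path == pm["exact"]:
            return True
        if "prefix" in pm and path.startswith(pm["prefix"]):
            return True
    return False


def app_layer_rule_problems(direction: str, rule: Dict) -> List[str]:
    """Apply the two restrictions under Application layer policy to one rule: an http
    or serviceAccounts clause is only valid in ingress and only with action Allow.
    Returns an empty list when the rule is acceptable."""
    uses_app_layer = "http" in rule or any(
        "serviceAccounts" in rule.get(side, {}) for side in ("source", "destination"))
    if not uses_app_layer:
        return []
    problems = []
    if direction != "ingress":
        problems.append("application layer match clauses are only supported in ingress rules")
    if rule.get("action") != "Allow":
        problems.append("rules with application layer match clauses must have action Allow")
    return problems


# The http example from the HTTPMatch section, as a dict.
EXAMPLE_HTTP = {
    "methods": ["GET", "PUT"],
    "paths": [{"exact": "/projects/calico"}, {"prefix": "/users"}],
}
```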

Supported operations

| Datastore type | Create/Delete | Update | Get/List | Notes |
| --- | --- | --- | --- | --- |
| etcdv3 | Yes | Yes | Yes | |
| Kubernetes API server | No | No | Yes | Calico profiles are pre-assigned for each Namespace. |