I am using calico 2.6 with docker 17.09.0-ce and it is working fine. I only have 2 questions that I cannot find an answer to.

1) How do I turn off the calico/felix iptables rules completely? I was thinking this might work with the CALICO_LIBNETWORK_CREATE_PROFILES=false environment variable, but the iptables rules are still set. Or alternatively, how do I set the system to "allow all"?

2) If the answer to 1) is that this is not possible, then how do I allow any host in the cluster to talk to (e.g. ping or curl) any workloadEndpoint? I can talk to the workloads from the host the workload is running on, but not from any other host in the cluster. I've tried applying a profile with "egress: action: allow" and "ingress: action: allow", but it still blocks the traffic from other hosts. I verified that it is really due to the iptables rules that calico generates by tracing them and also by disabling them; then it works. I used the following script after stopping the calico/node container: https://github.com/projectcalico/calico/blob/master/hack/remove-calico-policy/remove-calico-policy.sh

By the way, the FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT flag also does not seem to work.

cs224
  • 328
  • 2
  • 12

1 Answer

1

I just got a reply via the slack channel: https://calicousers.slack.com/archives/C0BCA44LA/p1512125998000122

The answer is to use a policy file like the below:

apiVersion: v1
kind: policy
metadata:
  name: allow-all
spec:
  selector: "all()"
  types:
  - ingress
  - egress
  ingress:
  - action: allow
  egress:
  - action: allow

cs224
  • 328
  • 2
  • 12
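The policy in the answer above removes all segmentation between workloads, so a practitioner rolling it out would want a way to spot such policies before they reach a cluster. The following script is an added example, not code from the post or from the Calico project: it audits Calico v1-style policy documents for unconditional allow rules. Policies are passed as plain dicts in the shape `yaml.safe_load()` would produce for the answer's YAML (so it runs without PyYAML); the second, narrower policy and its CIDR are constructed illustrations, and the `source`/`destination`/`protocol` rule keys it checks are assumed from the v1 Rule shape.

```python
"""Audit Calico (v1 API) policy documents for allow-all rules.

Added example, not code from the Stack Overflow post or from Calico.
Policies are plain dicts matching what yaml.safe_load() would return
for the answer's YAML, so the script runs offline without PyYAML.
"""

# Constructed: the allow-all policy from the answer, as a dict.
ALLOW_ALL_POLICY = {
    "apiVersion": "v1",
    "kind": "policy",
    "metadata": {"name": "allow-all"},
    "spec": {
        "selector": "all()",
        "types": ["ingress", "egress"],
        "ingress": [{"action": "allow"}],
        "egress": [{"action": "allow"}],
    },
}

# Constructed: a hypothetical narrower policy that only allows ingress
# from one network and denies the rest. Field names follow the v1 Rule
# shape (assumed); the CIDR is a placeholder, not a real network.
RESTRICTED_POLICY = {
    "apiVersion": "v1",
    "kind": "policy",
    "metadata": {"name": "allow-from-hosts"},
    "spec": {
        "selector": "all()",
        "types": ["ingress"],
        "ingress": [
            {"action": "allow", "source": {"nets": ["192.0.2.0/24"]}},
            {"action": "deny"},
        ],
    },
}

# Rule keys that narrow what an "allow" matches (assumed v1 Rule fields).
RESTRICTING_KEYS = {"source", "destination", "protocol", "notProtocol",
                    "icmp", "notICMP"}


def rule_is_unconditional_allow(rule):
    """True when a rule allows traffic with no source/destination/protocol match."""
    if rule.get("action") != "allow":
        return False
    return not (RESTRICTING_KEYS & set(rule))


def audit_policy(policy):
    """Return a list of finding strings for one policy dict."""
    findings = []
    spec = policy.get("spec", {})
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    selector = spec.get("selector", "")
    # An empty or all() selector applies the policy to every endpoint.
    wide_selector = selector.replace(" ", "") in ("all()", "")
    # If "types" is absent, fall back to whichever rule lists are present.
    directions = spec.get("types") or [d for d in ("ingress", "egress") if d in spec]
    for direction in directions:
        for idx, rule in enumerate(spec.get(direction, [])):
            if rule_is_unconditional_allow(rule):
                scope = "every endpoint" if wide_selector else f"selector {selector!r}"
                findings.append(
                    f"{name}: {direction} rule {idx} allows all traffic for {scope}")
                break  # rules are first-match; later rules are unreachable
    return findings


def audit_policies(policies):
    """Audit several policies; returns {name: findings} for policies with findings."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_policies([ALLOW_ALL_POLICY, RESTRICTED_POLICY]).items():
        for line in findings:
            print("WARN", line)
```

Run against the two constructed policies it reports the allow-all policy in both directions and stays silent on the restricted one; in practice you would feed it the output of `calicoctl get policy -o yaml` parsed with a YAML library.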