Install calico GlobalNetworkPolicy via helm chart

Question

I am trying to install a calico GlobalNetworkPolicy that will be applicable to all the pods in the cluster regardless of namespace , and to apply GlobalNetworkPolicy as per docs here -

Calico network policies and Calico global network policies are applied using calicoctl

i.e calicoctl command (assuming calicoctl binary installed in the host) ->

calicoctl apply -f global-policy.yaml

OR if we have a calicoctl pod running ->

kubectl exec -ti -n kube-system calicoctl -- /calicoctl apply -f global-deny.yaml -o wide

global-policy.yaml ->

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: projectcalico.org/namespace == "kube-system"
  types:
  - Ingress
  - Egress

Question -> How do I install such a policy via helm chart ? As helm implicitly calls via kubectl and that causes error on install.

Error using kubectl or helm =>

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "default-deny" namespace: "" from "": no matches for kind "GlobalNetworkPolicy" in version "projectcalico.org/v3"

Answer 1

As per the Doc given by you Calico global network policy is a non-namespaced resource and can be applied to any kind of endpoint (pods, VMs, host interfaces) independent of namespace.

But you are using namespace in the Yaml, that might be the reason for the error. Kindly remove the name space and try again.

Because global network policies use kind: GlobalNetworkPolicy, they are grouped separately from kind: NetworkPolicy. For example, global network policies will not be returned from calicoctl get networkpolicy, and are rather returned from calicoctl get globalnetworkpolicy.

Below is the reference yaml from Doc :

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379

Refer For more information on Global Network Policy, Calico Install Via Helm and Calico command line tools.