Calico states the default network policy is to "deny" and yet RKE2's Calico behavior differs

[jskillin-idt]

This is a fairly simple question, I hope! I am trying to understand how RKE2's custom installation of Calico differs from the officially documented version. RKE2 provides very little documentation on its use of Calico, beyond viewing the values.yaml from the RKE2 chart repo.

The issue I'm struggling with is trying to use Calico as the thing that manages the firewall rules on the nodes it's installed on. The documentation states that Calico, by default, denies traffic in several places (here and here) but I have not found this to be true in RKE2's particular version.

Is the RKE2 installation of Calico intended to manage the host firewall? Is it capable of that with just the crd.projectcalico.org/v1 CRDs installed? Or is it intended to only manage the transition between host and pod traffic?

[jskillin-idt]

It might be worth documenting the relationship between RKE2 and the rest of the Calico tools, as well. It appears that RKE2 is missing the Calico API server and its associated CRDs which would enable a safer customization of Calico:
projectcalico/calico#6412 (comment)

[brandond]

Calico blocks all traffic to/from workload interfaces by default; allowing traffic only if the interface is known and policy is in place.
However, for host endpoints, Calico is more lenient; it only polices traffic to/from interfaces that it's been explicitly told about. Traffic to/from other interfaces is left alone.

Does Calico protect a local host from workloads?
Yes. DefaultEndpointToHostAction controls whether or not workloads can access their local host.

Does Calico protect a workload from the host it is running on?
No. Calico allows connections the host makes to the workloads running on that host. Some orchestrators like Kubernetes depend on this connectivity for health checking the workload. Moreover, processes running on the local host are often privileged enough to override local Calico policy. Be very cautious with the processes that you allow to run in the host's root network namespace.

I don't see anything in those docs that suggests Calico restricts external access to the node by default. "Workload interfaces" would be pod networking, not interfaces on the host.

Also, note that Kubernetes Network Polices control traffic within the cluster; ie to/from pods. Traffic to nodes is not within the scope of what is managed by Network Policies.