
The Recommended default deny policy should allow DNS over TCP #8224

Closed
wallrj opened this issue Nov 15, 2023 · 1 comment · Fixed by tigera/docs#1096

Comments


wallrj commented Nov 15, 2023

The Calico documentation currently contains the following paragraph and sample default deny policy, which allows DNS over UDP to kube-dns from Pods in all namespaces.

I think it should also allow DNS over TCP.

As an alternative best practice we recommend to use the following example, which applies a default-deny behaviour to all non-system pods. The policy also allows access to kube-dns, which simplifies per pod policies since you don't need to duplicate the DNS rules in every policy.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-app-policy
spec:
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
  - Ingress
  - Egress
  egress:
  # allow all namespaces to communicate to DNS pods
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53

The coredns in my Kind cluster is certainly configured to allow DNS over TCP:

$ kubectl get svc -n kube-system kube-dns
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   6m59s
$ kubectl run dig --attach --rm --restart=Never --image nixery.dev/dnsutils -- dig @kube-dns.kube-system.svc.cluster.local kubernetes.default.svc.cluster.local. A +tcp

; <<>> DiG 9.18.19 <<>> @kube-dns.kube-system.svc.cluster.local kubernetes.default.svc.cluster.local. A +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53329
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb4d0b9fc7279ae9 (echoed)
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN A

;; ANSWER SECTION:
kubernetes.default.svc.cluster.local. 4 IN A    10.96.0.1

;; Query time: 10 msec
;; SERVER: 10.96.0.10#53(kube-dns.kube-system.svc.cluster.local) (TCP)
;; WHEN: Wed Nov 15 09:57:05 UTC 2023
;; MSG SIZE  rcvd: 129

pod "dig" deleted

xref:

@matthewdupre (Member):

Agreed, DNS over TCP should generally be allowed wherever DNS over UDP is.
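The two comments above make a general point: every egress rule that allows UDP/53 to the DNS pods needs a TCP/53 twin with the same destination, otherwise responses that exceed the UDP payload limit (the server sets the TC bit and the resolver retries over TCP) are silently dropped by the default-deny policy. The following Python is an added example, not code from the Calico project, the Calico docs or the issue author: it loads a constructed copy of the quoted `deny-app-policy`, reports UDP/53 allow rules that lack a TCP/53 counterpart, and emits a patched policy with the missing rule inserted. Only the `projectcalico.org/v3` GlobalNetworkPolicy fields that appear on the page are used; the helper names (`missing_tcp_dns_rules`, `add_tcp_dns_rules`) are this example's own.

```python
"""Audit a Calico GlobalNetworkPolicy for DNS egress rules that allow UDP/53
but not TCP/53, and emit a patched copy with the missing TCP rule.

Added example; not code from the Calico project or the issue author.
DOC_POLICY is a constructed copy of the sample quoted in the issue.
"""
import copy
import json

DNS_PORT = 53

# Constructed copy of the documented default-deny policy (UDP-only DNS rule).
DOC_POLICY = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "GlobalNetworkPolicy",
    "metadata": {"name": "deny-app-policy"},
    "spec": {
        "namespaceSelector": (
            "has(projectcalico.org/name) && projectcalico.org/name not in "
            '{"kube-system", "calico-system", "calico-apiserver"}'
        ),
        "types": ["Ingress", "Egress"],
        "egress": [
            {
                # allow all namespaces to communicate to DNS pods (UDP only)
                "action": "Allow",
                "protocol": "UDP",
                "destination": {
                    "selector": 'k8s-app == "kube-dns"',
                    "ports": [DNS_PORT],
                },
            }
        ],
    },
}


def _is_dns_allow(rule, protocol):
    """True if `rule` is an Allow over `protocol` to destination port 53."""
    dest = rule.get("destination", {})
    return (
        rule.get("action") == "Allow"
        and rule.get("protocol") == protocol
        and DNS_PORT in dest.get("ports", [])
    )


def missing_tcp_dns_rules(policy):
    """Return the UDP/53 allow rules with no TCP/53 rule to the same destination."""
    egress = policy["spec"].get("egress", [])
    tcp_dests = [r["destination"] for r in egress if _is_dns_allow(r, "TCP")]
    return [
        r for r in egress
        if _is_dns_allow(r, "UDP") and r["destination"] not in tcp_dests
    ]


def add_tcp_dns_rules(policy):
    """Return a deep copy of `policy` where every unmatched UDP/53 rule is
    followed by an identical rule with protocol TCP.

    The TCP twin is inserted right after its UDP rule so the relative order
    of the remaining rules (Calico matches rules in order) is unchanged.
    The input policy is not modified.
    """
    patched = copy.deepcopy(policy)
    egress = patched["spec"].setdefault("egress", [])
    for udp_rule in missing_tcp_dns_rules(patched):
        tcp_rule = copy.deepcopy(udp_rule)
        tcp_rule["protocol"] = "TCP"
        egress.insert(egress.index(udp_rule) + 1, tcp_rule)
    return patched


if __name__ == "__main__":
    # Print the audit result and the corrected policy as JSON (a YAML
    # superset, so it can be applied with calicoctl/kubectl as-is).
    gaps = missing_tcp_dns_rules(DOC_POLICY)
    print(f"UDP/53 rules without a TCP/53 twin: {len(gaps)}")
    print(json.dumps(add_tcp_dns_rules(DOC_POLICY), indent=2))
```

Running the script on the quoted policy reports one gap and prints the policy with a second egress rule, identical to the first except for `"protocol": "TCP"`; running it again on the patched output is a no-op, which is the property a pre-apply check in a policy CI pipeline would assert.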
