From 487f2e8151a2bf07ce16ac9d33dc3fb09454517d Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Wed, 15 Nov 2023 10:17:46 +0000 Subject: [PATCH] Allow TCP DNS queries to kube-dns in the default deny policy In https://github.com/cert-manager/website/pull/1344#discussion_r1393908103 we're discussing whether the default Calico deny policy should also allow TCP DNS queries. Is there a reason to block them? --- .../network-policy/get-started/kubernetes-default-deny.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/calico/network-policy/get-started/kubernetes-default-deny.mdx b/calico/network-policy/get-started/kubernetes-default-deny.mdx index 52cad07998..e33df48cec 100644 --- a/calico/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico/network-policy/get-started/kubernetes-default-deny.mdx @@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane.
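Review bot: the added TCP rule mirrors the existing UDP rule line for line (same `k8s-app == "kube-dns"` selector, same port 53), which is the right shape: resolvers retry over TCP when a UDP answer comes back truncated (responses larger than 512 bytes, which large service records or DNSSEC data can produce), so a UDP-only allow silently breaks those lookups instead of blocking anything that matters for the default-deny goal. The commit message, however, poses a question ("Is there a reason to block them?") rather than recording the rationale; suggest rewording it as a statement, e.g. "Allow TCP DNS queries to kube-dns so truncated-response fallback works", and keeping the website PR link only as supporting context, since readers of `git log` will otherwise not know why the second rule exists. Also worth a line in the surrounding mdx prose, which currently only says the policy allows DNS, noting that both UDP and TCP 53 are allowed and why.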