diff --git a/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx b/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-cloud/network-policy/default-deny.mdx b/calico-cloud/network-policy/default-deny.mdx index 41ad23edb3..82216228ea 100644 --- a/calico-cloud/network-policy/default-deny.mdx +++ b/calico-cloud/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-cloud/tutorials/enterprise-security/default-deny.mdx b/calico-cloud/tutorials/enterprise-security/default-deny.mdx index 5844d362e7..23b5eab9e0 100644 --- a/calico-cloud/tutorials/enterprise-security/default-deny.mdx +++ b/calico-cloud/tutorials/enterprise-security/default-deny.mdx 
@@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-cloud_versioned_docs/version-18/network-policy/beginners/kubernetes-default-deny.mdx b/calico-cloud_versioned_docs/version-18/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-cloud_versioned_docs/version-18/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-cloud_versioned_docs/version-18/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-cloud_versioned_docs/version-18/network-policy/default-deny.mdx b/calico-cloud_versioned_docs/version-18/network-policy/default-deny.mdx index 41ad23edb3..82216228ea 100644 --- a/calico-cloud_versioned_docs/version-18/network-policy/default-deny.mdx +++ b/calico-cloud_versioned_docs/version-18/network-policy/default-deny.mdx 
@@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-cloud_versioned_docs/version-18/tutorials/enterprise-security/default-deny.mdx b/calico-cloud_versioned_docs/version-18/tutorials/enterprise-security/default-deny.mdx index 5844d362e7..23b5eab9e0 100644 --- a/calico-cloud_versioned_docs/version-18/tutorials/enterprise-security/default-deny.mdx +++ b/calico-cloud_versioned_docs/version-18/tutorials/enterprise-security/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-cloud_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx b/calico-cloud_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-cloud_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-cloud_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx 
@@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-cloud_versioned_docs/version-3.17/network-policy/default-deny.mdx b/calico-cloud_versioned_docs/version-3.17/network-policy/default-deny.mdx index 41ad23edb3..82216228ea 100644 --- a/calico-cloud_versioned_docs/version-3.17/network-policy/default-deny.mdx +++ b/calico-cloud_versioned_docs/version-3.17/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-cloud_versioned_docs/version-3.17/tutorials/enterprise-security/default-deny.mdx b/calico-cloud_versioned_docs/version-3.17/tutorials/enterprise-security/default-deny.mdx index 5844d362e7..23b5eab9e0 100644 --- a/calico-cloud_versioned_docs/version-3.17/tutorials/enterprise-security/default-deny.mdx +++ b/calico-cloud_versioned_docs/version-3.17/tutorials/enterprise-security/default-deny.mdx 
@@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: diff --git a/calico-enterprise/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-enterprise/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-enterprise/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-enterprise/network-policy/default-deny.mdx b/calico-enterprise/network-policy/default-deny.mdx index 9f3cb7043e..35e04604f1 100644 --- a/calico-enterprise/network-policy/default-deny.mdx +++ b/calico-enterprise/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: 
diff --git a/calico-enterprise_versioned_docs/version-3.15/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise_versioned_docs/version-3.15/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-enterprise_versioned_docs/version-3.15/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.15/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-enterprise_versioned_docs/version-3.15/network-policy/default-deny.mdx b/calico-enterprise_versioned_docs/version-3.15/network-policy/default-deny.mdx index 9f3cb7043e..35e04604f1 100644 --- a/calico-enterprise_versioned_docs/version-3.15/network-policy/default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.15/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: 
diff --git a/calico-enterprise_versioned_docs/version-3.16/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise_versioned_docs/version-3.16/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-enterprise_versioned_docs/version-3.16/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-enterprise_versioned_docs/version-3.16/network-policy/default-deny.mdx b/calico-enterprise_versioned_docs/version-3.16/network-policy/default-deny.mdx index 9f3cb7043e..35e04604f1 100644 --- a/calico-enterprise_versioned_docs/version-3.16/network-policy/default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: 
diff --git a/calico-enterprise_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-enterprise_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-enterprise_versioned_docs/version-3.17/network-policy/default-deny.mdx b/calico-enterprise_versioned_docs/version-3.17/network-policy/default-deny.mdx index 9f3cb7043e..35e04604f1 100644 --- a/calico-enterprise_versioned_docs/version-3.17/network-policy/default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: 
diff --git a/calico-enterprise_versioned_docs/version-3.18/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise_versioned_docs/version-3.18/network-policy/beginners/kubernetes-default-deny.mdx index 266e89ce26..51967876af 100644 --- a/calico-enterprise_versioned_docs/version-3.18/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/network-policy/beginners/kubernetes-default-deny.mdx @@ -91,6 +91,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/component-resources/node/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico-enterprise_versioned_docs/version-3.18/network-policy/default-deny.mdx b/calico-enterprise_versioned_docs/version-3.18/network-policy/default-deny.mdx index 9f3cb7043e..35e04604f1 100644 --- a/calico-enterprise_versioned_docs/version-3.18/network-policy/default-deny.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/network-policy/default-deny.mdx @@ -42,6 +42,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` Note the following: 
diff --git a/calico/network-policy/get-started/kubernetes-default-deny.mdx b/calico/network-policy/get-started/kubernetes-default-deny.mdx index fb497b96db..12eabf7100 100644 --- a/calico/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico/network-policy/get-started/kubernetes-default-deny.mdx @@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico_versioned_docs/version-3.24/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.24/network-policy/get-started/kubernetes-default-deny.mdx index 7753e06f86..e03687fd90 100644 --- a/calico_versioned_docs/version-3.24/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico_versioned_docs/version-3.24/network-policy/get-started/kubernetes-default-deny.mdx 
@@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico_versioned_docs/version-3.25/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.25/network-policy/get-started/kubernetes-default-deny.mdx index 7753e06f86..e03687fd90 100644 --- a/calico_versioned_docs/version-3.25/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico_versioned_docs/version-3.25/network-policy/get-started/kubernetes-default-deny.mdx 
@@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane. diff --git a/calico_versioned_docs/version-3.26/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.26/network-policy/get-started/kubernetes-default-deny.mdx index fb497b96db..12eabf7100 100644 --- a/calico_versioned_docs/version-3.26/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico_versioned_docs/version-3.26/network-policy/get-started/kubernetes-default-deny.mdx 
@@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane.
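Review bot: The `kubernetes-default-deny.mdx` hunks (`@@ -91,6 +91,12 @@` and `@@ -95,6 +95,12 @@`) add a `protocol: TCP` rule for port 53, but the paragraph after the code fence still only explains the namespace exclusion, so a reader has no stated reason for the second DNS rule. DNS falls back to TCP when a response is truncated or too large for UDP, and a default-deny policy that omits it produces intermittent resolution failures that are hard to trace. Add one sentence saying this after the fence, and the same under "Note the following:" in the `default-deny.mdx` pages.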
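Review bot: File coverage is uneven across the product trees: `calico-cloud` and its versioned copies change three pages each, including `tutorials/enterprise-security/default-deny.mdx`, while `calico-enterprise` changes only two per version and `calico` only `get-started/kubernetes-default-deny.mdx`. Please confirm that no other page in `calico-enterprise` or `calico` carries the same policy snippet without the TCP rule, so the published examples do not diverge between products.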
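Review bot: In every hunk the added rule's `destination` is scoped only by `selector: 'k8s-app == "kube-dns"'`, with no namespace constraint. If this is a global policy, as the negative `namespaceSelector` mentioned in the following paragraph suggests, any pod in any namespace that carries that label becomes a permitted TCP 53 destination. Consider adding a `namespaceSelector` under `destination` that pins the rule to the namespace where cluster DNS runs, or state in the surrounding text that the label is trusted cluster-wide.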