While trying to configure global and namespaced network policies for the first time, I struggle to completely understand how to specify my selectors.
The specific issue currently is with pods running
I’m trying to allow access to the cluster dns service in kube-system namespace.
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: cluster-dns
spec:
  # TODO: doesn't work?
  # selector: k8s-app == 'kube-dns'
  types:
    - Ingress
  ingress:
    # Allow from host & pod networks
    - action: Allow
      protocol: UDP
      destination:
        ports:
          - 53
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
```
This works fine. But trying to use a selector to specify that only the destination of kube-dns pods should be allowed fails miserably.
At first I thought it would even work with a namespaced network policy targeting the pod specifically. But this seems to only work for pods not running with the host network.
I've also tried enabling the applyOnForward and preDNAT without luck. I didn't however try to target the service cluster IP itself.
This must be a common issue, for allowing the cluster dns to function?
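For reference, here is the namespaced form of the same rule, as an added example that is not part of the original post. It is a Calico `NetworkPolicy` (not a Kubernetes `NetworkPolicy`) placed in `kube-system` and selecting the DNS pods by the `k8s-app == 'kube-dns'` label; the source CIDRs are taken from the global policy above, and the TCP rule and the label value are assumptions that should be checked against the actual DNS deployment. As the post notes, a pod-selector policy like this only governs traffic to pods on the pod network, so it does not by itself cover a DNS pod running with `hostNetwork: true`.

```yaml
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-cluster-dns
  namespace: kube-system
spec:
  # Assumed label; verify with: kubectl -n kube-system get pods --show-labels
  selector: k8s-app == 'kube-dns'
  types:
    - Ingress
  ingress:
    # DNS over UDP from the host, service and pod ranges used above
    - action: Allow
      protocol: UDP
      destination:
        ports:
          - 53
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
    # DNS over TCP (large responses, zone transfers); added here as an assumption
    - action: Allow
      protocol: TCP
      destination:
        ports:
          - 53
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
```

Apply with `calicoctl apply -f <file>` and confirm the selector matched something with `calicoctl get networkpolicy -n kube-system -o yaml`; a policy whose selector matches no endpoints allows nothing and is easy to mistake for a rule that "fails".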