Hi!
While trying to configure global and namespaced network policies for the first time, I'm struggling to fully understand how to specify my selectors.
The specific issue at the moment is with pods running with hostNetwork: true.
I'm trying to allow access to the cluster DNS service in the kube-system namespace.
```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: cluster-dns
spec:
  # TODO: doesn't work?
  # selector: k8s-app == 'kube-dns'
  types:
    - Ingress
  ingress:
    # Allow from host & pod networks
    - action: Allow
      protocol: UDP
      destination:
        ports:
          - 53
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
```
This works fine, but trying to use a selector to specify that only the kube-dns pods should be allowed as the destination fails miserably.
At first I thought it would even work with a namespaced network policy targeting the pod specifically, but this seems to only work for pods not running with the host network.
I've also tried enabling applyOnForward and preDNAT without luck. I didn't, however, try to target the service cluster IP itself.
This must be a common issue when allowing the cluster DNS to function?
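For reference, this is what the selector-scoped form of the policy from the post looks like when the selector is uncommented and the policy is restricted to the kube-system namespace. It is an added example, not the poster's configuration or Calico project code: it reuses the CIDRs from the post and assumes that the kube-dns pods carry the label k8s-app=kube-dns and that the namespace carries the kubernetes.io/metadata.name label (set automatically on recent Kubernetes versions). The caveat the post runs into is noted in the comments: spec.selector in a GlobalNetworkPolicy matches Calico workload endpoints, i.e. pods that Calico networks, and a pod running with hostNetwork: true has no Calico workload endpoint, so a pod-label selector does not match it. Traffic to and from such a pod is host traffic on the node, which is why the unselected, cluster-wide version of the rule was the one that worked.

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: cluster-dns-selected
spec:
  # Apply the policy only to the kube-dns pods instead of to every
  # endpoint in the cluster. NOTE: this matches Calico workload
  # endpoints (Calico-networked pods). A pod with hostNetwork: true has
  # no workload endpoint, so this selector will not match it and the
  # rule below will not be enforced for it.
  selector: k8s-app == 'kube-dns'
  # Assumed: the namespace carries the standard metadata.name label.
  namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
  types:
    - Ingress
  ingress:
    # Allow DNS queries from the host, the service CIDR and the pod
    # CIDR (CIDRs taken from the post).
    - action: Allow
      protocol: UDP
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
      destination:
        ports:
          - 53
    # DNS falls back to TCP for responses that do not fit in a UDP
    # datagram, so allow TCP/53 from the same sources as well.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 127.0.0.1/32
          - 10.96.0.0/16
          - 192.168.0.0/16
      destination:
        ports:
          - 53
```

Apply it with calicoctl apply -f (or kubectl if the Calico API server is installed) and check which endpoints it actually attached to; if the DNS pods run with hostNetwork: true, the selected endpoint list will be empty, which is the symptom described above.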