aws / aws-network-policy-agent

Egress rules: unable to resolve DNS

matrix-root opened this issue · comments

What happened:

I want to define an Egress policy for my namespace. However, if I add it, the pod is unable to perform DNS lookups.
So I need to add an Egress rule which allows access to kube-dns as well.

Is it expected behaviour, and do I need to add this kube-dns policy to every namespace which uses an Egress rule?

Environment:

  • Kubernetes version (use kubectl version): 1.27
  • CNI Version: v1.16.2
  • OS (e.g: cat /etc/os-release): EKS
  • Kernel (e.g. uname -a): EKS

@matrix-root this sounds like a Network Policy question, so moving this issue to https://github.com/aws/aws-network-policy-agent/issues

@matrix-root yes, if your application needs to perform DNS resolution, your egress policy needs to allow DNS requests to reach the kube-dns service.

@matrix-root I've had this same issue with my clusters. I had to explicitly add this policy to every policy that defines an egress policy type:

  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

Yep, if the application needs to reach DNS, you need to allow access in the allow-list. Not all applications need DNS or are permitted to make DNS requests, so this is not a protocol that can be inferred or allowed by default.
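A check a practitioner would want after reading this thread: a small linter that flags NetworkPolicies with the Egress policy type that leave no path to kube-dns on 53/UDP and 53/TCP. This is an added example, not code from the issue or from the aws-network-policy-agent project. Policies are passed as Python dicts (the JSON form of the manifest) so it runs without a YAML library; the function names, the `shop` and `payments` namespaces and the sample policies are constructed for illustration. It generalises the thread's single rule slightly, following the NetworkPolicy API's "empty means all" semantics: a rule with no `to` list or no `ports` list, or an unrestricted `ipBlock`, also counts as reaching DNS.

```python
"""Lint NetworkPolicy objects for the DNS-egress pitfall discussed in this thread.

Added example; not part of the issue thread or the aws-network-policy-agent
project. Policies are plain dicts (the JSON form of the manifest), so no YAML
library is needed. Function names and sample policies are constructed.
"""

# Labels that select the kube-dns pods on a standard EKS cluster (as in the thread's rule).
KUBE_DNS_NAMESPACE = ("kubernetes.io/metadata.name", "kube-system")
KUBE_DNS_POD = ("k8s-app", "kube-dns")
# Both transports are needed: large responses and zone transfers fall back to TCP.
DNS_PORTS = {("UDP", 53), ("TCP", 53)}


def _label_selected(selector, label, absent_means_match):
    """Does a namespaceSelector/podSelector select the given (key, value) label?

    A missing podSelector means "any pod in the selected namespace" (match), while a
    missing namespaceSelector means "the policy's own namespace", which this lint
    treats as not reaching kube-system.
    """
    if selector is None:
        return absent_means_match
    key, value = label
    return selector.get("matchLabels", {}).get(key) == value


def peer_reaches_kube_dns(peer):
    """True if one entry of an egress rule's `to` list can reach the kube-dns pods."""
    ip_block = peer.get("ipBlock")
    if ip_block is not None:
        # Only an unrestricted CIDR is taken as reaching cluster DNS.
        return ip_block.get("cidr") == "0.0.0.0/0" and not ip_block.get("except")
    return (_label_selected(peer.get("namespaceSelector"), KUBE_DNS_NAMESPACE, False)
            and _label_selected(peer.get("podSelector"), KUBE_DNS_POD, True))


def rule_allows_dns(rule):
    """True if a single egress rule permits 53/UDP and 53/TCP to kube-dns."""
    peers = rule.get("to")
    ports = rule.get("ports")
    # API semantics: an empty or missing `to`/`ports` list matches all destinations/ports.
    peer_ok = not peers or any(peer_reaches_kube_dns(p) for p in peers)
    ports_ok = not ports or DNS_PORTS <= {(p.get("protocol", "TCP"), p.get("port")) for p in ports}
    return peer_ok and ports_ok


def dns_egress_status(policy):
    """'unrestricted' if the policy does not restrict egress, else 'dns-allowed' or 'dns-blocked'."""
    spec = policy.get("spec", {})
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        # Kubernetes default: Ingress, plus Egress only when egress rules are present.
        policy_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" not in policy_types:
        return "unrestricted"
    rules = spec.get("egress") or []  # Egress type with no rules denies all egress
    return "dns-allowed" if any(rule_allows_dns(r) for r in rules) else "dns-blocked"


def lint(policies):
    """Map each policy name to its DNS egress status."""
    return {name: dns_egress_status(p) for name, p in policies.items()}


# Constructed samples. ALLOW_DNS_RULE is the rule from the thread as a dict.
ALLOW_DNS_RULE = {
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
    "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
}
WEB_ONLY_RULE = {  # lets the app reach a hypothetical payments service, nothing else
    "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "payments"}}}],
    "ports": [{"port": 443, "protocol": "TCP"}],
}


def make_policy(name, egress_rules):
    """Build a complete NetworkPolicy (namespace 'shop' is a constructed value)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "shop"},
            "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": egress_rules}}


SAMPLES = {
    "broken": make_policy("broken", [WEB_ONLY_RULE]),             # the symptom from the issue
    "fixed": make_policy("fixed", [WEB_ONLY_RULE, ALLOW_DNS_RULE]),
    "deny-all-egress": make_policy("deny-all", []),
}

if __name__ == "__main__":
    for name, status in lint(SAMPLES).items():
        print(f"{name}: {status}")
```

Policies are additive per pod: a pod selected by several policies only needs one of them to open DNS, so treat a `dns-blocked` result as a prompt to look at sibling policies in the namespace rather than as a definite failure. The kube-dns labels match the thread's EKS setup; a cluster that labels CoreDNS differently needs the two label constants adjusted.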