Egress rules: unable to resolve DNS
matrix-root opened this issue
What happened:
I want to define an Egress policy for my namespace. However, if I add it, the pod is unable to perform DNS resolution.
So I need to add an Egress rule which allows access to kube-dns as well.
Is it expected behaviour, and do I need to add this kube-dns policy to every namespace which uses an Egress rule?
Environment:
- Kubernetes version (use `kubectl version`): 1.27
- CNI Version: v1.16.2
- OS (e.g: `cat /etc/os-release`): EKS
- Kernel (e.g. `uname -a`): EKS
@matrix-root this sounds like a Network Policy question, so moving this issue to https://github.com/aws/aws-network-policy-agent/issues
@matrix-root yes, if your application needs to perform DNS resolution, your egress policy needs to allow DNS requests to reach the kube-dns service
@matrix-root I've had this same issue with my clusters. I had to explicitly add this policy to every policy that defines an egress policy type:
```yaml
egress:
  # allow DNS lookups to the kube-dns pods in kube-system (UDP and TCP 53)
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
```
Yep, if the application needs to reach DNS, you need to allow access in the allow-list. Not all applications need DNS or are permitted to make DNS requests, so this is not a protocol that can be inferred or allowed by default.
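A complete version of the fix discussed in this thread, as an added example that is not code from the issue, from the Network Policy agent, or from its maintainers: it builds an egress NetworkPolicy that carries the kube-dns rule alongside the application's own egress rules, and includes a small pre-apply check that flags a policy which restricts egress but leaves no path to kube-dns on UDP and TCP 53 (the exact mistake reported above). The namespace `shop`, the label `app: api` and the 10.0.0.0/8 destination are constructed values.

```python
"""Build an egress NetworkPolicy that keeps DNS working, and lint a policy
for the missing-DNS-rule mistake.  Added example, not project code; the
namespace, app label and CIDR below are constructed."""
import json

# DNS needs both UDP and TCP 53 (TCP is used for large responses / retries).
DNS_PORTS = {("UDP", 53), ("TCP", 53)}


def dns_egress_rule():
    """Egress rule allowing DNS to the kube-dns pods in kube-system."""
    return {
        "to": [{
            "namespaceSelector": {
                "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
        }],
        "ports": [{"port": 53, "protocol": "UDP"},
                  {"port": 53, "protocol": "TCP"}],
    }


def egress_policy(namespace, app_label, app_rules):
    """Egress-only policy for pods labelled app=<app_label>: DNS plus app rules."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{app_label}-egress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app_label}},
            "policyTypes": ["Egress"],
            "egress": [dns_egress_rule()] + list(app_rules),
        },
    }


def _rule_reaches_kube_dns(rule):
    """True if the rule's peers include the kube-dns pods.

    An empty or missing 'to' matches every destination.  ipBlock peers are
    treated conservatively as not covering kube-dns."""
    peers = rule.get("to")
    if not peers:
        return True
    for peer in peers:
        ns = peer.get("namespaceSelector", {}).get("matchLabels", {})
        if ns.get("kubernetes.io/metadata.name") != "kube-system":
            continue  # a bare podSelector only reaches the policy's own namespace
        pod = peer.get("podSelector")
        if pod is None or pod.get("matchLabels", {}).get("k8s-app") == "kube-dns":
            return True
    return False


def _rule_dns_ports(rule):
    """DNS (protocol, port) pairs this rule opens; no 'ports' means all ports."""
    ports = rule.get("ports")
    if ports is None:
        return set(DNS_PORTS)
    # NetworkPolicy defaults protocol to TCP when it is omitted.
    return {(p.get("protocol", "TCP"), p.get("port")) for p in ports} & DNS_PORTS


def dns_allowed(policy):
    """True if the policy does not restrict egress, or allows UDP+TCP 53 to kube-dns."""
    spec = policy["spec"]
    types = spec.get("policyTypes")
    if types is None:
        # API default: Egress is in effect only if an egress section is present.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" not in types:
        return True
    covered = set()
    for rule in spec.get("egress", []):
        if _rule_reaches_kube_dns(rule):
            covered |= _rule_dns_ports(rule)
    return covered == DNS_PORTS


if __name__ == "__main__":
    # Constructed app rule: HTTPS to an internal range.
    https_rule = {"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
                  "ports": [{"port": 443, "protocol": "TCP"}]}
    policy = egress_policy("shop", "api", [https_rule])
    assert dns_allowed(policy), "refusing to emit a policy that breaks DNS"
    # JSON is valid input for `kubectl apply -f -`.
    print(json.dumps(policy, indent=2))
```

Run it and pipe the output to `kubectl apply -f -`; the `dns_allowed` check is the useful part to keep in a CI step, since it catches the thread's failure mode (an `Egress` policy type with only application rules) before the policy reaches the cluster.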