aws / aws-network-policy-agent

Apache License 2.0

Egress rules: unable to resolve DNS #230

Closed matrix-root closed 5 months ago

matrix-root commented 5 months ago

What happened:

I want to define an Egress policy for my namespace. However, if I add it, the pod is unable to perform DNS resolution, so I need to add an Egress rule which allows access to kube-dns as well.

Is this expected behaviour, and do I need to add this kube-dns policy to every namespace which uses an Egress rule?

Environment:

jdn5126 commented 5 months ago

@matrix-root this sounds like a Network Policy question, so moving this issue to https://github.com/aws/aws-network-policy-agent/issues

jdn5126 commented 5 months ago

@matrix-root yes, if your application needs to perform DNS resolution, your egress policy needs to allow DNS requests to reach the kube-dns service

Pacobart commented 5 months ago

@matrix-root I've had this same issue with my clusters. I had to explicitly add this policy to every policy that defines an egress policy type:

  egress:
    - to:
      # kube-dns pods live in kube-system; select them by namespace and pod label
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        # DNS uses UDP, with TCP fallback for responses too large for a UDP datagram
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

jdn5126 commented 5 months ago

Yep, if the application needs to reach DNS, you need to allow access in the allow-list. Not all applications need DNS or are permitted to make DNS requests, so this is not a protocol that can be inferred or allowed by default.
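A check for the situation discussed in this thread, added here as an example (not code from aws-network-policy-agent or from either commenter): given a NetworkPolicy as a Python dict (the shape you get from its JSON form), it reports whether a policy that restricts egress still lets port 53 reach kube-dns in kube-system. The kube-dns namespace and `k8s-app: kube-dns` label are assumed defaults, and the two sample policies are constructed, one without and one with the rule Pacobart posted.

```python
# Constructed example (not code from aws-network-policy-agent): flag a NetworkPolicy
# that restricts egress but never allows port 53 to reach kube-dns.
KUBE_DNS_NS, KUBE_DNS_LABELS = "kube-system", {"k8s-app": "kube-dns"}  # assumed defaults

def _matches(selector, labels):  # matchLabels only; a missing/empty selector matches all
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def _reaches_kube_dns(peers, policy_ns):  # an absent 'to' list means any destination
    if peers is None:
        return True
    for peer in peers:
        if "ipBlock" in peer:
            continue  # CIDR peers are not mapped to pods here; selectors only
        ns_sel = peer.get("namespaceSelector")  # absent: only the policy's own namespace
        in_ns = (policy_ns == KUBE_DNS_NS if ns_sel is None else
                 _matches(ns_sel, {"kubernetes.io/metadata.name": KUBE_DNS_NS}))
        if in_ns and _matches(peer.get("podSelector"), KUBE_DNS_LABELS):
            return True
    return False

def dns_protocols_allowed(policy):
    """Protocols on which port 53 may reach kube-dns; None if egress is unrestricted."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" not in types:
        return None
    ns = policy.get("metadata", {}).get("namespace", "default")
    allowed = set()
    for rule in spec.get("egress", []):  # [] with policyType Egress is deny-all egress
        if not _reaches_kube_dns(rule.get("to"), ns):
            continue
        ports = rule.get("ports")
        if ports is None:
            return {"UDP", "TCP"}  # this rule has no port restriction
        allowed |= {p.get("protocol", "TCP") for p in ports if p.get("port") == 53}
    return allowed

def lint_dns_egress(policy):  # 'ok', or a finding when egress blocks DNS to kube-dns
    protos = dns_protocols_allowed(policy)
    return "ok" if protos is None or "UDP" in protos else "DNS egress to kube-dns missing"

# Constructed samples: the reporter's policy (egress to one CIDR only) and the same
# policy with the kube-dns rule posted in this thread appended.
DNS_RULE = {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]}
BROKEN = {"metadata": {"namespace": "app"}, "spec": {"podSelector": {}, "policyTypes": ["Egress"],
          "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]}}
FIXED = {"metadata": {"namespace": "app"}, "spec": {"podSelector": {}, "policyTypes": ["Egress"],
         "egress": BROKEN["spec"]["egress"] + [DNS_RULE]}}
```

Running `lint_dns_egress` over every policy in a namespace before applying it catches the missing-DNS case the reporter hit, including policies that omit `policyTypes` but carry an `egress` section.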