Closed matrix-root closed 5 months ago
@matrix-root this sounds like a Network Policy question, so moving this issue to https://github.com/aws/aws-network-policy-agent/issues
@matrix-root yes, if your application needs to perform DNS resolution, your egress policy needs to allow DNS requests to reach the kube-dns service
@matrix-root I've had this same issue with my clusters. I had to explicitly add this policy to every policy that defines an egress policy type:

```yaml
egress:
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
```
Yep, if the application needs to reach DNS, you need to allow access in the allow-list. Not all applications need DNS or are permitted to make DNS requests, so this is not a protocol that can be inferred or allowed by default.
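The rule stated in the replies above (any policy that restricts egress must also let the selected pods reach kube-dns on 53/UDP and 53/TCP, or name resolution breaks) can be checked mechanically before a policy is applied. The checker below is an added example written for this page; it is not code from the issue thread, from Kubernetes, or from the aws-network-policy-agent project. It assumes manifests have already been loaded into plain dicts (for instance with `yaml.safe_load`), recognises kube-dns only through the label-based peer shown in the thread (`kubernetes.io/metadata.name: kube-system` plus `k8s-app: kube-dns`), ignores `ipBlock` peers, and treats a namespace-wide policy (`podSelector: {}`) that grants DNS as covering every other egress policy in that namespace, which is sufficient because NetworkPolicies are additive. The sample policies at the bottom are constructed for the example.

```python
"""Lint NetworkPolicy manifests for egress policies that would break DNS.

Added example, not from the issue or the aws-network-policy-agent project.
Assumes manifests are dicts (e.g. yaml.safe_load output); ipBlock peers are
not evaluated; kube-dns is recognised by the labels used in the thread.
"""

DNS_PORTS = {("UDP", 53), ("TCP", 53)}


def restricts_egress(policy):
    """Kubernetes semantics: explicit policyTypes wins; otherwise Egress is
    implied only when the spec carries an 'egress' key."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    return "Egress" in types if types is not None else "egress" in spec


def ports_allow_dns(ports):
    """Missing/empty 'ports' means every port. Otherwise both 53/UDP and
    53/TCP must be covered (TCP is used for truncated responses)."""
    if not ports:
        return True
    covered = set()
    for p in ports:
        proto = p.get("protocol", "TCP")  # NetworkPolicy default is TCP
        port = p.get("port")
        if isinstance(port, int) and port <= 53 <= p.get("endPort", port):
            covered.add((proto, 53))
    return DNS_PORTS <= covered  # named ports are not resolved here


def peer_reaches_kube_dns(peer):
    """True if a 'to' peer selects kube-dns pods in kube-system.
    A podSelector-only peer stays in the policy's own namespace."""
    ns = peer.get("namespaceSelector")
    if ns is None:
        return False
    if ns != {} and ns.get("matchLabels", {}).get(
            "kubernetes.io/metadata.name") != "kube-system":
        return False
    pod = peer.get("podSelector")
    if not pod:
        return True  # every pod in the namespace, kube-dns included
    return pod.get("matchLabels", {}).get("k8s-app") == "kube-dns"


def grants_dns(policy):
    """True if this policy itself allows its pods to reach kube-dns."""
    if not restricts_egress(policy):
        return False
    for rule in policy.get("spec", {}).get("egress") or []:
        to = rule.get("to")
        reachable = not to or any(peer_reaches_kube_dns(p) for p in to)
        if reachable and ports_allow_dns(rule.get("ports")):
            return True
    return False


def lint(policies):
    """Return 'namespace/name' of egress policies whose pods lose DNS."""
    by_ns = {}
    for p in policies:
        by_ns.setdefault(p["metadata"].get("namespace", "default"), []).append(p)
    broken = []
    for ns, group in by_ns.items():
        ns_wide = any(p["spec"].get("podSelector", {}) == {} and grants_dns(p)
                      for p in group)
        for p in group:
            if restricts_egress(p) and not grants_dns(p) and not ns_wide:
                broken.append(f"{ns}/{p['metadata']['name']}")
    return broken


def kube_dns_peer():
    """The 'to' entry from the thread, as a dict."""
    return {"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "kube-system"}},
            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}


DNS_RULE = {"to": [kube_dns_peer()],
            "ports": [{"port": 53, "protocol": "UDP"},
                      {"port": 53, "protocol": "TCP"}]}
API_RULE = {"to": [{"podSelector": {"matchLabels": {"app": "api"}}}],
            "ports": [{"port": 443, "protocol": "TCP"}]}

SAMPLE_POLICIES = [  # constructed for this example
    {"metadata": {"name": "app-egress", "namespace": "prod"},           # breaks DNS
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Egress"], "egress": [API_RULE]}},
    {"metadata": {"name": "app-egress-with-dns", "namespace": "prod"},  # fixed
     "spec": {"podSelector": {"matchLabels": {"app": "worker"}},
              "policyTypes": ["Egress"], "egress": [API_RULE, DNS_RULE]}},
    {"metadata": {"name": "app-egress", "namespace": "staging"},        # covered below
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Egress"], "egress": [API_RULE]}},
    {"metadata": {"name": "allow-dns", "namespace": "staging"},         # namespace-wide
     "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [DNS_RULE]}},
    {"metadata": {"name": "default-deny", "namespace": "dev"},          # no egress at all
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

if __name__ == "__main__":
    for name in lint(SAMPLE_POLICIES):
        print(f"{name}: egress restricted but kube-dns 53/UDP+TCP not allowed")
```

The `staging` pair shows the alternative to repeating the rule in every policy: one `allow-dns` policy with `podSelector: {}` per namespace is enough, since the union of all policies selecting a pod decides what it may reach. The `dev/default-deny` case is the one most often missed: a policy with `Egress` in `policyTypes` and no `egress` list denies all egress, DNS included.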
What happened:
I want to define an Egress policy for my namespace. However, if I add it, the pod is unable to do DNS resolution, so I need to add an Egress rule which allows access to kube-dns as well. Is it expected behaviour, and do I need to add this kube-dns policy to every namespace which uses an Egress rule?

Environment:
- `kubectl version`: 1.27
- `cat /etc/os-release`: EKS
- `uname -a`: EKS