kubernetes/connectivity-check: Whitelist OpenShift DNS

OpenShift DNS is using non-standard labels and non-standard namespace. Signed-off-by: Thomas Graf <thomas@cilium.io>
cilium · Apr 1, 2020 · 2069570 · 2069570
1 parent 4459e83
commit 2069570
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 0 deletions.
diff --git a/examples/kubernetes/connectivity-check/connectivity-check.yaml b/examples/kubernetes/connectivity-check/connectivity-check.yaml
@@ -197,6 +197,14 @@ spec:
     - ports:
       - port: "53"
         protocol: UDP
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -243,6 +251,14 @@ spec:
     - ports:
       - port: "53"
         protocol: UDP
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -438,6 +454,17 @@ spec:
       rules:
         dns:
         - matchPattern: "*"
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
+      rules:
+        dns:
+        - matchPattern: "*"
   - toFQDNs:
     - matchPattern: "*.google.com"
 ---
diff --git a/examples/kubernetes/connectivity-check/pod-to-a-allowed.yaml b/examples/kubernetes/connectivity-check/pod-to-a-allowed.yaml
@@ -48,3 +48,11 @@ spec:
     - ports:
       - port: "53"
         protocol: UDP
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
diff --git a/examples/kubernetes/connectivity-check/pod-to-a-denied.yaml b/examples/kubernetes/connectivity-check/pod-to-a-denied.yaml
@@ -43,3 +43,11 @@ spec:
     - ports:
       - port: "53"
         protocol: UDP
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
diff --git a/examples/kubernetes/connectivity-check/pod-to-external-fqdn-allow-google.yaml b/examples/kubernetes/connectivity-check/pod-to-external-fqdn-allow-google.yaml
@@ -44,5 +44,16 @@ spec:
       rules:
         dns:
         - matchPattern: "*"
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: openshift-dns
+        k8s:dns.operator.openshift.io/daemonset-dns: default
+    toPorts:
+    - ports:
+      - port: "5353"
+        protocol: UDP
+      rules:
+        dns:
+        - matchPattern: "*"
   - toFQDNs:
     - matchPattern: "*.google.com"