Add and enable two egressAllowRules to ensure DNS access #3179
Conversation
There was a problem hiding this comment.
This is a wonderful, nice investigation :) Thank you for deep diving into all of this. I like the defaults, and the reasoning too.
One thing I'd like added is a reference to dnsPortsCloudMetadataServer in the documentation for blockWithIptables, saying that even when it is true, DNS access is allowed and controlled by dnsPortsCloudMetadataServer. With that, this looks good to me.
|
Thanks for reviewing @yuvipanda, and thanks again to @vizeit who did most of the digging that this is based on! I agree with the idea on your docs update Yuvi! I didn't address it in this PR yet though @yuvipanda. I'd like to do it after we've decided on #3180, so I opened #3184 to ensure its gets addressed. Do you have thoughts on #3180? |
jupyterhub/zero-to-jupyterhub-k8s#3179 Merge pull request #3179 from consideRatio/pr/add-network-rules
My pleasure |
This chart ships with togglable predefined networking rules declared in NetworkPolicy resources that may or may not be enforced in a k8s cluster, and if they are enforced they are enforced by varying projects such as Calico or Cilium.
We have previously had a single rule (
dnsPortsPrivateIPs) to ensure pods have access to a k8s cluster's DNS server, but it seems that this rule isn't enogh in two known situations. This PR is adding two rules (dnsPortsCloudMetadataServeranddnsPortsKubeSystemNamespace) to handle those situations.The new rules are described in the configuration reference, screenshotted below.
This PR is based on insights gathered by @vizeit in #3167 and https://www.vizeit.com/jupyterhub-on-gke-autopilot/, thank you soo much @vizeit for digging into this!!!