Add support for dns name as a field in NetworkPolicyPeer and the application of that #56901
Today NetworkPolicyPeer supports ipBlock, namespaceSelector, and podSelector. This leaves one use case that is fairly common for dns name-based restrictions. I think we should support that by having a way to express peers for both ingress and egress via dns domain name.
Had a chat with @cmluciano, there are two potential issues with supporting DNS name.
DNS whitelisting doesn't require an HTTP proxy if the same agent can see both DNS requests and IP traffic.
In the Kubernetes world that can, for instance, be a kube-proxy acting as DNS interceptor (or as an explicitly configured DNS server via kubelet), which then performs DNS resolution, observes the response and opens iptables rules before passing the response to a pod.
iptables rules should include every A and AAAA record returned in the response and can be implemented using
Implemented like that, it can support DNS whitelisting for arbitrary protocols, not only TCP.
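To make the interceptor idea above concrete, here is an added example (not code from this issue or from Kubernetes) of the core step: parse a DNS response in wire format, pull out every A and AAAA record in the answer section, and turn them into per-destination iptables/ip6tables ACCEPT rules only when the queried name is on the policy's allow-list. The response bytes are constructed inline (a real resolver returns A and AAAA in separate responses; they are merged into one here to keep the sample short), and the chain name `POD-DNS-EGRESS` is a hypothetical per-pod chain. Because the rules are keyed on the returned addresses rather than on ports, the same approach covers any IP protocol, as the comment notes.

```python
import ipaddress
import struct

TYPE_A = 1
TYPE_AAAA = 28


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    end = None          # offset just past the name in the original stream
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 64:                    # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data: bytes):
    """Return (question name, [(owner, 'A'|'AAAA', ttl, ip), ...]) for a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    qname = ""
    for _ in range(qdcount):
        qname, offset = _read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    if flags & 0x000F:                       # non-zero RCODE (e.g. NXDOMAIN): nothing to open
        return qname, []
    records = []
    for _ in range(ancount):
        owner, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_A and rdlength == 4:
            records.append((owner, "A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == TYPE_AAAA and rdlength == 16:
            records.append((owner, "AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
    return records and (qname, records) or (qname, [])


def egress_rules(qname, records, allowed_names, chain="POD-DNS-EGRESS"):
    """Emit ACCEPT rules for every returned address, but only if the queried
    name is allowed by policy. The TTL is recorded so the rule can be expired."""
    if qname.lower() not in {n.lower() for n in allowed_names}:
        return []
    cmds = []
    for owner, rtype, ttl, ip in records:
        tool = "iptables" if rtype == "A" else "ip6tables"
        cmds.append(f"{tool} -A {chain} -d {ip} -m comment "
                    f"--comment '{owner} ttl={ttl}' -j ACCEPT")
    return cmds


def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


# Constructed sample response: example.com with two A records and one AAAA record.
# 0xc00c is a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    + _name("example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([93, 184, 216, 35])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16)
    + ipaddress.IPv6Address("2606:2800:220:1:248:1893:25c8:1946").packed
)

# Constructed NXDOMAIN response (RCODE 3) for a name that is not on the allow-list.
NXDOMAIN_RESPONSE = (
    struct.pack("!6H", 0x1235, 0x8183, 1, 0, 0, 0)
    + _name("nope.example") + struct.pack("!HH", TYPE_A, 1)
)

if __name__ == "__main__":
    qname, recs = parse_response(SAMPLE_RESPONSE)
    for cmd in egress_rules(qname, recs, {"example.com"}):
        print(cmd)
```

In a real interceptor the rules would also need to be removed when the TTL expires and re-added on the next resolution; the parser deliberately ignores the authority and additional sections so that only addresses the resolver actually answered with are opened.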