Skip to content

Fix DNS network policy for NodeLocal DNSCache#88

Merged
tillrohrmann merged 1 commit intorestatedev:mainfrom
tillrohrmann:issues/54
Feb 5, 2026
Merged

Fix DNS network policy for NodeLocal DNSCache#88
tillrohrmann merged 1 commit intorestatedev:mainfrom
tillrohrmann:issues/54

Conversation

@tillrohrmann
Copy link
Contributor

@tillrohrmann tillrohrmann commented Feb 5, 2026

Summary

  • Add support for NodeLocal DNSCache (169.254.20.10) in the DNS egress network policy
  • Fix DNS resolution issues on GKE Autopilot and other Kubernetes environments that use node-local DNS caching
  • Add troubleshooting documentation to README

Changes

  1. Network Policy Updated (src/controllers/restatecluster/reconcilers/network_policies.rs):

    • Renamed policy from allow-egress-to-kube-dns to allow-egress-to-dns
    • Added support for NodeLocal DNSCache IP 169.254.20.10/32
    • Added migration logic to clean up the old policy name

  2. Documentation Added (README.md):

    • Added Troubleshooting section explaining DNS resolution issues
    • Documented workarounds: custom egress rules and disabling network policies
    • Added security warning for disabling network policies

Root Cause

The previous DNS network policy only allowed traffic to kube-dns pods via label selector. On GKE Autopilot (and other clusters with NodeLocal DNSCache enabled), DNS queries go to 169.254.20.10 instead, which was blocked.

Testing

  • Code compiles successfully
  • Passes cargo clippy and cargo fmt

Fixes #54

@tillrohrmann
Fix DNS network policy for NodeLocal DNSCache (restatedev#54)
36786e3 
Add support for NodeLocal DNSCache (169.254.20.10) in the DNS egress
network policy. This fixes DNS resolution issues on GKE Autopilot and
other Kubernetes environments that use node-local DNS caching.

Changes:
- Rename policy from allow-egress-to-kube-dns to allow-egress-to-dns
- Add NodeLocal DNSCache IP (169.254.20.10/32) as allowed DNS target
- Add migration logic to clean up old policy name
- Add Troubleshooting section to README with DNS resolution guidance

Fixes restatedev#54
@tillrohrmann tillrohrmann merged commit ff51799 into restatedev:main Feb 5, 2026
2 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Feb 5, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@jackkleeman jackkleeman jackkleeman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Minimal RestateCluster not starting on GKE Autopilot

2 participants

@tillrohrmann @jackkleeman