[v1.42] Support Canonical k8s DNS pod labels in network policies #4652

Merged
rene-dekker merged 2 commits into tigera:release-v1.42 from rene-dekker:auto-pick-of-#4502-origin-release-v1.42
Apr 8, 2026

@rene-dekker
Member

Cherry-pick history

Summary

  • Canonical Kubernetes labels DNS pods as k8s-app=coredns instead of the standard k8s-app=kube-dns. This causes operator-managed network policies to block DNS traffic on Canonical clusters.
  • Updated all Calico network policy selectors to use an OR expression: k8s-app == 'kube-dns' || k8s-app == 'coredns'
  • Updated the k8s NetworkPolicy DNS rule to use MatchExpressions with In operator for both values
  • Added a second service selector rule for the coredns service name in AppendServiceSelectorDNSEgressRules
  • Updated the tiers cluster DNS policy selector to match both labels

Test plan

  • All pkg/render/... unit test suites pass
  • Verify on a Canonical k8s cluster that DNS egress is allowed
  • Verify on a standard k8s cluster that DNS egress is still allowed
Added label selector for networkpolicies selecting coredns on Canonical Kubernetes clusters.
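
The selector change described in the summary above, written out as manifests. This is an added example, not part of the pull request or the operator's rendered policies; the policy name, the `example-app` namespace, the `kube-system` namespace label and port 53 are assumptions.

```yaml
# Kubernetes NetworkPolicy form: matchExpressions with the In operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress-example        # hypothetical name
  namespace: example-app                # hypothetical namespace
spec:
  podSelector: {}                       # applies to every pod in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumption: DNS pods run here
          podSelector:
            # Before: matchLabels {k8s-app: kube-dns} selected only the standard
            # label, so egress to pods labeled k8s-app=coredns was not allowed.
            matchExpressions:
              - key: k8s-app
                operator: In
                values:
                  - kube-dns
                  - coredns
      ports:                            # assumption: DNS pods listen on 53
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Calico NetworkPolicy form: the OR expression quoted in the summary.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-dns-egress-example        # hypothetical name
  namespace: example-app                # hypothetical namespace
spec:
  selector: all()
  types:
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        # Before: k8s-app == 'kube-dns'
        selector: k8s-app == 'kube-dns' || k8s-app == 'coredns'
        ports:
          - 53
```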

rene-dekker and others added 2 commits April 7, 2026 15:42
Canonical Kubernetes uses the label k8s-app=coredns instead of
k8s-app=kube-dns for DNS pods. Update all network policy selectors
to match either label so policies work on both distributions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@rene-dekker
Member Author

/merge-when-ready

@marvin-tigera
Contributor

OK, I will merge the pull request when it's ready, leave the commits as is when I merge it, and leave the branch after I've merged it.

@rene-dekker rene-dekker merged commit 845e292 into tigera:release-v1.42 Apr 8, 2026
4 of 5 checks passed
@rene-dekker rene-dekker deleted the auto-pick-of-#4502-origin-release-v1.42 branch April 8, 2026 15:56