From 0b4bebcefe21df938ac71c4efe8e60cd079f1f8d Mon Sep 17 00:00:00 2001
From: eminaktas
Date: Thu, 28 Jul 2022 15:02:50 +0300
Subject: [PATCH] fix(connectivity): Add node-local-dns entitiy match for local ip usage case
Signed-off-by: eminaktas
---
 .gitignore | 1 +
 .../allow-all-except-world-pre-v1.11.yaml | 10 +++++++++
 .../manifests/allow-all-except-world.yaml | 14 +++++++++++-
 .../manifests/client-egress-only-dns.yaml | 22 +++++++++++--------
 .../manifests/client-egress-to-echo.yaml | 12 +++++++++-
 .../client-egress-to-entities-world.yaml | 12 +++++++++-
 ...lient-egress-to-fqdns-one-one-one-one.yaml | 12 +++++++++-
 7 files changed, 70 insertions(+), 13 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6ff6c873a3..bfd36c6d13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ cilium-sysdump-*.zip
 # Editor metas
 .vscode/
+.idea/
diff --git a/connectivity/manifests/allow-all-except-world-pre-v1.11.yaml b/connectivity/manifests/allow-all-except-world-pre-v1.11.yaml
index c1522ff5f5..d090c8de56 100644
--- a/connectivity/manifests/allow-all-except-world-pre-v1.11.yaml
+++ b/connectivity/manifests/allow-all-except-world-pre-v1.11.yaml
@@ -13,6 +13,16 @@ spec:
 - health
 - toEndpoints:
 - {}
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
 ingress:
 - fromEntities:
 - host
diff --git a/connectivity/manifests/allow-all-except-world.yaml b/connectivity/manifests/allow-all-except-world.yaml
index 2e511d22b3..27a375ff71 100644
--- a/connectivity/manifests/allow-all-except-world.yaml
+++ b/connectivity/manifests/allow-all-except-world.yaml
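Review bot: The egress rule added at the end of the allow-all-except-world-pre-v1.11 hunk permits UDP/53 to the entire `world` entity, which widens a policy whose name promises "except world" to any external resolver, not just the node-local-dns listen address the comment is about. If that address is fixed per deployment, a `toCIDR` entry for the node-local-dns bind address (a deployment-specific value, to be filled in from the cluster) would keep the exception to that one host; if it must stay `toEntities: world`, the comment should state the real scope, e.g. `# NOTE: this permits UDP/53 to any world destination, not only the local node-local-dns address.` The same rule and comment are duplicated in the five other manifests of this patch, so whichever form is chosen should be applied to all of them.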
@@ -13,7 +13,19 @@ spec:
 - health
 - kube-apiserver
 - toEndpoints:
- - {}
+ - matchExpressions:
+ - { key: 'k8s-app', operator: In, values: [ "node-local-dns", "nodelocaldns" ] }
+ - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
 ingress:
 - fromEntities:
 - host
diff --git a/connectivity/manifests/client-egress-only-dns.yaml b/connectivity/manifests/client-egress-only-dns.yaml
index 67e08ed1c1..32e4acc534 100644
--- a/connectivity/manifests/client-egress-only-dns.yaml
+++ b/connectivity/manifests/client-egress-only-dns.yaml
@@ -15,12 +15,16 @@ spec:
 dns:
 - matchPattern: "*"
 toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- - matchLabels:
- io.kubernetes.pod.namespace: kube-system
- k8s-app: coredns
- - matchLabels:
- io.kubernetes.pod.namespace: kube-system
- k8s-app: node-local-dns
+ - matchExpressions:
+ - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns", "nodelocaldns" ] }
+ - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
diff --git a/connectivity/manifests/client-egress-to-echo.yaml b/connectivity/manifests/client-egress-to-echo.yaml
index 27efd78333..2b1f9f1e48 100644
--- a/connectivity/manifests/client-egress-to-echo.yaml
+++ b/connectivity/manifests/client-egress-to-echo.yaml
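Review bot: In the allow-all-except-world hunk, replacing `- {}` under `toEndpoints` with a node-local-dns selector narrows that rule from every endpoint to only node-local-dns pods in kube-system, while the pre-v1.11 variant in the same patch keeps `- {}`, so the two manifests no longer express the same policy. Whether this is harmless depends on the preceding `toEntities` list, which begins outside the hunk: if it does not already contain `cluster`, in-cluster egress from the client is no longer allowed by this policy even though its name says allow-all. Either keep `- {}` next to the new selector, or, if all-endpoint egress is covered elsewhere, say so where the selector is introduced, e.g. `# in-cluster endpoints are already allowed by the entities above; this selector only adds node-local-dns`.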
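Review bot: In the client-egress-only-dns hunk, the existing DNS rule goes through the DNS proxy (`rules: dns: - matchPattern: "*"` is visible in the context), but the new `toEntities: world` rule at the bottom carries no `rules` block, so DNS sent to a world-classified node-local-dns address is allowed at L3/L4 only and never reaches the proxy. For a policy named client-egress-only-dns that is a loss of visibility, and the two rules should match; adding `rules:` / `dns:` / `- matchPattern: "*"` under the new `ports` entry keeps the proxy in the path. The same omission is present in the client-egress-to-echo, client-egress-to-entities-world and client-egress-to-fqdns-one-one-one-one hunks, which copy the same block.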
@@ -21,5 +21,15 @@ spec:
 protocol: ANY
 toEndpoints:
 - matchExpressions:
- - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns" ] }
+ - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns", "nodelocaldns" ] }
 - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
diff --git a/connectivity/manifests/client-egress-to-entities-world.yaml b/connectivity/manifests/client-egress-to-entities-world.yaml
index b2a9e089c4..cb0d0d2221 100644
--- a/connectivity/manifests/client-egress-to-entities-world.yaml
+++ b/connectivity/manifests/client-egress-to-entities-world.yaml
@@ -15,9 +15,19 @@ spec:
 protocol: TCP
 - toEndpoints:
 - matchExpressions:
- - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns" ] }
+ - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns", "nodelocaldns" ] }
 - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
 toPorts:
 - ports:
 - port: "53"
 protocol: ANY
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
diff --git a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
index 4471c31011..ed0d078863 100644
--- a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
+++ b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
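Review bot: In the client-egress-to-entities-world hunk the new world rule is limited to `protocol: UDP`, whereas the existing DNS rule to the kube-dns endpoints a few lines above uses `protocol: ANY`; a truncated answer that the client retries over TCP would be dropped by this policy whenever node-local-dns is reached through the world-classified address. UDP-only is the tighter choice, so if it is deliberate a short comment would make that clear, e.g. `# UDP only: DNS-over-TCP retries to the world-classified resolver are intentionally not allowed`; otherwise `protocol: ANY` would match the rule above. The client-egress-to-echo hunk on this line has the same mismatch, its context also showing `protocol: ANY` for the existing rule.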
@@ -26,5 +26,15 @@ spec:
 - matchPattern: "*"
 toEndpoints:
 - matchExpressions:
- - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns" ] }
+ - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns", "nodelocaldns" ] }
 - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity
+ # test for such environments.
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ toEntities:
+ - world
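Review bot: In a toFQDNs policy the IPs behind a name are learned from DNS answers that pass through Cilium's DNS proxy, and the proxy only engages on rules that carry an L7 `rules: dns` block; the new `toEntities: world` rule at the end of this hunk has none, so when the client resolves through a world-classified node-local-dns address the lookup is allowed but, as far as this hunk shows, the answer is not observed and the following connection to one.one.one.one may still be denied. This is hedged because the toFQDNs part of the policy starts outside the hunk. Adding `rules:` / `dns:` / `- matchPattern: "*"` under the new `ports` entry, mirroring the `matchPattern: "*"` visible at the top of the hunk, keeps the proxy in the path for both resolver locations.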