From 2caab4c9d6c251976e3634701c70649ebab98348 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Wed, 12 Nov 2025 08:30:20 -0500
Subject: [PATCH] fix(dns): Allow external-dns in network policy

The network policy assigned to the etcd service should allow both coredns and external-dns services.

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
.../dns/coredns/etcd/network-policy.yaml | 49 +++++++++++--------
1 file changed, 28 insertions(+), 21 deletions(-)

diff --git a/kustomize/dns/coredns/etcd/network-policy.yaml b/kustomize/dns/coredns/etcd/network-policy.yaml
index 839c3b12..5ba43185 100644
--- a/kustomize/dns/coredns/etcd/network-policy.yaml
+++ b/kustomize/dns/coredns/etcd/network-policy.yaml
@@ -18,37 +18,44 @@ spec:
matchLabels:
app: etcd
ports:
- - protocol: TCP
- port: 2380
- # Allow client connections from CoreDNS
+ - port: 2380
+ protocol: TCP
+ # Allow CoreDNS to connect to etcd client endpoint
- from:
- podSelector:
matchLabels:
- app: coredns
+ app.kubernetes.io/name: coredns
ports:
- - protocol: TCP
- port: 2379
+ - port: 2379
+ protocol: TCP
+ # Allow external-dns to connect to etcd client endpoint
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: external-dns
+ ports:
+ - port: 2379
+ protocol: TCP
egress:
# Allow DNS resolution
- - to: []
- ports:
- - protocol: UDP
- port: 53
- - protocol: TCP
- port: 53
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
# Allow etcd peer communication
- - to:
+ - ports:
+ - port: 2380
+ protocol: TCP
+ to:
- podSelector:
matchLabels:
app: etcd
- ports:
- - protocol: TCP
- port: 2380
- # Allow client connections to other etcd instances
- - to:
+ # Allow etcd client communication (for cluster operations)
+ - ports:
+ - port: 2379
+ protocol: TCP
+ to:
- podSelector:
matchLabels:
app: etcd
- ports:
- - protocol: TCP
- port: 2379
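Review bot: The new external-dns ingress rule is a bare `podSelector` with no `namespaceSelector`, which in a NetworkPolicy only matches pods in the policy's own namespace; if external-dns is deployed in a different namespace (common, though the `kustomize/dns/coredns/etcd` path suggests it may be co-located), the rule matches nothing and its connections to 2379 stay blocked without any visible error. Confirm the namespace and, if it differs, add a `namespaceSelector` to that `from` entry; also confirm the external-dns pods actually carry `app.kubernetes.io/name: external-dns`, since the commit switches the CoreDNS selector to that same label key and a mismatch on either selector fails closed rather than loudly. Because both rules grant identical access to port 2379, consider folding them into a single ingress rule with two `from` peers and one `- port: 2379` entry, so the allowed-client list is one place to audit. A comment such as `# podSelector without namespaceSelector only matches pods in this namespace` above the external-dns `from:` would record that assumption for the next reader.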