Allow TCP port 53 when creating an allow all NetworkPolicy to kube-dn…

…s - to support TCP DNS (#536)
otterize · Dec 15, 2024 · 74bf78e · 74bf78e
1 parent d3f0997
commit 74bf78e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 8 deletions.
diff --git a/...rator/controllers/intents_reconcilers/networkpolicy/builders/dns_egress_network_policy.go b/...rator/controllers/intents_reconcilers/networkpolicy/builders/dns_egress_network_policy.go
@@ -30,6 +30,10 @@ func (r *DNSEgressNetworkPolicyBuilder) buildNetworkPolicyEgressRules(ep effecti
 				Protocol: lo.ToPtr(corev1.ProtocolUDP),
 				Port:     lo.ToPtr(intstr.FromInt32(53)),
 			},
+			{
+				Protocol: lo.ToPtr(corev1.ProtocolTCP),
+				Port:     lo.ToPtr(intstr.FromInt32(53)),
+			},
 		},
 	})
 	return egressRules

diff --git a/.../controllers/intents_reconcilers/networkpolicy/builders/dns_egress_network_policy_test.go b/.../controllers/intents_reconcilers/networkpolicy/builders/dns_egress_network_policy_test.go
@@ -164,6 +164,10 @@ func networkPolicyDNSEgressTemplate(
 							Protocol: lo.ToPtr(corev1.ProtocolUDP),
 							Port:     lo.ToPtr(intstr.FromInt32(53)),
 						},
+						{
+							Protocol: lo.ToPtr(corev1.ProtocolTCP),
+							Port:     lo.ToPtr(intstr.FromInt32(53)),
+						},
 					},
 				},
 			},

diff --git a/...ers/intents_reconcilers/networkpolicy/builders/ingress_dns_server_allow_network_policy.go b/...ers/intents_reconcilers/networkpolicy/builders/ingress_dns_server_allow_network_policy.go
@@ -29,10 +29,16 @@ func (r *IngressDNSServerAutoAllowNetpolBuilder) buildIngressRulesFromServiceEff
 		return ingressRules
 	}
 	ingressRules = append(ingressRules, v1.NetworkPolicyIngressRule{
-		Ports: []v1.NetworkPolicyPort{{
-			Protocol: lo.ToPtr(corev1.ProtocolUDP),
-			Port:     lo.ToPtr(intstr.FromInt32(53)),
-		}},
+		Ports: []v1.NetworkPolicyPort{
+			{
+				Protocol: lo.ToPtr(corev1.ProtocolUDP),
+				Port:     lo.ToPtr(intstr.FromInt32(53)),
+			},
+			{
+				Protocol: lo.ToPtr(corev1.ProtocolTCP),
+				Port:     lo.ToPtr(intstr.FromInt32(53)),
+			},
+		},
 	})
 	return ingressRules
 }

diff --git a/...ntents_reconcilers/networkpolicy/builders/ingress_dns_server_allow_network_policy_test.go b/...ntents_reconcilers/networkpolicy/builders/ingress_dns_server_allow_network_policy_test.go
@@ -104,10 +104,16 @@ func ingressDNSnetworkPolicyIngressTemplate(
 ) *v1.NetworkPolicy {
 	ingressRules := lo.Map(intentsObjNamespaces, func(namespace string, _ int) v1.NetworkPolicyIngressRule {
 		return v1.NetworkPolicyIngressRule{
-			Ports: []v1.NetworkPolicyPort{{
-				Protocol: lo.ToPtr(v12.ProtocolUDP),
-				Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
-			}},
+			Ports: []v1.NetworkPolicyPort{
+				{
+					Protocol: lo.ToPtr(v12.ProtocolUDP),
+					Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
+				},
+				{
+					Protocol: lo.ToPtr(v12.ProtocolTCP),
+					Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
+				},
+			},
 		}
 	})
 	return &v1.NetworkPolicy{