Skip to content

NE-1476: Added network policies for DNS #458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rfredette wants to merge 3 commits into
base: master
Choose a base branch
from
Open

NE-1476: Added network policies for DNS #458

rfredette wants to merge 3 commits into from

Conversation

@rfredette
Copy link
Contributor

@rfredette rfredette commented Jan 21, 2026

Taking over from #443 from @knobunc. Original description:

Added the framework for network policies for DNS for the operator and the dns pods.

The operator has a deny all network policy that for the openshift-dns-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-dns namespace.

Then for each dns that it manages it installs an allow policy for ingress for dns traffic and metrics.

It has to allow ingress from the dns pods to any IP because we allow configuration to set the upstream server and port, so any valid IP and port needs to be allowed.

It also needs access to the api server, but that is covered by the wildcard allow policy.

https://issues.redhat.com/browse/NE-1476

knobunc and others added 3 commits August 11, 2025 12:14
@knobunc
NE-1476 - Added network policies for DNS
fb1a7b4 
Added the framework for network policies for DNS for the operator and
the dns pods.

The operator has a deny all network policy that for the
openshift-dns-operator namespace and an allow policy for egress to the
apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-dns
namespace.

Then for each dns that it manages it installs an allow policy for
ingress for dns traffic and metrics.

It has to allow ingress from the dns pods to any IP because we allow
configuration to set the upstream server and port, so any valid IP and
port needs to be allowed.

It also needs access to the api server, but that is covered by the
wildcard allow policy.

https://issues.redhat.com/browse/NE-1476
@knobunc
Updated with review suggestions
333c04b
@rfredette
Address review comments
3964cc9
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 21, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 21, 2026
edited by openshift-ci bot
Loading

@rfredette: This pull request references NE-1476 which is a valid jira issue.

Details

In response to this:

Taking over from #443 from @knobunc. Original description:

Added the framework for network policies for DNS for the operator and the dns pods.

The operator has a deny all network policy that for the openshift-dns-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.

The operator installs a deny all network policy for the openshift-dns namespace.

Then for each dns that it manages it installs an allow policy for ingress for dns traffic and metrics.

It has to allow ingress from the dns pods to any IP because we allow configuration to set the upstream server and port, so any valid IP and port needs to be allowed.

It also needs access to the api server, but that is covered by the wildcard allow policy.

https://issues.redhat.com/browse/NE-1476

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from knobunc and rikatz January 21, 2026 19:40
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alebedev87 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 21, 2026

@rfredette: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-serial-2of2 3964cc9 link true /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-aws-ovn-operator 3964cc9 link true /test e2e-aws-ovn-operator
ci/prow/e2e-aws-ovn-serial-1of2 3964cc9 link true /test e2e-aws-ovn-serial-1of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knobunc knobunc Awaiting requested review from knobunc

@rikatz rikatz Awaiting requested review from rikatz

Assignees

No one assigned

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rfredette @openshift-ci-robot @knobunc