cilium: CiliumNetworkPolicy FQDN egress not working
Is there an existing issue for this?
- I have searched the existing issues
What happened?
I was trying to implement the FQDN feature of CiliumNetworkPolicy but it’s not working for some reason. I tried many things but for the sake of reproduction, let’s use the blog from cilium team directly.
Reproduction steps
1. Create a kind cluster:

```shell
curl -LO https://raw.githubusercontent.com/cilium/cilium/1.12.5/Documentation/gettingstarted/kind-config.yaml
kind create cluster --config=kind-config.yaml
```

2. Create deployments & services:

```shell
kubectl create ns empire
kubectl apply -n empire -f https://raw.githubusercontent.com/cilium/cilium/v1.2.2/examples/minikube/http-sw-app.yaml
```

3. Apply a Cilium network policy allowing DNS resolution:

```shell
cat <<EOF | kubectl apply -n empire -f -
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-within-namespace"
specs:
  - endpointSelector:
      matchLabels: {}
    egress:
      - toEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": empire
    ingress:
      - fromEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": empire
  - endpointSelector:
      matchLabels: {}
    egress:
      - toEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": kube-system
              "k8s:k8s-app": kube-dns
EOF
```

4. Test for DNS connectivity; it's successful:

```shell
kubectl exec -it tiefighter -- curl deathstar.empire.svc.cluster.local/v1
```

5. Add an additional rule for outbound traffic to cilium.io:

```shell
cat <<EOF | kubectl apply -n empire -f -
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-within-namespace"
specs:
  - endpointSelector:
      matchLabels: {}
    egress:
      - toEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": empire
    ingress:
      - fromEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": empire
  - endpointSelector:
      matchLabels: {}
    egress:
      - toEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": kube-system
              "k8s:k8s-app": kube-dns
  - endpointSelector:
      matchLabels: {}
    egress:
      - toFQDNs:
          - matchName: "cilium.io"
EOF
```

6. Test for connectivity:

   6.1 Test for internal DNS resolution - works:

```shell
kubectl exec -it tiefighter -- curl deathstar.empire.svc.cluster.local/v1
```

   6.2 Test for external DNS resolution - works:

```shell
kubectl exec -it tiefighter -- nslookup cilium.io 8.8.8.8
```

   6.3 Test to curl the endpoint - doesn't work:

```shell
kubectl exec -it tiefighter -- curl cilium.io
```

7. For some reason, the cilium fqdn list is empty. Not sure if that's something related to this issue but nevertheless, I tried it.

```shell
POD_NAME=$(kubectl get po -n kube-system -l k8s-app=cilium -ojsonpath='{@.items[0].metadata.name}')
kubectl exec -n kube-system -it $POD_NAME -- cilium fqdn names
```
Tried debugging with cilium observe, cilium endpoint list, etc., but no information.
Cilium Version
1.12.2
Kernel Version
Darwin laptop 21.6.0 Darwin Kernel Version 21.6.0: root:xnu-8020.240.7~1/RELEASE_ARM64_T6000 arm64
Kubernetes Version
1.25
Sysdump
cilium-sysdump-20221229-094847.zip
Relevant log output
No response
Anything else?
No response
Code of Conduct
- I agree to follow this project’s Code of Conduct
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 18 (8 by maintainers)
@rewanthtammana Please don’t ping arbitrary people to get attention. You’ve opened this issue in between Christmas and New Year so a bit of delay is only expected.
Whoah, that blog post is 4+ years old. Cilium was a baby back then 😸
Have you tried following the official guide for FQDN policies? In particular, the policy you cited is missing the DNS rule (which I'm guessing wasn't required back then), so that won't work.

Yes, it's working.
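For readers hitting the same symptom, here is what the maintainer's "missing DNS rule" means in policy form. This is an added example written for this page, not a policy from the issue or from the Cilium project; the policy name `allow-cilium-io-fqdn` and the ports are assumptions, and the namespace and labels are taken from the reproduction above. It shows the kube-dns egress rule extended with a `rules.dns` entry (the L7 DNS rule) beside the `toFQDNs` rule from the reporter's policy:

```yaml
# Added example (not from the issue): FQDN egress policy with the DNS rule
# that the reporter's policy lacks. Name and port choices are assumptions.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-cilium-io-fqdn"
  namespace: empire
spec:
  endpointSelector:
    matchLabels: {}
  egress:
    # Allow DNS to kube-dns AND route it through Cilium's DNS proxy.
    # The rules.dns entry is what lets Cilium observe DNS responses and
    # populate the FQDN -> IP cache that toFQDNs rules match against.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Now the FQDN rule has resolved IPs to work with. Restricting the
    # ports keeps the allowed egress to the web traffic actually needed.
    - toFQDNs:
        - matchName: "cilium.io"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
            - port: "80"
              protocol: TCP
```

Without the `rules.dns` block, the pod's DNS queries bypass the proxy, so Cilium never learns which IPs `cilium.io` resolves to and the `toFQDNs` rule matches nothing; that is consistent with the reporter seeing an empty FQDN list. After applying a policy like this, `cilium fqdn cache list` inside the agent pod should show entries for the name once a pod has resolved it, and `cilium-dbg monitor`/Hubble drops for the pod should disappear.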
I have the same issue.