diff --git a/pkg/render/common/networkpolicy/k8snetworkpolicy.go b/pkg/render/common/networkpolicy/k8snetworkpolicy.go index 33b1978ac5..0fe415ab4c 100644 --- a/pkg/render/common/networkpolicy/k8snetworkpolicy.go +++ b/pkg/render/common/networkpolicy/k8snetworkpolicy.go @@ -54,8 +54,13 @@ func K8sDNSEgressRules(openShift bool) []netv1.NetworkPolicyEgressRule { To: []netv1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k8s-app": "kube-dns", + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "k8s-app", + Operator: metav1.LabelSelectorOpIn, + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + Values: []string{"kube-dns", "coredns"}, + }, }, }, NamespaceSelector: &metav1.LabelSelector{ diff --git a/pkg/render/common/networkpolicy/networkpolicy.go b/pkg/render/common/networkpolicy/networkpolicy.go index 5d9d51a6d7..b1c18c5587 100644 --- a/pkg/render/common/networkpolicy/networkpolicy.go +++ b/pkg/render/common/networkpolicy/networkpolicy.go @@ -70,8 +70,9 @@ func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule { Protocol: &UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", - Ports: Ports(53), + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + Selector: "k8s-app in { 'kube-dns', 'coredns' }", + Ports: Ports(53), }, }) } @@ -138,16 +139,29 @@ func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) }, }...) } else { - egressRules = append(egressRules, v3.Rule{ - Action: v3.Allow, - Protocol: &UDPProtocol, - Destination: v3.EntityRule{ - Services: &v3.ServiceMatch{ - Namespace: "kube-system", - Name: "kube-dns", + // In most Kubernetes distros, the DNS service is kube-dns, but in Canonical it is coredns. + egressRules = append(egressRules, []v3.Rule{ + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "kube-dns", + }, }, }, - }) + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "coredns", + }, + }, + }, + }...) } return egressRules diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index f19969b888..04e828e73f 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -734,7 +734,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() { Protocol: &networkpolicy.UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", + Selector: "k8s-app in { 'kube-dns', 'coredns' }", Ports: networkpolicy.Ports(53), }, }, diff --git a/pkg/render/testutils/expected_policies/alertmanager-mesh.json b/pkg/render/testutils/expected_policies/alertmanager-mesh.json index b6518f0f3b..cad878a686 100644 --- a/pkg/render/testutils/expected_policies/alertmanager-mesh.json +++ b/pkg/render/testutils/expected_policies/alertmanager-mesh.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/alertmanager.json b/pkg/render/testutils/expected_policies/alertmanager.json index 7fb5bee519..f7ca78dcb4 100644 --- a/pkg/render/testutils/expected_policies/alertmanager.json +++ b/pkg/render/testutils/expected_policies/alertmanager.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/apiserver.json b/pkg/render/testutils/expected_policies/apiserver.json index c9de43ee07..50a456c541 100644 --- a/pkg/render/testutils/expected_policies/apiserver.json +++ b/pkg/render/testutils/expected_policies/apiserver.json @@ -55,7 +55,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance-server.json b/pkg/render/testutils/expected_policies/compliance-server.json index f824edac11..9353a2b3cc 100644 --- a/pkg/render/testutils/expected_policies/compliance-server.json +++ b/pkg/render/testutils/expected_policies/compliance-server.json @@ -57,7 +57,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_managed.json b/pkg/render/testutils/expected_policies/compliance_managed.json index 8deb3ae3b3..b2115c4c17 100644 --- a/pkg/render/testutils/expected_policies/compliance_managed.json +++ b/pkg/render/testutils/expected_policies/compliance_managed.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_unmanaged.json b/pkg/render/testutils/expected_policies/compliance_unmanaged.json index 57b64fdcdc..41f871ec22 100644 --- a/pkg/render/testutils/expected_policies/compliance_unmanaged.json +++ b/pkg/render/testutils/expected_policies/compliance_unmanaged.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dashboards.json b/pkg/render/testutils/expected_policies/dashboards.json index 54871fed11..4fad45a29d 100644 --- a/pkg/render/testutils/expected_policies/dashboards.json +++ b/pkg/render/testutils/expected_policies/dashboards.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dex.json b/pkg/render/testutils/expected_policies/dex.json index ca007db949..50204e38f0 100644 --- a/pkg/render/testutils/expected_policies/dex.json +++ b/pkg/render/testutils/expected_policies/dex.json @@ -99,7 +99,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dns.json b/pkg/render/testutils/expected_policies/dns.json index 1d551b833d..1a6562ee4b 100644 --- a/pkg/render/testutils/expected_policies/dns.json +++ b/pkg/render/testutils/expected_policies/dns.json @@ -30,7 +30,7 @@ "destination": {} } ], - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "types": [ "Ingress", "Egress" diff --git a/pkg/render/testutils/expected_policies/dpi_managed.json b/pkg/render/testutils/expected_policies/dpi_managed.json index 366f069447..be314ecb08 100644 --- a/pkg/render/testutils/expected_policies/dpi_managed.json +++ b/pkg/render/testutils/expected_policies/dpi_managed.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/dpi_unmanaged.json b/pkg/render/testutils/expected_policies/dpi_unmanaged.json index 442bb108e7..0ecd30419b 100644 --- a/pkg/render/testutils/expected_policies/dpi_unmanaged.json +++ b/pkg/render/testutils/expected_policies/dpi_unmanaged.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/elastic-operator.json b/pkg/render/testutils/expected_policies/elastic-operator.json index 37d9a538ec..f7973c4bf8 100644 --- a/pkg/render/testutils/expected_policies/elastic-operator.json +++ b/pkg/render/testutils/expected_policies/elastic-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/elasticsearch.json b/pkg/render/testutils/expected_policies/elasticsearch.json index 7093122468..6273caa254 100644 --- a/pkg/render/testutils/expected_policies/elasticsearch.json +++ b/pkg/render/testutils/expected_policies/elasticsearch.json @@ -83,7 +83,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-gateway.json b/pkg/render/testutils/expected_policies/es-gateway.json index 41dc9813e6..8d7b439c8a 100644 --- a/pkg/render/testutils/expected_policies/es-gateway.json +++ b/pkg/render/testutils/expected_policies/es-gateway.json @@ -121,7 +121,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-kubecontrollers.json b/pkg/render/testutils/expected_policies/es-kubecontrollers.json index 63d2ab94c0..a5f1a48962 100644 --- a/pkg/render/testutils/expected_policies/es-kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/es-kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-metrics.json b/pkg/render/testutils/expected_policies/es-metrics.json index a8f71186c1..0a9ee014c3 100644 --- a/pkg/render/testutils/expected_policies/es-metrics.json +++ b/pkg/render/testutils/expected_policies/es-metrics.json @@ -48,7 +48,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json index 390a7d4660..39ef72b426 100644 --- a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json +++ b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/guardian.json b/pkg/render/testutils/expected_policies/guardian.json index 39df2daaca..05cc65475e 100644 --- a/pkg/render/testutils/expected_policies/guardian.json +++ b/pkg/render/testutils/expected_policies/guardian.json @@ -132,7 +132,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json index 4168ce1d11..526f27ca1d 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json index 88c5526720..fbad321ef3 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json index 152863cc1c..1588f155f9 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json index 29c588b1b2..75b9c9996a 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kibana.json b/pkg/render/testutils/expected_policies/kibana.json index f17a3c6ff3..c8d9bee417 100644 --- a/pkg/render/testutils/expected_policies/kibana.json +++ b/pkg/render/testutils/expected_policies/kibana.json @@ -101,7 +101,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers.json b/pkg/render/testutils/expected_policies/kubecontrollers.json index f831d81e91..5cb789a606 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json index 1aac5135c1..1fa07de749 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/linseed.json b/pkg/render/testutils/expected_policies/linseed.json index 609a20867b..6d75c7caa3 100644 --- a/pkg/render/testutils/expected_policies/linseed.json +++ b/pkg/render/testutils/expected_policies/linseed.json @@ -190,7 +190,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json index af1cfaeda8..c7ab55cfd1 100644 --- a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json +++ b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json @@ -199,7 +199,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/manager.json b/pkg/render/testutils/expected_policies/manager.json index 97d18b7539..f08f400ff6 100644 --- a/pkg/render/testutils/expected_policies/manager.json +++ b/pkg/render/testutils/expected_policies/manager.json @@ -152,7 +152,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture.json b/pkg/render/testutils/expected_policies/packetcapture.json index 0a07976542..99d9e63b94 100644 --- a/pkg/render/testutils/expected_policies/packetcapture.json +++ b/pkg/render/testutils/expected_policies/packetcapture.json @@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed.json b/pkg/render/testutils/expected_policies/packetcapture_managed.json index 0bbbe598c7..bda9822ddd 100644 --- a/pkg/render/testutils/expected_policies/packetcapture_managed.json +++ b/pkg/render/testutils/expected_policies/packetcapture_managed.json @@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/policyrecommendation.json b/pkg/render/testutils/expected_policies/policyrecommendation.json index b63e268b54..79325f8cac 100644 --- a/pkg/render/testutils/expected_policies/policyrecommendation.json +++ b/pkg/render/testutils/expected_policies/policyrecommendation.json @@ -53,7 +53,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-api.json b/pkg/render/testutils/expected_policies/prometheus-api.json index b3ba35a024..27343ea317 100644 --- a/pkg/render/testutils/expected_policies/prometheus-api.json +++ b/pkg/render/testutils/expected_policies/prometheus-api.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-operator.json b/pkg/render/testutils/expected_policies/prometheus-operator.json index 8fa0df32aa..0506b6d4a0 100644 --- a/pkg/render/testutils/expected_policies/prometheus-operator.json +++ b/pkg/render/testutils/expected_policies/prometheus-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus.json b/pkg/render/testutils/expected_policies/prometheus.json index 538b33ccba..d47931760e 100644 --- a/pkg/render/testutils/expected_policies/prometheus.json +++ b/pkg/render/testutils/expected_policies/prometheus.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/tiers/tiers.go b/pkg/render/tiers/tiers.go index 0242b2bd70..9a79caebc5 100644 --- a/pkg/render/tiers/tiers.go +++ b/pkg/render/tiers/tiers.go @@ -116,7 +116,8 @@ func (t tiersComponent) calicoSystemClusterDNSPolicy() *v3.NetworkPolicy { dnsPolicySelector = "dns.operator.openshift.io/daemonset-dns == 'default'" dnsPolicyNamespace = "openshift-dns" } else { - dnsPolicySelector = "k8s-app == 'kube-dns'" + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + dnsPolicySelector = "k8s-app in { 'kube-dns', 'coredns' }" dnsPolicyNamespace = "kube-system" }