From ead4e20bb36fec5dbf3fdaed371dcadab38ee16a Mon Sep 17 00:00:00 2001 
From: Rene Dekker Date: Thu, 5 Mar 2026 15:58:51 -0800 Subject: [PATCH 1/2] Support Canonical k8s DNS pod labels in network policies Canonical Kubernetes uses the label k8s-app=coredns instead of k8s-app=kube-dns for DNS pods. Update all network policy selectors to match either label so policies work on both distributions. Co-Authored-By: Claude Opus 4.6 --- .../common/networkpolicy/k8snetworkpolicy.go | 9 +++-- .../common/networkpolicy/networkpolicy.go | 34 +++++++++++++------ pkg/render/intrusion_detection_test.go | 2 +- .../expected_policies/alertmanager-mesh.json | 2 +- .../expected_policies/alertmanager.json | 2 +- .../expected_policies/apiserver.json | 2 +- .../expected_policies/compliance-server.json | 2 +- .../expected_policies/compliance_managed.json | 2 +- .../compliance_unmanaged.json | 2 +- .../expected_policies/dashboards.json | 2 +- .../testutils/expected_policies/dex.json | 2 +- .../testutils/expected_policies/dns.json | 2 +- .../expected_policies/dpi_managed.json | 10 ++++++ .../expected_policies/dpi_unmanaged.json | 10 ++++++ .../expected_policies/elastic-operator.json | 2 +- .../expected_policies/elasticsearch.json | 2 +- .../expected_policies/es-gateway.json | 2 +- .../expected_policies/es-kubecontrollers.json | 2 +- .../expected_policies/es-metrics.json | 2 +- .../expected_policies/fluentd_unmanaged.json | 2 +- .../testutils/expected_policies/guardian.json | 2 +- ...ntrusion-detection-controller_managed.json | 2 +- ...usion-detection-controller_management.json | 2 +- ...usion-detection-controller_standalone.json | 2 +- .../intrusion-detection-elastic.json | 2 +- .../testutils/expected_policies/kibana.json | 2 +- .../expected_policies/kubecontrollers.json | 2 +- .../kubecontrollers_managed.json | 2 +- .../testutils/expected_policies/linseed.json | 2 +- .../linseed_dpi_enabled.json | 2 +- .../testutils/expected_policies/manager.json | 2 +- .../expected_policies/packetcapture.json | 2 +- .../packetcapture_managed.json | 2 +- 
.../policyrecommendation.json | 2 +- .../expected_policies/prometheus-api.json | 2 +- .../prometheus-operator.json | 2 +- .../expected_policies/prometheus.json | 2 +- pkg/render/tiers/tiers.go | 3 +- 38 files changed, 86 insertions(+), 46 deletions(-) diff --git a/pkg/render/common/networkpolicy/k8snetworkpolicy.go b/pkg/render/common/networkpolicy/k8snetworkpolicy.go index 33b1978ac5..0fe415ab4c 100644 --- a/pkg/render/common/networkpolicy/k8snetworkpolicy.go +++ b/pkg/render/common/networkpolicy/k8snetworkpolicy.go @@ -54,8 +54,13 @@ func K8sDNSEgressRules(openShift bool) []netv1.NetworkPolicyEgressRule { To: []netv1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k8s-app": "kube-dns", + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "k8s-app", + Operator: metav1.LabelSelectorOpIn, + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + Values: []string{"kube-dns", "coredns"}, + }, }, }, NamespaceSelector: &metav1.LabelSelector{ diff --git a/pkg/render/common/networkpolicy/networkpolicy.go b/pkg/render/common/networkpolicy/networkpolicy.go index 5d9d51a6d7..44e3296d07 100644 --- a/pkg/render/common/networkpolicy/networkpolicy.go +++ b/pkg/render/common/networkpolicy/networkpolicy.go @@ -70,8 +70,9 @@ func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule { Protocol: &UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", - Ports: Ports(53), + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + Ports: Ports(53), }, }) } 
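Review bot: The `Values: []string{"kube-dns", "coredns"}` requirement in `K8sDNSEgressRules` is emitted for every cluster that reaches this peer, not only Canonical Kubernetes, so where the DNS pods carry `kube-dns` the `coredns` value is a standing allow for any pod that acquires that label. What bounds it is the `NamespaceSelector` that follows, whose contents lie outside this hunk, so it is worth confirming that it still pins the peer to the DNS namespace. I would make that dependency explicit in the added comment: `// Both values are always allowed; the NamespaceSelector below is what confines this peer to the DNS namespace.` The function starts and ends outside the hunk.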
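Review bot: The selector literal `"k8s-app == 'kube-dns' || k8s-app == 'coredns'"` in `AppendDNSEgressRules` is repeated verbatim in `calicoSystemClusterDNSPolicy` (tiers.go) and in the expectation in intrusion_detection_test.go, so the set of pods treated as cluster DNS can drift between the egress rules and the DNS policy itself. One exported constant in this package, for example `const DNSPodSelector = "k8s-app == 'kube-dns' || k8s-app == 'coredns'"` (the name is only a suggestion), would keep the copies in lockstep, assuming tiers.go can import this package. The second patch in this series has to edit every copy again just to change the syntax. The added comment would also read more clearly as `// DNS pods are labelled k8s-app=kube-dns on most distributions and k8s-app=coredns on Canonical Kubernetes.`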
@@ -138,16 +139,29 @@ func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) }, }...) } else { - egressRules = append(egressRules, v3.Rule{ - Action: v3.Allow, - Protocol: &UDPProtocol, - Destination: v3.EntityRule{ - Services: &v3.ServiceMatch{ - Namespace: "kube-system", - Name: "kube-dns", + // In most Kubernetes distros, the DNS service is kube-dns, but in Canonical it is coredns. + egressRules = append(egressRules, []v3.Rule{ + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "kube-dns", + }, }, }, - }) + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "coredns", + }, + }, + }, + }...) } return egressRules diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index f19969b888..8e23c70026 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -734,7 +734,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() { Protocol: &networkpolicy.UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", + Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", Ports: networkpolicy.Ports(53), }, }, diff --git a/pkg/render/testutils/expected_policies/alertmanager-mesh.json b/pkg/render/testutils/expected_policies/alertmanager-mesh.json index b6518f0f3b..c6541f262c 100644 --- a/pkg/render/testutils/expected_policies/alertmanager-mesh.json +++ b/pkg/render/testutils/expected_policies/alertmanager-mesh.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] 
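Review bot: The second rule in the `else` branch of `AppendServiceSelectorDNSEgressRules` allows UDP egress to a Service named `coredns` in `kube-system` on every non-OpenShift cluster, and neither rule names a port. On clusters whose DNS Service is `kube-dns`, the rule therefore pre-authorises whatever Service is later created under the `coredns` name. That trade-off deserves a sentence in the comment, or a provider check if one is available to this function (not visible here). The two rule literals also differ only in `Name`, so a loop over the accepted names keeps them identical and makes the allow-list a single line to audit. The function begins before the hunk and its closing brace is after it.

```go
	} else {
		// In most Kubernetes distros, the DNS service is kube-dns, but in Canonical it is coredns.
		// Both names are allowed on every cluster, so the unused one is a standing allow
		// for any Service later created under that name in kube-system.
		for _, name := range []string{"kube-dns", "coredns"} {
			egressRules = append(egressRules, v3.Rule{
				Action:   v3.Allow,
				Protocol: &UDPProtocol,
				Destination: v3.EntityRule{
					Services: &v3.ServiceMatch{
						Namespace: "kube-system",
						Name:      name,
					},
				},
			})
		}
	}
	// … unchanged: return egressRules …
```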
diff --git a/pkg/render/testutils/expected_policies/alertmanager.json b/pkg/render/testutils/expected_policies/alertmanager.json index 7fb5bee519..c4e1e910a2 100644 --- a/pkg/render/testutils/expected_policies/alertmanager.json +++ b/pkg/render/testutils/expected_policies/alertmanager.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/apiserver.json b/pkg/render/testutils/expected_policies/apiserver.json index c9de43ee07..b7280a7c13 100644 --- a/pkg/render/testutils/expected_policies/apiserver.json +++ b/pkg/render/testutils/expected_policies/apiserver.json @@ -55,7 +55,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance-server.json b/pkg/render/testutils/expected_policies/compliance-server.json index f824edac11..b8e5f49f15 100644 --- a/pkg/render/testutils/expected_policies/compliance-server.json +++ b/pkg/render/testutils/expected_policies/compliance-server.json @@ -57,7 +57,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_managed.json b/pkg/render/testutils/expected_policies/compliance_managed.json index 8deb3ae3b3..157654eb27 100644 --- a/pkg/render/testutils/expected_policies/compliance_managed.json +++ b/pkg/render/testutils/expected_policies/compliance_managed.json 
@@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_unmanaged.json b/pkg/render/testutils/expected_policies/compliance_unmanaged.json index 57b64fdcdc..92f2342e60 100644 --- a/pkg/render/testutils/expected_policies/compliance_unmanaged.json +++ b/pkg/render/testutils/expected_policies/compliance_unmanaged.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dashboards.json b/pkg/render/testutils/expected_policies/dashboards.json index 54871fed11..6efc228e9c 100644 --- a/pkg/render/testutils/expected_policies/dashboards.json +++ b/pkg/render/testutils/expected_policies/dashboards.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dex.json b/pkg/render/testutils/expected_policies/dex.json index ca007db949..5b12ee77ce 100644 --- a/pkg/render/testutils/expected_policies/dex.json +++ b/pkg/render/testutils/expected_policies/dex.json @@ -99,7 +99,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dns.json b/pkg/render/testutils/expected_policies/dns.json index 1d551b833d..9c71427508 100644 
--- a/pkg/render/testutils/expected_policies/dns.json +++ b/pkg/render/testutils/expected_policies/dns.json @@ -30,7 +30,7 @@ "destination": {} } ], - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "types": [ "Ingress", "Egress" diff --git a/pkg/render/testutils/expected_policies/dpi_managed.json b/pkg/render/testutils/expected_policies/dpi_managed.json index 366f069447..be314ecb08 100644 --- a/pkg/render/testutils/expected_policies/dpi_managed.json +++ b/pkg/render/testutils/expected_policies/dpi_managed.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/dpi_unmanaged.json b/pkg/render/testutils/expected_policies/dpi_unmanaged.json index 442bb108e7..0ecd30419b 100644 --- a/pkg/render/testutils/expected_policies/dpi_unmanaged.json +++ b/pkg/render/testutils/expected_policies/dpi_unmanaged.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/elastic-operator.json b/pkg/render/testutils/expected_policies/elastic-operator.json index 37d9a538ec..24dec7d339 100644 --- a/pkg/render/testutils/expected_policies/elastic-operator.json +++ b/pkg/render/testutils/expected_policies/elastic-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/elasticsearch.json b/pkg/render/testutils/expected_policies/elasticsearch.json index 7093122468..44362a57a0 100644 
--- a/pkg/render/testutils/expected_policies/elasticsearch.json +++ b/pkg/render/testutils/expected_policies/elasticsearch.json @@ -83,7 +83,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-gateway.json b/pkg/render/testutils/expected_policies/es-gateway.json index 41dc9813e6..504402bdad 100644 --- a/pkg/render/testutils/expected_policies/es-gateway.json +++ b/pkg/render/testutils/expected_policies/es-gateway.json @@ -121,7 +121,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-kubecontrollers.json b/pkg/render/testutils/expected_policies/es-kubecontrollers.json index 63d2ab94c0..79873a9e09 100644 --- a/pkg/render/testutils/expected_policies/es-kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/es-kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-metrics.json b/pkg/render/testutils/expected_policies/es-metrics.json index a8f71186c1..d99e628412 100644 --- a/pkg/render/testutils/expected_policies/es-metrics.json +++ b/pkg/render/testutils/expected_policies/es-metrics.json @@ -48,7 +48,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] 
diff --git a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json index 390a7d4660..9b65bf8f3f 100644 --- a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json +++ b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/guardian.json b/pkg/render/testutils/expected_policies/guardian.json index 39df2daaca..e640078bee 100644 --- a/pkg/render/testutils/expected_policies/guardian.json +++ b/pkg/render/testutils/expected_policies/guardian.json @@ -132,7 +132,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json index 4168ce1d11..b99e1ac8a4 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json index 88c5526720..9eb8b4ae85 100644 
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json index 152863cc1c..2d8e633a4e 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json index 29c588b1b2..6492378c55 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kibana.json b/pkg/render/testutils/expected_policies/kibana.json index f17a3c6ff3..827dd18c2b 100644 --- a/pkg/render/testutils/expected_policies/kibana.json +++ b/pkg/render/testutils/expected_policies/kibana.json 
@@ -101,7 +101,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers.json b/pkg/render/testutils/expected_policies/kubecontrollers.json index f831d81e91..43cc5c3d58 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json index 1aac5135c1..c0a26ff666 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/linseed.json b/pkg/render/testutils/expected_policies/linseed.json index 609a20867b..7a8ab93c0a 100644 --- a/pkg/render/testutils/expected_policies/linseed.json +++ b/pkg/render/testutils/expected_policies/linseed.json @@ -190,7 +190,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] 
diff --git a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json index af1cfaeda8..3d99c57352 100644 --- a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json +++ b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json @@ -199,7 +199,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/manager.json b/pkg/render/testutils/expected_policies/manager.json index 97d18b7539..6b779ecc94 100644 --- a/pkg/render/testutils/expected_policies/manager.json +++ b/pkg/render/testutils/expected_policies/manager.json @@ -152,7 +152,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture.json b/pkg/render/testutils/expected_policies/packetcapture.json index 0a07976542..7054982cc2 100644 --- a/pkg/render/testutils/expected_policies/packetcapture.json +++ b/pkg/render/testutils/expected_policies/packetcapture.json @@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed.json b/pkg/render/testutils/expected_policies/packetcapture_managed.json index 0bbbe598c7..3eb8aab798 100644 --- a/pkg/render/testutils/expected_policies/packetcapture_managed.json +++ b/pkg/render/testutils/expected_policies/packetcapture_managed.json 
@@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/policyrecommendation.json b/pkg/render/testutils/expected_policies/policyrecommendation.json index b63e268b54..fb438526b6 100644 --- a/pkg/render/testutils/expected_policies/policyrecommendation.json +++ b/pkg/render/testutils/expected_policies/policyrecommendation.json @@ -53,7 +53,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-api.json b/pkg/render/testutils/expected_policies/prometheus-api.json index b3ba35a024..01485c21b5 100644 --- a/pkg/render/testutils/expected_policies/prometheus-api.json +++ b/pkg/render/testutils/expected_policies/prometheus-api.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-operator.json b/pkg/render/testutils/expected_policies/prometheus-operator.json index 8fa0df32aa..717e8c5c7e 100644 --- a/pkg/render/testutils/expected_policies/prometheus-operator.json +++ b/pkg/render/testutils/expected_policies/prometheus-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] 
diff --git a/pkg/render/testutils/expected_policies/prometheus.json b/pkg/render/testutils/expected_policies/prometheus.json index 538b33ccba..12b5510365 100644 --- a/pkg/render/testutils/expected_policies/prometheus.json +++ b/pkg/render/testutils/expected_policies/prometheus.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/tiers/tiers.go b/pkg/render/tiers/tiers.go index 0242b2bd70..dfc5c9f1fc 100644 --- a/pkg/render/tiers/tiers.go +++ b/pkg/render/tiers/tiers.go @@ -116,7 +116,8 @@ func (t tiersComponent) calicoSystemClusterDNSPolicy() *v3.NetworkPolicy { dnsPolicySelector = "dns.operator.openshift.io/daemonset-dns == 'default'" dnsPolicyNamespace = "openshift-dns" } else { - dnsPolicySelector = "k8s-app == 'kube-dns'" + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. + dnsPolicySelector = "k8s-app == 'kube-dns' || k8s-app == 'coredns'" dnsPolicyNamespace = "kube-system" } From d7b8aa89a7a598d5aab9a05599b4b69b604c1acf Mon Sep 17 00:00:00 2001 
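Review bot: In `calicoSystemClusterDNSPolicy`, `dnsPolicySelector` appears to be the selector of the DNS policy itself rather than a rule peer, since the dns.json fixture changes its top-level `selector`. Widening it therefore changes which pods receive the DNS pods' ingress and egress allowances, not merely who may be reached. On a non-OpenShift cluster whose DNS pods are `kube-dns`, any pod in `kube-system` labelled `k8s-app=coredns` would now fall under this policy. The new comment should state that consequence, e.g. `// This selects the pods the DNS policy applies to: every label value listed here receives the DNS pods' allowances.` The function body begins and ends outside the hunk, so how `dnsPolicySelector` is consumed is inferred from the fixture rather than seen directly.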
From: Rene Dekker Date: Thu, 2 Apr 2026 13:11:06 -0700 Subject: [PATCH 2/2] Use 'in' selector syntax for DNS pod label matching Co-Authored-By: Claude Opus 4.6 (1M context) --- pkg/render/common/networkpolicy/networkpolicy.go | 2 +- pkg/render/intrusion_detection_test.go | 2 +- pkg/render/testutils/expected_policies/alertmanager-mesh.json | 2 +- pkg/render/testutils/expected_policies/alertmanager.json | 2 +- pkg/render/testutils/expected_policies/apiserver.json | 2 +- pkg/render/testutils/expected_policies/compliance-server.json | 2 +- pkg/render/testutils/expected_policies/compliance_managed.json | 2 +- .../testutils/expected_policies/compliance_unmanaged.json | 2 +- pkg/render/testutils/expected_policies/dashboards.json | 2 +- pkg/render/testutils/expected_policies/dex.json | 2 +- pkg/render/testutils/expected_policies/dns.json | 2 +- pkg/render/testutils/expected_policies/elastic-operator.json | 2 +- pkg/render/testutils/expected_policies/elasticsearch.json | 2 +- pkg/render/testutils/expected_policies/es-gateway.json | 2 +- pkg/render/testutils/expected_policies/es-kubecontrollers.json | 2 +- pkg/render/testutils/expected_policies/es-metrics.json | 2 +- pkg/render/testutils/expected_policies/fluentd_unmanaged.json | 2 +- pkg/render/testutils/expected_policies/guardian.json | 2 +- .../intrusion-detection-controller_managed.json | 2 +- .../intrusion-detection-controller_management.json | 2 +- .../intrusion-detection-controller_standalone.json | 2 +- .../expected_policies/intrusion-detection-elastic.json | 2 +- pkg/render/testutils/expected_policies/kibana.json | 2 +- pkg/render/testutils/expected_policies/kubecontrollers.json | 2 +- .../testutils/expected_policies/kubecontrollers_managed.json | 2 +- pkg/render/testutils/expected_policies/linseed.json | 2 +- pkg/render/testutils/expected_policies/linseed_dpi_enabled.json | 2 +- pkg/render/testutils/expected_policies/manager.json | 2 +- pkg/render/testutils/expected_policies/packetcapture.json | 2 +- 
.../testutils/expected_policies/packetcapture_managed.json | 2 +- .../testutils/expected_policies/policyrecommendation.json | 2 +- pkg/render/testutils/expected_policies/prometheus-api.json | 2 +- pkg/render/testutils/expected_policies/prometheus-operator.json | 2 +- pkg/render/testutils/expected_policies/prometheus.json | 2 +- pkg/render/tiers/tiers.go | 2 +- 35 files changed, 35 insertions(+), 35 deletions(-) diff --git a/pkg/render/common/networkpolicy/networkpolicy.go b/pkg/render/common/networkpolicy/networkpolicy.go index 44e3296d07..b1c18c5587 100644 --- a/pkg/render/common/networkpolicy/networkpolicy.go +++ b/pkg/render/common/networkpolicy/networkpolicy.go @@ -71,7 +71,7 @@ func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule { Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns. - Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + Selector: "k8s-app in { 'kube-dns', 'coredns' }", Ports: Ports(53), }, }) diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index 8e23c70026..04e828e73f 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -734,7 +734,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() { Protocol: &networkpolicy.UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + Selector: "k8s-app in { 'kube-dns', 'coredns' }", Ports: networkpolicy.Ports(53), }, }, diff --git a/pkg/render/testutils/expected_policies/alertmanager-mesh.json b/pkg/render/testutils/expected_policies/alertmanager-mesh.json index c6541f262c..cad878a686 100644 --- a/pkg/render/testutils/expected_policies/alertmanager-mesh.json +++ b/pkg/render/testutils/expected_policies/alertmanager-mesh.json 
@@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/alertmanager.json b/pkg/render/testutils/expected_policies/alertmanager.json index c4e1e910a2..f7ca78dcb4 100644 --- a/pkg/render/testutils/expected_policies/alertmanager.json +++ b/pkg/render/testutils/expected_policies/alertmanager.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/apiserver.json b/pkg/render/testutils/expected_policies/apiserver.json index b7280a7c13..50a456c541 100644 --- a/pkg/render/testutils/expected_policies/apiserver.json +++ b/pkg/render/testutils/expected_policies/apiserver.json @@ -55,7 +55,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance-server.json b/pkg/render/testutils/expected_policies/compliance-server.json index b8e5f49f15..9353a2b3cc 100644 --- a/pkg/render/testutils/expected_policies/compliance-server.json +++ b/pkg/render/testutils/expected_policies/compliance-server.json @@ -57,7 +57,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] 
diff --git a/pkg/render/testutils/expected_policies/compliance_managed.json b/pkg/render/testutils/expected_policies/compliance_managed.json index 157654eb27..b2115c4c17 100644 --- a/pkg/render/testutils/expected_policies/compliance_managed.json +++ b/pkg/render/testutils/expected_policies/compliance_managed.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_unmanaged.json b/pkg/render/testutils/expected_policies/compliance_unmanaged.json index 92f2342e60..41f871ec22 100644 --- a/pkg/render/testutils/expected_policies/compliance_unmanaged.json +++ b/pkg/render/testutils/expected_policies/compliance_unmanaged.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dashboards.json b/pkg/render/testutils/expected_policies/dashboards.json index 6efc228e9c..4fad45a29d 100644 --- a/pkg/render/testutils/expected_policies/dashboards.json +++ b/pkg/render/testutils/expected_policies/dashboards.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + "selector": "k8s-app in { 'kube-dns', 'coredns' }", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dex.json b/pkg/render/testutils/expected_policies/dex.json index 5b12ee77ce..50204e38f0 100644 --- a/pkg/render/testutils/expected_policies/dex.json +++ b/pkg/render/testutils/expected_policies/dex.json 
@@ -99,7 +99,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/dns.json b/pkg/render/testutils/expected_policies/dns.json
index 9c71427508..1a6562ee4b 100644
--- a/pkg/render/testutils/expected_policies/dns.json
+++ b/pkg/render/testutils/expected_policies/dns.json
@@ -30,7 +30,7 @@
 "destination": {}
 }
 ],
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "types": [
 "Ingress",
 "Egress"
diff --git a/pkg/render/testutils/expected_policies/elastic-operator.json b/pkg/render/testutils/expected_policies/elastic-operator.json
index 24dec7d339..f7973c4bf8 100644
--- a/pkg/render/testutils/expected_policies/elastic-operator.json
+++ b/pkg/render/testutils/expected_policies/elastic-operator.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/elasticsearch.json b/pkg/render/testutils/expected_policies/elasticsearch.json
index 44362a57a0..6273caa254 100644
--- a/pkg/render/testutils/expected_policies/elasticsearch.json
+++ b/pkg/render/testutils/expected_policies/elasticsearch.json
@@ -83,7 +83,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/es-gateway.json b/pkg/render/testutils/expected_policies/es-gateway.json
index 504402bdad..8d7b439c8a 100644
--- a/pkg/render/testutils/expected_policies/es-gateway.json
+++ b/pkg/render/testutils/expected_policies/es-gateway.json
@@ -121,7 +121,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/es-kubecontrollers.json b/pkg/render/testutils/expected_policies/es-kubecontrollers.json
index 79873a9e09..a5f1a48962 100644
--- a/pkg/render/testutils/expected_policies/es-kubecontrollers.json
+++ b/pkg/render/testutils/expected_policies/es-kubecontrollers.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/es-metrics.json b/pkg/render/testutils/expected_policies/es-metrics.json
index d99e628412..0a9ee014c3 100644
--- a/pkg/render/testutils/expected_policies/es-metrics.json
+++ b/pkg/render/testutils/expected_policies/es-metrics.json
@@ -48,7 +48,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json
index 9b65bf8f3f..39ef72b426 100644
--- a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json
+++ b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json
@@ -61,7 +61,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/guardian.json b/pkg/render/testutils/expected_policies/guardian.json
index e640078bee..05cc65475e 100644
--- a/pkg/render/testutils/expected_policies/guardian.json
+++ b/pkg/render/testutils/expected_policies/guardian.json
@@ -132,7 +132,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
index b99e1ac8a4..526f27ca1d 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
@@ -42,7 +42,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
index 9eb8b4ae85..fbad321ef3 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
@@ -42,7 +42,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
index 2d8e633a4e..1588f155f9 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
@@ -42,7 +42,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json
index 6492378c55..75b9c9996a 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/kibana.json b/pkg/render/testutils/expected_policies/kibana.json
index 827dd18c2b..c8d9bee417 100644
--- a/pkg/render/testutils/expected_policies/kibana.json
+++ b/pkg/render/testutils/expected_policies/kibana.json
@@ -101,7 +101,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/kubecontrollers.json b/pkg/render/testutils/expected_policies/kubecontrollers.json
index 43cc5c3d58..5cb789a606 100644
--- a/pkg/render/testutils/expected_policies/kubecontrollers.json
+++ b/pkg/render/testutils/expected_policies/kubecontrollers.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json
index c0a26ff666..1fa07de749 100644
--- a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json
+++ b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/linseed.json b/pkg/render/testutils/expected_policies/linseed.json
index 7a8ab93c0a..6d75c7caa3 100644
--- a/pkg/render/testutils/expected_policies/linseed.json
+++ b/pkg/render/testutils/expected_policies/linseed.json
@@ -190,7 +190,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json
index 3d99c57352..c7ab55cfd1 100644
--- a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json
+++ b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json
@@ -199,7 +199,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/manager.json b/pkg/render/testutils/expected_policies/manager.json
index 6b779ecc94..f08f400ff6 100644
--- a/pkg/render/testutils/expected_policies/manager.json
+++ b/pkg/render/testutils/expected_policies/manager.json
@@ -152,7 +152,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/packetcapture.json b/pkg/render/testutils/expected_policies/packetcapture.json
index 7054982cc2..99d9e63b94 100644
--- a/pkg/render/testutils/expected_policies/packetcapture.json
+++ b/pkg/render/testutils/expected_policies/packetcapture.json
@@ -44,7 +44,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed.json b/pkg/render/testutils/expected_policies/packetcapture_managed.json
index 3eb8aab798..bda9822ddd 100644
--- a/pkg/render/testutils/expected_policies/packetcapture_managed.json
+++ b/pkg/render/testutils/expected_policies/packetcapture_managed.json
@@ -44,7 +44,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/policyrecommendation.json b/pkg/render/testutils/expected_policies/policyrecommendation.json
index fb438526b6..79325f8cac 100644
--- a/pkg/render/testutils/expected_policies/policyrecommendation.json
+++ b/pkg/render/testutils/expected_policies/policyrecommendation.json
@@ -53,7 +53,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/prometheus-api.json b/pkg/render/testutils/expected_policies/prometheus-api.json
index 01485c21b5..27343ea317 100644
--- a/pkg/render/testutils/expected_policies/prometheus-api.json
+++ b/pkg/render/testutils/expected_policies/prometheus-api.json
@@ -30,7 +30,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/prometheus-operator.json b/pkg/render/testutils/expected_policies/prometheus-operator.json
index 717e8c5c7e..0506b6d4a0 100644
--- a/pkg/render/testutils/expected_policies/prometheus-operator.json
+++ b/pkg/render/testutils/expected_policies/prometheus-operator.json
@@ -18,7 +18,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/testutils/expected_policies/prometheus.json b/pkg/render/testutils/expected_policies/prometheus.json
index 12b5510365..d47931760e 100644
--- a/pkg/render/testutils/expected_policies/prometheus.json
+++ b/pkg/render/testutils/expected_policies/prometheus.json
@@ -30,7 +30,7 @@
 "protocol": "UDP",
 "destination": {
 "namespaceSelector": "projectcalico.org/name == 'kube-system'",
- "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'",
+ "selector": "k8s-app in { 'kube-dns', 'coredns' }",
 "ports": [
 53
 ]
diff --git a/pkg/render/tiers/tiers.go b/pkg/render/tiers/tiers.go
index dfc5c9f1fc..9a79caebc5 100644
--- a/pkg/render/tiers/tiers.go
+++ b/pkg/render/tiers/tiers.go
@@ -117,7 +117,7 @@ func (t tiersComponent) calicoSystemClusterDNSPolicy() *v3.NetworkPolicy {
 dnsPolicyNamespace = "openshift-dns"
 } else {
 // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for coredns.
- dnsPolicySelector = "k8s-app == 'kube-dns' || k8s-app == 'coredns'"
+ dnsPolicySelector = "k8s-app in { 'kube-dns', 'coredns' }"
 dnsPolicyNamespace = "kube-system"
 }
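Review bot: The `else` branch in the tiers.go hunk applies `k8s-app in { 'kube-dns', 'coredns' }` on every non-OpenShift cluster, so the cluster-DNS policy selects any `kube-system` pod carrying either label value rather than only the one the distribution ships; the fixtures in this patch show the same selector as the UDP/53 egress destination for the managed components. That allow set is slightly wider than a per-distribution label and depends on who is permitted to label pods in `kube-system`. If the operator can tell a Canonical cluster apart (not visible in this hunk), set the single label in its own branch as the OpenShift branch does; otherwise record that the union is deliberate, e.g. `// Both labels are matched on all non-OpenShift distros; kube-system pod labels are trusted.` The selector literal is repeated across the files in this patch, so a shared constant, if one does not already exist, would keep the policy and its expected fixtures in step. calicoSystemClusterDNSPolicy starts and ends outside the hunk.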