Description
On an AKS cluster running the OSS Calico variant with tiered network policies, the guardian and goldmane pods in calico-system are unable to resolve DNS. Their egress UDP/53 traffic to CoreDNS in kube-system is being denied.
Observed behavior
Whisker flow logs show denied flows:
The blocking policy is implicit calico-system.default-deny.
Analysis
Looking at the operator render code:
-
pkg/render/goldmane/component.go — the networkPolicy() method only creates a policy with Types: Ingress. There are no egress rules at all for goldmane.
-
pkg/render/guardian.go — the ossNetworkPolicy() function also only creates a policy with Types: Ingress. It allows inbound TCP from goldmane and inbound UDP/53, but does not define any egress.
Meanwhile, the enterprise path in guardianCalicoSystemPolicy() does call networkpolicy.AppendDNSEgressRules(egressRules, cfg.OpenShift), so this issue seems specific to the OSS code path.
The calico-system.default-deny policy applies to all pods where k8s-app != 'calico-apiserver' and covers both Ingress and Egress types with no rules, so any pod without an explicit egress allow gets blocked.
For comparison, calico-system.kube-controller-access and calico-system.apiserver-access both include explicit egress rules allowing UDP/53 to CoreDNS, and those components work fine.
Expected behavior
Both guardian and goldmane should be able to reach CoreDNS for DNS resolution, similar to how calico-kube-controllers and calico-apiserver have egress DNS rules in their respective policies.
Not adding those missing network policies just pollutes whisker denied flow logs.
Environment
- Calico OSS variant (non-enterprise)
- AKS (Azure Kubernetes Service)
- Tigera operator helm chart v3.32.0
Description
On an AKS cluster running the OSS Calico variant with tiered network policies, the
guardianandgoldmanepods incalico-systemare unable to resolve DNS. Their egress UDP/53 traffic to CoreDNS inkube-systemis being denied.Observed behavior
Whisker flow logs show denied flows:
The blocking policy is implicit
calico-system.default-deny.Analysis
Looking at the operator render code:
pkg/render/goldmane/component.go— thenetworkPolicy()method only creates a policy withTypes: Ingress. There are no egress rules at all for goldmane.pkg/render/guardian.go— theossNetworkPolicy()function also only creates a policy withTypes: Ingress. It allows inbound TCP from goldmane and inbound UDP/53, but does not define any egress.Meanwhile, the enterprise path in
guardianCalicoSystemPolicy()does callnetworkpolicy.AppendDNSEgressRules(egressRules, cfg.OpenShift), so this issue seems specific to the OSS code path.The
calico-system.default-denypolicy applies to all pods wherek8s-app != 'calico-apiserver'and covers both Ingress and Egress types with no rules, so any pod without an explicit egress allow gets blocked.For comparison,
calico-system.kube-controller-accessandcalico-system.apiserver-accessboth include explicit egress rules allowing UDP/53 to CoreDNS, and those components work fine.Expected behavior
Both
guardianandgoldmaneshould be able to reach CoreDNS for DNS resolution, similar to howcalico-kube-controllersandcalico-apiserverhave egress DNS rules in their respective policies.Not adding those missing network policies just pollutes whisker denied flow logs.
Environment