From fb3a8f87c2c28be2b862c23bbadcaf4c8bcef26e Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Thu, 20 Jun 2024 16:38:53 +0800
Subject: [PATCH] fix(cilium): dns netpols
---
 .../netpols/cluster-default-kube-dns.yaml | 65 ++++++++----------
 1 file changed, 26 insertions(+), 39 deletions(-)
diff --git a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml
index 8260d57b..79f7a91c 100644
--- a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml
+++ b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml
@@ -20,50 +20,17 @@ spec:
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: "cluster-default-kube-dns-ingress-old"
-spec:
-  description: "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster (1.13.4)"
-  endpointSelector:
-    matchLabels:
-      k8s:io.kubernetes.pod.namespace: kube-system
-      k8s-app: kube-dns
-  ingress:
-    - fromEndpoints:
-        - {}
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: "ANY"
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: "cluster-default-kube-dns-egress"
+  name: "cluster-default-kube-dns-egress-l7"
 spec:
   description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
-  endpointSelector: {}
+  endpointSelector:
+    matchExpressions:
+      - {key: dns.home.arpa/l7, operator: NotIn, values: ["false"]}
   egress:
     - toEndpoints:
         - matchLabels:
             "k8s:io.kubernetes.pod.namespace": kube-system
             "k8s:k8s-app": kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: "ANY"
-          rules:
-            dns:
-              - matchPattern: "*"
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: "cluster-default-kube-dns-egress-old"
-spec:
-  description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster (1.13.4)"
-  endpointSelector: {}
-  egress:
-    - toEndpoints:
         - matchLabels:
             io.kubernetes.pod.namespace: kube-system
             k8s-app: kube-dns
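Review bot: The description on the renamed `cluster-default-kube-dns-egress-l7` policy still says "from all Cilium managed endpoints", but the new `endpointSelector` excludes endpoints labelled `dns.home.arpa/l7=false`; the same stale wording is repeated on the new `cluster-default-kube-dns-egress` policy in the next hunk, which selects only those opted-out endpoints. Suggested wording here is `description: "Egress allow to kube-dns with L7 DNS visibility for endpoints not labelled dns.home.arpa/l7=false"` and there `description: "Egress allow to kube-dns without L7 DNS rules for endpoints labelled dns.home.arpa/l7=false"`. Since `NotIn ["false"]` also matches endpoints that carry no such label at all, the L7 DNS path is the default; a comment above `matchExpressions` should say so, e.g. `# unlabelled endpoints take the L7 DNS path; set dns.home.arpa/l7=false to opt out`. Removing `cluster-default-kube-dns-ingress-old` also drops an ingress allow to kube-dns on port 53; the start of the file is outside this hunk, so confirm that another ingress allow for kube-dns remains if a default-deny ingress policy applies to kube-system.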
@@ -74,5 +41,25 @@ spec:
           rules:
             dns:
               - matchPattern: "*"
-              - {}
-
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "cluster-default-kube-dns-egress"
+spec:
+  description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
+  endpointSelector:
+    matchExpressions:
+      - {key: dns.home.arpa/l7, operator: In, values: ["false"]}
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": kube-system
+            "k8s:k8s-app": kube-dns
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: "ANY"
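Review bot: Endpoints selected by this policy (`dns.home.arpa/l7 In ["false"]`) reach kube-dns on port 53 with no `rules.dns` entry, so their DNS traffic bypasses Cilium's DNS proxy; as far as I recall, `toFQDNs` enforcement depends on the proxy observing DNS responses, so FQDN-based egress rules would silently stop matching for any workload that carries this opt-out label. That constraint should be recorded next to the selector, e.g. `# opts out of the DNS proxy: toFQDNs rules cannot be enforced for these endpoints`. The two `matchLabels` entries under `toEndpoints` differ only in the `k8s:` prefix; if the unprefixed form already matches k8s-sourced labels on the Cilium version in use, one of them is redundant, and otherwise a short comment should explain why both variants are kept (the removed `-old` policies hint at a version-compatibility reason).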