This `dns-network-policy-operator` manages Kubernetes network policies with DNS-based egress rules support.

The operator uses our operatorkit framework. It manages a `dnsnetworkpolicy` CRD using a generated client stored in our apiextensions repo.
A basic DNS network policy may look like:

```yaml
apiVersion: example.giantswarm.io/v1alpha1
kind: DNSNetworkPolicy
metadata:
  name: example
  namespace: default
spec:
  targetNetworkPolicy: example
  domains:
    - example.com
    - google.com
    - kubernetes-headless.kube-system
```
There are only two configurable fields in the CR:

- `domains` - the list of domains allowed for egress traffic
- `targetNetworkPolicy` - the base policy, used to generate the new effective policy with the IPs of the resolved domains
`dns-network-policy-operator` reconciles the `dnsnetworkpolicy` CR:

- If a network policy named `targetNetworkPolicy` is found in the CR namespace, it is duplicated into a new network policy named `<target network policy name>-active`.
- All the domains from the CR are resolved into IP addresses. Failing resolves are ignored.
- The newly created effective network policy is updated with the list of resolved IP addresses.
- `targetNetworkPolicy` is suppressed by adding a random label to the pod selector of the policy.
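The reconcile steps above as an added Python illustration; this is not the operator's own code (which is Go on operatorkit). It assumes NetworkPolicy objects are plain dicts shaped like their YAML, takes an injectable resolver so the sample runs offline, and the suppression label key, the `-active` handling of an empty resolve result and the sample addresses are assumptions.

```python
# Added illustration, not the operator's own code: the reconcile steps modelled over dicts shaped like the YAML.
import copy, ipaddress, secrets, socket
from typing import Callable, Dict, List, Tuple
Resolver = Callable[[str], List[str]]  # domain -> IP strings; raises OSError when resolution fails

def live_resolver(domain: str) -> List[str]:
    # Resolves from the operator's own vantage point, so cluster-local names
    # such as kubernetes-headless.kube-system need the cluster DNS.
    return socket.gethostbyname_ex(domain)[2]

def resolve_domains(domains: List[str], resolver: Resolver) -> List[str]:
    cidrs: List[str] = []
    for domain in domains:
        try:
            addrs = resolver(domain)
        except OSError:
            continue  # failing resolves are ignored: that domain is simply absent this round
        for ip in map(ipaddress.ip_address, addrs):
            cidr = f"{ip}/{ip.max_prefixlen}"  # /32 or /128, one host per ipBlock
            if cidr not in cidrs:
                cidrs.append(cidr)
    return cidrs

def reconcile(cr: dict, target: dict, resolver: Resolver = live_resolver) -> Tuple[dict, dict]:
    """Return (effective '<target>-active' policy, suppressed target policy)."""
    want = (cr["spec"]["targetNetworkPolicy"], cr["metadata"]["namespace"])
    if (target["metadata"]["name"], target["metadata"]["namespace"]) != want:
        raise LookupError("targetNetworkPolicy not found in the CR namespace")
    active = copy.deepcopy(target)
    active["metadata"]["name"] = f"{target['metadata']['name']}-active"
    cidrs = resolve_domains(cr["spec"]["domains"], resolver)
    if cidrs:  # a rule whose 'to' list is empty would allow egress to ALL destinations
        active["spec"].setdefault("egress", []).append({"to": [{"ipBlock": {"cidr": c}} for c in cidrs]})
    suppressed = copy.deepcopy(target)
    match = suppressed["spec"].setdefault("podSelector", {}).setdefault("matchLabels", {})
    match["dnsnetworkpolicy-suppressed"] = secrets.token_hex(8)  # hypothetical key; random value selects no pod
    return active, suppressed

# Constructed sample input: a CR, its target policy and an offline resolver table.
SAMPLE_CR = {"metadata": {"name": "example", "namespace": "default"}, "spec": {"targetNetworkPolicy": "example",
             "domains": ["example.com", "does-not-resolve.invalid", "kubernetes-headless.kube-system"]}}
SAMPLE_TARGET = {"metadata": {"name": "example", "namespace": "default"},
                 "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Egress"],
                          "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]}}
FAKE_DNS: Dict[str, List[str]] = {"example.com": ["203.0.113.10", "203.0.113.10", "2001:db8::10"],
                                  "kubernetes-headless.kube-system": ["10.96.0.10"]}
def constructed_resolver(domain: str) -> List[str]:
    if domain not in FAKE_DNS:
        raise OSError(f"constructed NXDOMAIN for {domain}")
    return FAKE_DNS[domain]
```

Because failing resolves are dropped silently, the guard on an empty result matters: a Kubernetes egress rule with an empty `to` list matches all destinations, the opposite of what the CR intends.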
You can find more samples in samples.