
Commit 60fd872

committed
Fix DRA NetworkPolicy: allow API server and DNS egress
The DRA NetworkPolicy declares both Ingress and Egress policy types but has no egress rules, which blocks all outbound traffic from the DRA kubelet plugin pod. This prevents the plugin from reaching the API server to create/update ResourceSlices. Allow egress on TCP 443 (API server) and TCP/UDP 53 (DNS). Signed-off-by: Anthony Byrne <abyrne@redhat.com>
1 parent 1f029e1 commit 60fd872

2 files changed

Lines changed: 27 additions & 1 deletion


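--- a/internal/networkpolicy/networkpolicy.go
+++ b/internal/networkpolicy/networkpolicy.go
@@ -5,10 +5,13 @@ import (
 "fmt"
 
 "github.com/rh-ecosystem-edge/kernel-module-management/internal/pod"
+v1 "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/util/intstr"
+"k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 "sigs.k8s.io/controller-runtime/pkg/log"
@@ -201,6 +204,19 @@ func (np *networkPolicy) DRANetworkPolicy(namespace string) *networkingv1.Networ
 "app.kubernetes.io/component": "dra",
 },
 },
+Egress: []networkingv1.NetworkPolicyEgressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{Protocol: ptr.To(v1.ProtocolTCP), Port: ptr.To(intstr.FromInt32(443))},
+},
+},
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{Protocol: ptr.To(v1.ProtocolTCP), Port: ptr.To(intstr.FromInt32(53))},
+{Protocol: ptr.To(v1.ProtocolUDP), Port: ptr.To(intstr.FromInt32(53))},
+},
+},
+},
 PolicyTypes: []networkingv1.PolicyType{
 networkingv1.PolicyTypeIngress,
 networkingv1.PolicyTypeEgress,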
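Review bot: The two egress rules added in the `DRANetworkPolicy` hunk carry `Ports` but no `To` peer, so they permit the plugin pod to reach any destination on TCP 443 and TCP/UDP 53, not only the API server and cluster DNS that the commit message names. If that breadth is intended, say so above `Egress:` with a comment such as `// No To peer: egress is allowed to any destination on these ports, since the API server address is not stable enough to pin; DNS could still be scoped to the cluster DNS pods.`; otherwise scope at least the DNS rule with a `To` holding a `NamespaceSelector`/`PodSelector` for the cluster DNS deployment. The API-server port is also hard-coded to 443; on clusters where the `kubernetes` Service fronts a kube-apiserver listening on 6443 and the CNI evaluates egress policy after service DNAT, this rule may not match, which is worth confirming on the target platform and recording as an assumption in the same comment. `DRANetworkPolicy` begins and ends outside this hunk.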

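--- a/internal/networkpolicy/networkpolicy_test.go
+++ b/internal/networkpolicy/networkpolicy_test.go
@@ -10,10 +10,13 @@ import (
 "github.com/rh-ecosystem-edge/kernel-module-management/internal/client"
 "github.com/rh-ecosystem-edge/kernel-module-management/internal/pod"
 "go.uber.org/mock/gomock"
+v1 "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
+"k8s.io/apimachinery/pkg/util/intstr"
+"k8s.io/utils/ptr"
 ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -268,7 +271,14 @@ var _ = Describe("NetworkPolicy", func() {
 ))
 
 Expect(result.Spec.Ingress).To(BeEmpty())
-Expect(result.Spec.Egress).To(BeEmpty())
+Expect(result.Spec.Egress).To(HaveLen(2))
+Expect(result.Spec.Egress[0].Ports).To(ConsistOf(
+networkingv1.NetworkPolicyPort{Protocol: ptr.To(v1.ProtocolTCP), Port: ptr.To(intstr.FromInt32(443))},
+))
+Expect(result.Spec.Egress[1].Ports).To(ConsistOf(
+networkingv1.NetworkPolicyPort{Protocol: ptr.To(v1.ProtocolTCP), Port: ptr.To(intstr.FromInt32(53))},
+networkingv1.NetworkPolicyPort{Protocol: ptr.To(v1.ProtocolUDP), Port: ptr.To(intstr.FromInt32(53))},
+))
 })
 
 It("should use default namespace when empty namespace is provided", func() {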
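Review bot: The new assertions in the `Describe("NetworkPolicy")` hunk check only `Ports` on each egress rule and never inspect `To`, so a later change that adds or drops a peer selector — widening or narrowing which destinations the DRA pod may reach — would pass this test unnoticed. Pin the destination side explicitly, e.g. `Expect(result.Spec.Egress[0].To).To(BeEmpty())` and `Expect(result.Spec.Egress[1].To).To(BeEmpty())` if unrestricted destinations are the intent, or the expected selectors if they are not. The enclosing `It` block begins before this hunk.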

