From 4c271724dcb8428c970c79bdc9a613aa65478b2d Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Wed, 15 Nov 2023 10:17:46 +0000 Subject: [PATCH] Allow TCP DNS queries to kube-dns in the default deny policy In https://github.com/cert-manager/website/pull/1344#discussion_r1393908103 we're discussing whether the default Calico deny policy should also allow TCP DNS queries. Is there a reason to block them? --- .../network-policy/get-started/kubernetes-default-deny.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/calico/network-policy/get-started/kubernetes-default-deny.mdx b/calico/network-policy/get-started/kubernetes-default-deny.mdx index fb497b96db..12eabf7100 100644 --- a/calico/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico/network-policy/get-started/kubernetes-default-deny.mdx @@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane.
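Review bot: The added TCP rule in the hunk is the right call, and the surrounding prose should say why, since the text after the code block only explains the namespace exclusions and not the DNS rules. Standard DNS resolvers retry a query over TCP when the UDP response comes back truncated (the TC bit), and kube-dns/CoreDNS serves port 53 on both protocols, so a default-deny policy that allows only UDP to kube-dns will make any lookup with a large answer fail in a way that is hard to diagnose. Consider adding one sentence immediately after the closing fence along the lines of "Both UDP and TCP are allowed to kube-dns on port 53 because DNS clients fall back to TCP for responses that do not fit in a UDP datagram." It is also worth noting that the new rule keeps the same `destination.selector: 'k8s-app == "kube-dns"'` and `ports: - 53` as the UDP rule, so it widens egress only to the DNS service and not to arbitrary TCP destinations; that scoping is what keeps the default-deny posture intact and is a reasonable answer to the "is there a reason to block them?" question in the commit message.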