// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package common
import (
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
)
// AllowKubeDnsEgressRule returns a NetworkPolicy egress rule that permits DNS
// traffic (port 53 over both TCP and UDP) to the in-cluster DNS service pods.
//
// Destination pods are matched by the "k8s-app" label, with one peer for
// "kube-dns" and one for "coredns". Each peer also carries an empty, non-nil
// NamespaceSelector, which selects every namespace: any pod bearing one of
// these labels, in any namespace, is an allowed destination on port 53.
//
// NOTE(review): the rule trusts the pod label rather than a specific DNS
// namespace. Where the DNS namespace of the target cluster is known, a
// narrower namespace selector would be the least-privilege choice; confirm
// against the supported cluster distributions before tightening.
func AllowKubeDnsEgressRule() v1.NetworkPolicyEgressRule {
	const dnsPort = 53

	protoTCP, protoUDP := corev1.ProtocolTCP, corev1.ProtocolUDP

	// One port entry per transport protocol. Only IntVal is set on the
	// IntOrString; the remaining fields stay at their zero values.
	ports := make([]v1.NetworkPolicyPort, 0, 2)
	for _, proto := range []*corev1.Protocol{&protoTCP, &protoUDP} {
		ports = append(ports, v1.NetworkPolicyPort{
			Protocol: proto,
			Port:     &intstr.IntOrString{IntVal: dnsPort},
		})
	}

	// Enable access to the DNS service in the cluster: kube-dns or coredns.
	peers := make([]v1.NetworkPolicyPeer, 0, 2)
	for _, app := range []string{"kube-dns", "coredns"} {
		peers = append(peers, v1.NetworkPolicyPeer{
			PodSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{"k8s-app": app},
			},
			// Empty selector (not nil): matches all namespaces.
			NamespaceSelector: &metav1.LabelSelector{},
		})
	}

	return v1.NetworkPolicyEgressRule{
		Ports: ports,
		To:    peers,
	}
}