fix: explicitly allow egress to coredns & nodelocal cache

d3adb5 · d3adb5 · commit fbfde92a8e3a · 2025-10-13T11:07:14.000-07:00
Explicitly allow egress traffic to CoreDNS and NodeLocal DNS Cache.
diff --git a/argo/app-of-apps/templates/argocd/application.yaml b/argo/app-of-apps/templates/argocd/application.yaml
@@ -45,9 +45,31 @@ spec:
           enabled: true
           networkPolicy:
             enabled: true
+            egressRules:
+              - selectors:
+                  - ipBlock:
+                      cidr: 10.96.0.10/32
+                  - ipBlock:
+                      cidr: 169.254.169.254/32
+                ports:
+                  - port: 53
+                    protocol: UDP
+                  - port: 53
+                    protocol: TCP
           haproxy:
             networkPolicy:
               enabled: true
+              egressRules:
+                - selectors:
+                    - ipBlock:
+                        cidr: 10.96.0.10/32
+                    - ipBlock:
+                        cidr: 169.254.169.254/32
+                  ports:
+                    - port: 53
+                      protocol: UDP
+                    - port: 53
+                      protocol: TCP
 
         server:
           autoscaling:
diff --git a/argo/network-policies/templates/deny-all.yaml b/argo/network-policies/templates/deny-all.yaml
@@ -13,9 +13,10 @@ spec:
   ingress: []
   egress:
     - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
+        - ipBlock:
+            cidr: 10.96.0.10/32
+        - ipBlock:
+            cidr: 169.254.169.254/32
       ports:
         - port: 53
           protocol: UDP
