From a78fe3ea1e320bcff51fc100ec234e6f167d3ef7 Mon Sep 17 00:00:00 2001
From: Axel Siebenborn <axel.siebenborn@sap.com>
Date: Tue, 7 Feb 2023 14:45:02 +0100
Subject: [PATCH] Fix network policy for exposure classes. (#7459)

NetworkPolicy `allow-to-dns` was missing for istio-igressgateways of
exposure classes.
---
 pkg/gardenlet/controller/networkpolicy/reconciler.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/gardenlet/controller/networkpolicy/reconciler.go b/pkg/gardenlet/controller/networkpolicy/reconciler.go
index 49ac1266c87..c7a19447c63 100644
--- a/pkg/gardenlet/controller/networkpolicy/reconciler.go
+++ b/pkg/gardenlet/controller/networkpolicy/reconciler.go
@@ -207,6 +207,7 @@ func (r *Reconciler) networkPolicyConfigs() []networkPolicyConfig {
 				labels.SelectorFromSet(labels.Set{v1beta1constants.GardenRole: v1beta1constants.GardenRoleShoot}),
 				labels.SelectorFromSet(labels.Set{v1beta1constants.GardenRole: v1beta1constants.GardenRoleIstioSystem}),
 				labels.SelectorFromSet(labels.Set{v1beta1constants.GardenRole: v1beta1constants.GardenRoleIstioIngress}),
+				labels.SelectorFromSet(labels.Set{v1beta1constants.GardenRole: v1beta1constants.GardenRoleExposureClassHandler}),
 			},
 		},
 	}