fqdn-policy manages Kubernetes Network Policies with fully qualified domain names (FQDNs).
FQDNs are provided through the custom resource definition (CRD) `FQDNNetworkPolicy`:

```yaml
apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
  name: example
  namespace: example
spec:
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - fqdns:
      - example.com
  podSelector:
    matchLabels:
      role: example
  policyTypes:
  - Egress
```

The fqdn-policy controller in turn creates (and owns) a corresponding `NetworkPolicy`
with the domains now resolved to IP addresses:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example
  namespace: example
spec:
  egress:
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: x.x.x.x/32
  podSelector:
    matchLabels:
      role: example
  policyTypes:
  - Egress
```
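The translation above is small enough to show end to end. The following Go program is an added example written for this README, not the controller's own code: it resolves each FQDN through an injected resolver (here a constructed in-memory table using documentation addresses, so it runs offline), de-duplicates the results into host-only `ipBlock` CIDRs (`/32` for IPv4, `/128` for IPv6), and drops the `Egress` policy type when nothing resolved, which is the behaviour the improvements list below describes. The `Resolver`, `EgressRule` and `Policy` types are this example's own simplifications, not the project's API.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Resolver is the lookup the rule builder depends on. The real controller
// queries every kube-dns pod; this example injects a constructed map instead.
type Resolver func(fqdn string) []net.IP

// EgressRule is a simplified stand-in for one NetworkPolicy egress rule:
// one ipBlock CIDR per resolved address, all on the same port.
type EgressRule struct {
	Port  int
	CIDRs []string
}

// Policy is a simplified stand-in for the generated NetworkPolicy spec.
type Policy struct {
	PolicyTypes []string
	Egress      []EgressRule
}

// cidrFor turns one address into a host-only CIDR (/32 for IPv4, /128 for IPv6).
func cidrFor(ip net.IP) string {
	if v4 := ip.To4(); v4 != nil {
		return v4.String() + "/32"
	}
	return ip.String() + "/128"
}

// BuildEgress resolves every FQDN, de-duplicates the addresses and returns a
// sorted list of host CIDRs. Two hostnames sharing an address yield one CIDR,
// which is exactly why allowing one of them allows the other.
func BuildEgress(resolve Resolver, port int, fqdns []string) EgressRule {
	seen := map[string]struct{}{}
	for _, name := range fqdns {
		for _, ip := range resolve(name) {
			seen[cidrFor(ip)] = struct{}{}
		}
	}
	cidrs := make([]string, 0, len(seen))
	for c := range seen {
		cidrs = append(cidrs, c)
	}
	sort.Strings(cidrs)
	return EgressRule{Port: port, CIDRs: cidrs}
}

// BuildPolicy assembles the policy body. If no FQDN resolved to any address,
// the Egress policy type is dropped: an Egress policy with no allowed peers
// would otherwise deny all egress from the selected pods.
func BuildPolicy(resolve Resolver, port int, fqdns []string) Policy {
	rule := BuildEgress(resolve, port, fqdns)
	if len(rule.CIDRs) == 0 {
		return Policy{} // no policyTypes: this policy no longer restricts egress at all
	}
	return Policy{PolicyTypes: []string{"Egress"}, Egress: []EgressRule{rule}}
}

// constructedResolver is sample data for this example (RFC 5737 / RFC 3849
// documentation addresses), not real DNS answers.
var constructedResolver Resolver = func(fqdn string) []net.IP {
	table := map[string][]string{
		"example.com":     {"192.0.2.10", "2001:db8::10"},
		"www.example.com": {"192.0.2.10"}, // shares the IPv4 address of example.com
	}
	var ips []net.IP
	for _, s := range table[fqdn] {
		ips = append(ips, net.ParseIP(s))
	}
	return ips
}

func main() {
	p := BuildPolicy(constructedResolver, 443, []string{"example.com", "www.example.com"})
	fmt.Printf("policyTypes=%v egress=%+v\n", p.PolicyTypes, p.Egress)
	empty := BuildPolicy(constructedResolver, 443, []string{"nonexistent.invalid"})
	fmt.Printf("policyTypes=%v egress=%+v\n", empty.PolicyTypes, empty.Egress)
}
```

The second call in `main` shows the fail-open edge: with nothing resolved, the returned policy carries no `policyTypes`, so unless another `NetworkPolicy` (for example a namespace default-deny) selects the same pods, their egress is unrestricted rather than blocked.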
This project is a fork of the now-archived GoogleCloudPlatform/gke-fqdnnetworkpolicies-golang project.
Differences and improvements from the original project include:

- The controller queries all `kube-dns` pods in the cluster for DNS resolution, rather than just the first server found in `/etc/resolv.conf`. This results in more accurate and stable policies, as individual `kube-dns` pods may return different results.
- DNS resolution is cached in the controller, preventing excessive queries for `FQDNNetworkPolicy` resources with common domains.
- Resolved DNS records are cached for an additional 5 minutes after the TTL expires, for stability.
- Custom annotations are removed in favor of Kubernetes-native mechanisms:
  - The `fqdnnetworkpolicies.networking.gke.io/owned-by` annotation is replaced with owner references. An existing `NetworkPolicy` with the same name is always adopted, unless it is owned by another controller. You can confirm adoption by inspecting `metadata.ownerReferences` on the `NetworkPolicy`.
  - The `fqdnnetworkpolicies.networking.gke.io/delete-policy` annotation is removed. To keep the `NetworkPolicy` when deleting an `FQDNNetworkPolicy`, use `kubectl delete fqdnnetworkpolicy <name> --cascade=orphan`.
- If no rules resolve for the resulting `NetworkPolicy`, the controller removes the corresponding `policyType`. This prevents the `NetworkPolicy` from inadvertently blocking all traffic. Note that this fails open: once `Egress` is removed from `policyTypes`, this `NetworkPolicy` no longer restricts egress at all, so pods that must not reach arbitrary destinations should also be covered by a default-deny `NetworkPolicy`.
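The caching behaviour in the two bullets above (cache resolutions; keep records for 5 more minutes after the TTL expires) can be illustrated with a small TTL cache. This is an added example written for this README, not the controller's implementation: the 5-minute grace period is taken from the text, while the `Cache` type, its injectable clock, and the interpretation that stale-but-in-grace records are served when a re-query fails are this example's own assumptions. The DNS lookup in `main` is a constructed stand-in that succeeds once and then fails.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// GracePeriod is how long a record is kept after its DNS TTL has expired.
// The README states 5 minutes; this example adopts that value.
const GracePeriod = 5 * time.Minute

type record struct {
	addrs   []string
	expires time.Time // end of the DNS TTL
}

// Cache is a minimal TTL cache with a grace period. The clock is injectable
// so expiry can be exercised without waiting.
type Cache struct {
	mu      sync.Mutex
	now     func() time.Time
	records map[string]record
}

func NewCache(now func() time.Time) *Cache {
	return &Cache{now: now, records: map[string]record{}}
}

// Put stores the addresses resolved for fqdn together with the answer's TTL.
func (c *Cache) Put(fqdn string, addrs []string, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.records[fqdn] = record{addrs: append([]string(nil), addrs...), expires: c.now().Add(ttl)}
}

// Get returns cached addresses for fqdn.
//   - fresh && ok:  TTL not expired; no re-query needed.
//   - !fresh && ok: TTL expired less than GracePeriod ago; re-resolve, but the
//     addresses are still usable so the generated policy does not flap.
//   - !ok:          nothing usable (never stored, or past the grace period).
func (c *Cache) Get(fqdn string) (addrs []string, fresh bool, ok bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	r, found := c.records[fqdn]
	if !found {
		return nil, false, false
	}
	now := c.now()
	switch {
	case now.Before(r.expires):
		return r.addrs, true, true
	case now.Before(r.expires.Add(GracePeriod)):
		return r.addrs, false, true
	default:
		delete(c.records, fqdn)
		return nil, false, false
	}
}

// Resolve serves from cache while fresh, otherwise calls lookup. If lookup
// fails inside the grace period the last good answer is returned instead of
// emptying the policy; past the grace period the error propagates.
func (c *Cache) Resolve(fqdn string, lookup func(string) ([]string, time.Duration, error)) ([]string, error) {
	if addrs, fresh, ok := c.Get(fqdn); ok && fresh {
		return addrs, nil
	}
	addrs, ttl, err := lookup(fqdn)
	if err != nil {
		if stale, _, ok := c.Get(fqdn); ok {
			return stale, nil
		}
		return nil, err
	}
	c.Put(fqdn, addrs, ttl)
	return addrs, nil
}

func main() {
	clock := time.Unix(1_700_000_000, 0)
	c := NewCache(func() time.Time { return clock })
	calls := 0
	lookup := func(string) ([]string, time.Duration, error) { // constructed DNS stand-in
		calls++
		if calls == 1 {
			return []string{"192.0.2.10"}, 30 * time.Second, nil
		}
		return nil, 0, errors.New("constructed: DNS unreachable")
	}
	for _, step := range []time.Duration{0, time.Minute, 10 * time.Minute} {
		clock = clock.Add(step)
		addrs, err := c.Resolve("example.com", lookup)
		fmt.Printf("+%v: addrs=%v err=%v lookups=%d\n", step, addrs, err, calls)
	}
}
```

The three iterations in `main` walk through the states: a fresh answer is cached, one minute later the TTL has expired but the failed re-query is covered by the grace period, and ten minutes after that the record is gone and the failure surfaces.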
There are a few functional limitations to `FQDNNetworkPolicies`:

- Only hostnames are supported. In particular, you can't configure an `FQDNNetworkPolicy` with:
  - IP addresses or CIDR blocks. Use `NetworkPolicies` directly for that.
  - wildcard hostnames like `*.example.com`.
- Only A, AAAA, and CNAME records are supported.
- Records defined in the `/etc/hosts` file are not supported. Those records are probably static, so we recommend you use a normal `NetworkPolicy` for them.
- When using an IDN, use the punycode equivalent, as the locale used inside the controller might not be compatible with your locale.
- Because a `NetworkPolicy` matches on IP addresses, an `FQDNNetworkPolicy` that allows one host also allows every other host that resolves to the same IP address (for example, other sites behind the same CDN or shared load balancer).

Other approaches to FQDN-based egress control:

- Some service meshes such as Istio (via egress gateways) support proxy-based solutions for restricting traffic based on FQDNs. These use the TLS SNI instead of DNS resolution to determine the destination, which only applies to TLS traffic such as HTTPS.
- Some CNI plugins such as Cilium (via `CiliumNetworkPolicy`) can intercept DNS traffic and enforce policies based on DNS names.
- There is an active proposal in the Kubernetes NetworkPolicy API project (part of SIG-Network), NPEP-133, to support FQDN selectors for egress traffic.
To install the controller with Helm from the chart in this repository:

```shell
helm install fqdn-policy ./charts
```

For available Makefile targets, run:

```shell
make help
```
Related projects:

- GoogleCloudPlatform/gke-fqdnnetworkpolicies-golang - the original project this is a fork of
- delta10/fqdnnetworkpolicies - a fork of this project with similar improvements (some of which we've incorporated here)