diff --git a/pkg/render/common/networkpolicy/k8snetworkpolicy.go b/pkg/render/common/networkpolicy/k8snetworkpolicy.go index 33b1978ac5..251bf6374a 100644 --- a/pkg/render/common/networkpolicy/k8snetworkpolicy.go +++ b/pkg/render/common/networkpolicy/k8snetworkpolicy.go @@ -54,8 +54,13 @@ func K8sDNSEgressRules(openShift bool) []netv1.NetworkPolicyEgressRule { To: []netv1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k8s-app": "kube-dns", + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "k8s-app", + Operator: metav1.LabelSelectorOpIn, + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for codedns. + Values: []string{"kube-dns", "coredns"}, + }, }, }, NamespaceSelector: &metav1.LabelSelector{ diff --git a/pkg/render/common/networkpolicy/networkpolicy.go b/pkg/render/common/networkpolicy/networkpolicy.go index 7d89a870e3..c717b2d717 100644 --- a/pkg/render/common/networkpolicy/networkpolicy.go +++ b/pkg/render/common/networkpolicy/networkpolicy.go @@ -70,8 +70,9 @@ func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule { Protocol: &UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", - Ports: Ports(53), + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for codedns. + Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", + Ports: Ports(53), }, }) } @@ -138,16 +139,29 @@ func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) }, }...) } else { - egressRules = append(egressRules, v3.Rule{ - Action: v3.Allow, - Protocol: &UDPProtocol, - Destination: v3.EntityRule{ - Services: &v3.ServiceMatch{ - Namespace: "kube-system", - Name: "kube-dns", + // In most Kubernetes distros, the DNS service is kube-dns, but in Canonical it is coredns. + egressRules = append(egressRules, []v3.Rule{ + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "kube-dns", + }, }, }, - }) + { + Action: v3.Allow, + Protocol: &UDPProtocol, + Destination: v3.EntityRule{ + Services: &v3.ServiceMatch{ + Namespace: "kube-system", + Name: "coredns", + }, + }, + }, + }...) } return egressRules diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index f19969b888..8e23c70026 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -734,7 +734,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() { Protocol: &networkpolicy.UDPProtocol, Destination: v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'kube-system'", - Selector: "k8s-app == 'kube-dns'", + Selector: "k8s-app == 'kube-dns' || k8s-app == 'coredns'", Ports: networkpolicy.Ports(53), }, }, diff --git a/pkg/render/testutils/expected_policies/alertmanager-mesh.json b/pkg/render/testutils/expected_policies/alertmanager-mesh.json index b6518f0f3b..c6541f262c 100644 --- a/pkg/render/testutils/expected_policies/alertmanager-mesh.json +++ b/pkg/render/testutils/expected_policies/alertmanager-mesh.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/alertmanager.json b/pkg/render/testutils/expected_policies/alertmanager.json index 7fb5bee519..c4e1e910a2 100644 --- a/pkg/render/testutils/expected_policies/alertmanager.json +++ b/pkg/render/testutils/expected_policies/alertmanager.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/apiserver.json b/pkg/render/testutils/expected_policies/apiserver.json index 1615c239b3..f48716f5c0 100644 --- a/pkg/render/testutils/expected_policies/apiserver.json +++ b/pkg/render/testutils/expected_policies/apiserver.json @@ -55,7 +55,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance-server.json b/pkg/render/testutils/expected_policies/compliance-server.json index f824edac11..b8e5f49f15 100644 --- a/pkg/render/testutils/expected_policies/compliance-server.json +++ b/pkg/render/testutils/expected_policies/compliance-server.json @@ -57,7 +57,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_managed.json b/pkg/render/testutils/expected_policies/compliance_managed.json index 8deb3ae3b3..157654eb27 100644 --- a/pkg/render/testutils/expected_policies/compliance_managed.json +++ b/pkg/render/testutils/expected_policies/compliance_managed.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/compliance_unmanaged.json b/pkg/render/testutils/expected_policies/compliance_unmanaged.json index 57b64fdcdc..92f2342e60 100644 --- a/pkg/render/testutils/expected_policies/compliance_unmanaged.json +++ b/pkg/render/testutils/expected_policies/compliance_unmanaged.json @@ -28,7 +28,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dashboards.json b/pkg/render/testutils/expected_policies/dashboards.json index 54871fed11..6efc228e9c 100644 --- a/pkg/render/testutils/expected_policies/dashboards.json +++ b/pkg/render/testutils/expected_policies/dashboards.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dex.json b/pkg/render/testutils/expected_policies/dex.json index ca007db949..5b12ee77ce 100644 --- a/pkg/render/testutils/expected_policies/dex.json +++ b/pkg/render/testutils/expected_policies/dex.json @@ -99,7 +99,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/dns.json b/pkg/render/testutils/expected_policies/dns.json index 1d551b833d..9c71427508 100644 --- a/pkg/render/testutils/expected_policies/dns.json +++ b/pkg/render/testutils/expected_policies/dns.json @@ -30,7 +30,7 @@ "destination": {} } ], - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "types": [ "Ingress", "Egress" diff --git a/pkg/render/testutils/expected_policies/dpi_managed.json b/pkg/render/testutils/expected_policies/dpi_managed.json index 366f069447..be314ecb08 100644 --- a/pkg/render/testutils/expected_policies/dpi_managed.json +++ b/pkg/render/testutils/expected_policies/dpi_managed.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/dpi_unmanaged.json b/pkg/render/testutils/expected_policies/dpi_unmanaged.json index 442bb108e7..0ecd30419b 100644 --- a/pkg/render/testutils/expected_policies/dpi_unmanaged.json +++ b/pkg/render/testutils/expected_policies/dpi_unmanaged.json @@ -33,6 +33,16 @@ } } }, + { + "action": "Allow", + "protocol": "UDP", + "destination": { + "services": { + "namespace": "kube-system", + "name": "coredns" + } + } + }, { "action": "Allow", "protocol": "TCP", diff --git a/pkg/render/testutils/expected_policies/elastic-operator.json b/pkg/render/testutils/expected_policies/elastic-operator.json index 37d9a538ec..24dec7d339 100644 --- a/pkg/render/testutils/expected_policies/elastic-operator.json +++ b/pkg/render/testutils/expected_policies/elastic-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/elasticsearch.json b/pkg/render/testutils/expected_policies/elasticsearch.json index 7093122468..44362a57a0 100644 --- a/pkg/render/testutils/expected_policies/elasticsearch.json +++ b/pkg/render/testutils/expected_policies/elasticsearch.json @@ -83,7 +83,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-gateway.json b/pkg/render/testutils/expected_policies/es-gateway.json index 41dc9813e6..504402bdad 100644 --- a/pkg/render/testutils/expected_policies/es-gateway.json +++ b/pkg/render/testutils/expected_policies/es-gateway.json @@ -121,7 +121,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-kubecontrollers.json b/pkg/render/testutils/expected_policies/es-kubecontrollers.json index 63d2ab94c0..79873a9e09 100644 --- a/pkg/render/testutils/expected_policies/es-kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/es-kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/es-metrics.json b/pkg/render/testutils/expected_policies/es-metrics.json index a8f71186c1..d99e628412 100644 --- a/pkg/render/testutils/expected_policies/es-metrics.json +++ b/pkg/render/testutils/expected_policies/es-metrics.json @@ -48,7 +48,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json index 390a7d4660..9b65bf8f3f 100644 --- a/pkg/render/testutils/expected_policies/fluentd_unmanaged.json +++ b/pkg/render/testutils/expected_policies/fluentd_unmanaged.json @@ -61,7 +61,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/guardian.json b/pkg/render/testutils/expected_policies/guardian.json index 39df2daaca..e640078bee 100644 --- a/pkg/render/testutils/expected_policies/guardian.json +++ b/pkg/render/testutils/expected_policies/guardian.json @@ -132,7 +132,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json index 4168ce1d11..b99e1ac8a4 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json index 88c5526720..9eb8b4ae85 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json index 152863cc1c..2d8e633a4e 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json @@ -42,7 +42,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json index 29c588b1b2..6492378c55 100644 --- a/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json +++ b/pkg/render/testutils/expected_policies/intrusion-detection-elastic.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kibana.json b/pkg/render/testutils/expected_policies/kibana.json index f17a3c6ff3..827dd18c2b 100644 --- a/pkg/render/testutils/expected_policies/kibana.json +++ b/pkg/render/testutils/expected_policies/kibana.json @@ -101,7 +101,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers.json b/pkg/render/testutils/expected_policies/kubecontrollers.json index f831d81e91..43cc5c3d58 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json index 1aac5135c1..c0a26ff666 100644 --- a/pkg/render/testutils/expected_policies/kubecontrollers_managed.json +++ b/pkg/render/testutils/expected_policies/kubecontrollers_managed.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/linseed.json b/pkg/render/testutils/expected_policies/linseed.json index 086cc8ddaa..611bf21543 100644 --- a/pkg/render/testutils/expected_policies/linseed.json +++ b/pkg/render/testutils/expected_policies/linseed.json @@ -177,7 +177,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json index d9b7670798..a0a244a28b 100644 --- a/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json +++ b/pkg/render/testutils/expected_policies/linseed_dpi_enabled.json @@ -186,7 +186,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/manager.json b/pkg/render/testutils/expected_policies/manager.json index 97d18b7539..6b779ecc94 100644 --- a/pkg/render/testutils/expected_policies/manager.json +++ b/pkg/render/testutils/expected_policies/manager.json @@ -152,7 +152,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture.json b/pkg/render/testutils/expected_policies/packetcapture.json index 0a07976542..7054982cc2 100644 --- a/pkg/render/testutils/expected_policies/packetcapture.json +++ b/pkg/render/testutils/expected_policies/packetcapture.json @@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed.json b/pkg/render/testutils/expected_policies/packetcapture_managed.json index 0bbbe598c7..3eb8aab798 100644 --- a/pkg/render/testutils/expected_policies/packetcapture_managed.json +++ b/pkg/render/testutils/expected_policies/packetcapture_managed.json @@ -44,7 +44,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/policyrecommendation.json b/pkg/render/testutils/expected_policies/policyrecommendation.json index b63e268b54..fb438526b6 100644 --- a/pkg/render/testutils/expected_policies/policyrecommendation.json +++ b/pkg/render/testutils/expected_policies/policyrecommendation.json @@ -53,7 +53,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-api.json b/pkg/render/testutils/expected_policies/prometheus-api.json index b3ba35a024..01485c21b5 100644 --- a/pkg/render/testutils/expected_policies/prometheus-api.json +++ b/pkg/render/testutils/expected_policies/prometheus-api.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus-operator.json b/pkg/render/testutils/expected_policies/prometheus-operator.json index 8fa0df32aa..717e8c5c7e 100644 --- a/pkg/render/testutils/expected_policies/prometheus-operator.json +++ b/pkg/render/testutils/expected_policies/prometheus-operator.json @@ -18,7 +18,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/testutils/expected_policies/prometheus.json b/pkg/render/testutils/expected_policies/prometheus.json index 538b33ccba..12b5510365 100644 --- a/pkg/render/testutils/expected_policies/prometheus.json +++ b/pkg/render/testutils/expected_policies/prometheus.json @@ -30,7 +30,7 @@ "protocol": "UDP", "destination": { "namespaceSelector": "projectcalico.org/name == 'kube-system'", - "selector": "k8s-app == 'kube-dns'", + "selector": "k8s-app == 'kube-dns' || k8s-app == 'coredns'", "ports": [ 53 ] diff --git a/pkg/render/tiers/tiers.go b/pkg/render/tiers/tiers.go index 43eaa225a4..e3267c342d 100644 --- a/pkg/render/tiers/tiers.go +++ b/pkg/render/tiers/tiers.go @@ -116,7 +116,8 @@ func (t tiersComponent) calicoSystemClusterDNSPolicy() *v3.NetworkPolicy { dnsPolicySelector = "dns.operator.openshift.io/daemonset-dns == 'default'" dnsPolicyNamespace = "openshift-dns" } else { - dnsPolicySelector = "k8s-app == 'kube-dns'" + // In most Kubernetes distros the label is for kube-dns, but in Canonical it is for codedns. + dnsPolicySelector = "k8s-app == 'kube-dns' || k8s-app == 'coredns'" dnsPolicyNamespace = "kube-system" }