Tags: kubernetes, azure-aks, fqdn, kubernetes-networkpolicy, cni

Allow egress from a Kubernetes pod to only specific FQDN/DNS with Azure CNI Network Policies


How can egress from a Kubernetes pod be limited to only specific FQDN/DNS with Azure CNI Network Policies?

This is something that can be achieved with:

Istio

# Legacy Istio API (pre-1.0); current Istio releases express the same
# intent with a ServiceEntry under networking.istio.io instead.
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: googleapis
  namespace: default
spec:
  destination:
      service: "*.googleapis.com"   # wildcard FQDN match
  ports:
      - port: 443
        protocol: https

Cilium

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "fqdn"
spec:
  endpointSelector:
    matchLabels:
      app: some-pod
  egress:
  # Allow traffic only to the addresses this name resolves to.
  - toFQDNs:
    - matchName: "api.twitter.com"
  # Allow DNS to kube-dns; the dns rule lets Cilium inspect the answers
  # so it can populate the toFQDNs allow-list above.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"

OpenShift

apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default-rules
spec:
  # Rules are evaluated in order; the first match wins.
  egress:
  - type: Allow
    to:
      dnsName: www.example.com
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0   # deny everything else

How can something similar be done with Azure CNI Network Policies?


Solution

  • ATM network policies with FQDN/DNS rules are not supported on AKS.

    If you use Azure CNI & Azure Policy Plugin you get the default Kubernetes Network Policies.

    If you use Azure CNI & Calico Policy Plugin you get advanced possibilities like Global Network Policies but not the FQDN/DNS one. This is a paid feature on Calico Cloud unfortunately.
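Since the answer above leaves you with only the standard Kubernetes NetworkPolicy API on AKS, the closest approximation of an FQDN allow-list is to resolve the names yourself and emit a default-deny egress policy whose `ipBlock` entries are the resolved addresses, plus a rule that still permits DNS to kube-dns. The script below is an added example written for this page, not code from the answer, Azure or Calico. It assumes the kube-system namespace carries the `kubernetes.io/metadata.name` label and CoreDNS pods carry `k8s-app: kube-dns` (both true on AKS), and the hostnames and addresses in `SAMPLE_RESOLUTION` are constructed documentation values so it runs offline; the helper names are hypothetical.

```python
"""Generate a Kubernetes NetworkPolicy (networking.k8s.io/v1) that approximates
"allow egress only to these FQDNs" with ipBlock CIDRs, for clusters such as AKS
where the policy plugin offers no FQDN-based egress rules.

Added example with hypothetical helper names; it is not code from any project.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample resolution so the script runs offline. The names and
# addresses are documentation values, not real endpoints.
SAMPLE_RESOLUTION: Dict[str, List[str]] = {
    "api.example.com": ["203.0.113.10", "203.0.113.11"],
    "updates.example.net": ["198.51.100.5"],
}


def resolve_with_dns(fqdn: str) -> List[str]:
    """Resolve a name to its current addresses through the host resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def host_cidrs(addresses: Iterable[str]) -> List[str]:
    """Turn addresses into single-host CIDRs (/32 or /128), deduplicated and
    ordered so that regenerated policies diff cleanly."""
    parsed = {ipaddress.ip_address(a) for a in addresses}
    return [f"{a}/{a.max_prefixlen}"
            for a in sorted(parsed, key=lambda a: (a.version, int(a)))]


def build_fqdn_egress_policy(
    name: str,
    namespace: str,
    pod_labels: Dict[str, str],
    fqdns: Iterable[str],
    tcp_ports: Iterable[int],
    resolver: Callable[[str], List[str]] = resolve_with_dns,
) -> dict:
    """Build a default-deny egress policy for the selected pods that permits
    only the addresses the given FQDNs currently resolve to, plus DNS to
    kube-dns (needed so the pods can still resolve those names)."""
    resolved: Dict[str, List[str]] = {}
    for fqdn in fqdns:
        addrs = resolver(fqdn)
        # A rule whose `to` list ends up empty would allow ALL destinations on
        # those ports, so refuse to emit a policy for an unresolvable name.
        if not addrs:
            raise ValueError(f"{fqdn} resolved to no addresses; refusing to emit policy")
        resolved[fqdn] = addrs

    all_addrs = [a for addrs in resolved.values() for a in addrs]
    to_fqdn_ips = [{"ipBlock": {"cidr": cidr}} for cidr in host_cidrs(all_addrs)]

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Record what was resolved so the next regeneration can be reviewed.
            "annotations": {"example.com/resolved-fqdns": json.dumps(resolved, sort_keys=True)},
        },
        "spec": {
            "podSelector": {"matchLabels": dict(pod_labels)},
            "policyTypes": ["Egress"],  # everything not listed below is denied
            "egress": [
                {
                    "to": to_fqdn_ips,
                    "ports": [{"protocol": "TCP", "port": p} for p in tcp_ports],
                },
                {
                    # DNS to CoreDNS in kube-system. Assumes the namespace label
                    # kubernetes.io/metadata.name and the pod label k8s-app=kube-dns,
                    # which AKS sets; adjust for other distributions.
                    "to": [{
                        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                        "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
                    }],
                    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
                },
            ],
        },
    }


if __name__ == "__main__":
    policy = build_fqdn_egress_policy(
        name="egress-to-approved-fqdns",
        namespace="default",
        pod_labels={"app": "some-pod"},
        fqdns=SAMPLE_RESOLUTION,
        tcp_ports=[443],
        resolver=lambda fqdn: SAMPLE_RESOLUTION[fqdn],  # offline; use resolve_with_dns live
    )
    print(json.dumps(policy, indent=2))  # kubectl apply -f accepts JSON manifests
```

Two caveats a defender should keep in mind: an address-based rule drifts as soon as the DNS answer changes (CDNs and cloud load balancers rotate addresses often), so the policy has to be regenerated on a schedule and the recorded annotation diffed before applying, and the pod can still resolve and attempt any name; only the addresses it can reach are constrained, which is exactly the gap the Cilium and OpenShift FQDN rules in the question close.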