From a93b64ceec6376de7fab79fdd8f3a2e874af9414 Mon Sep 17 00:00:00 2001
From: Laurent Lavaud
Date: Wed, 7 Aug 2024 15:23:19 +0200
Subject: [PATCH 1/2] [stable/redis-ha]: Allow DNS requests to local network
- In some situations (GKE cluster with [Cloud DNS](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns#architecture)), the DNS server is configured on the local network IP range (169.254.0.0/16), so we should allow this CIDR in the default network policy.
Signed-off-by: Laurent Lavaud
---
 charts/redis-ha/templates/redis-ha-network-policy.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/redis-ha/templates/redis-ha-network-policy.yaml b/charts/redis-ha/templates/redis-ha-network-policy.yaml
index 176d91bd..5560e3cc 100644
--- a/charts/redis-ha/templates/redis-ha-network-policy.yaml
+++ b/charts/redis-ha/templates/redis-ha-network-policy.yaml
@@ -37,6 +37,8 @@ spec:
 protocol: TCP
 - to:
 - namespaceSelector: {}
+ - ipBlock:
+ cidr: 169.254.0.0/16
 ports:
 - port: 53
 protocol: UDP
From d08789a1618f5dfcebebbdae8e6ff81f34cf88a8 Mon Sep 17 00:00:00 2001
From: Laurent Lavaud
Date: Sun, 22 Sep 2024 22:12:59 +0200
Subject: [PATCH 2/2] set in default values
---
 charts/redis-ha/Chart.yaml | 2 +-
 .../templates/redis-ha-network-policy.yaml | 9 ---------
 charts/redis-ha/values.yaml | 15 ++++++++++++++-
 3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/charts/redis-ha/Chart.yaml b/charts/redis-ha/Chart.yaml
index 1090b570..0f651dc9 100644
--- a/charts/redis-ha/Chart.yaml
+++ b/charts/redis-ha/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 4.27.6
+version: 4.27.7
 appVersion: 7.2.4
 description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png
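Review bot: The new `ipBlock` peer for `169.254.0.0/16` is only as narrow as the `ports` list beneath it (53/UDP here, and presumably the 53/TCP entry just past the end of the hunk), because the link-local range also carries cloud instance-metadata endpoints and nothing in the template records that the ports list is what keeps them unreachable. Someone later widening that ports list, or removing it to "fix" a resolver on a non-standard port, would open the whole /16 without realising it. I would add a comment above the new peer, `# link-local range hosts managed cloud DNS resolvers (e.g. GKE Cloud DNS); the ports list below must keep this scoped to port 53`, and where the resolver address is known, prefer a `/32` for that address over the whole `/16`. The enclosing egress rule's `ports` entries continue outside the hunk.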
diff --git a/charts/redis-ha/templates/redis-ha-network-policy.yaml b/charts/redis-ha/templates/redis-ha-network-policy.yaml
index 5560e3cc..8f688caf 100644
--- a/charts/redis-ha/templates/redis-ha-network-policy.yaml
+++ b/charts/redis-ha/templates/redis-ha-network-policy.yaml
@@ -35,15 +35,6 @@ spec:
 protocol: TCP
 - port: {{ .Values.sentinel.port }}
 protocol: TCP
- - to:
- - namespaceSelector: {}
- - ipBlock:
- cidr: 169.254.0.0/16
- ports:
- - port: 53
- protocol: UDP
- - port: 53
- protocol: TCP
 {{- range $rule := .Values.networkPolicy.egressRules }}
 - to:
 {{ (tpl (toYaml $rule.selectors) $) | indent 7 }}
diff --git a/charts/redis-ha/values.yaml b/charts/redis-ha/values.yaml
index 1a5e8275..eb978723 100644
--- a/charts/redis-ha/values.yaml
+++ b/charts/redis-ha/values.yaml
@@ -756,7 +756,20 @@ networkPolicy:
 # protocol: TCP
 ## user can define egress rules too, uses the same structure as ingressRules
- egressRules: []
+ egressRules:
+ - selectors:
+ # allow all destinations for DNS traffic
+ - namespaceSelector: {}
+ - ipBlock:
+ # Cloud Provider often uses the local link local range to host managed DNS resolvers.
+ # We need to allow this range to ensure that the Redis pods can resolve DNS.
+ # Example architecture for GCP Cloud DNS: https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns#architecture
+ cidr: 169.254.0.0/16
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
 splitBrainDetection:
 interval: 60