
Add egress to Goldmane and Guardian network policies#4940

Open
caseydavenport wants to merge 1 commit into tigera:master from caseydavenport:casey-system-egress

Conversation

@caseydavenport

Member

Description

On Calico OSS clusters, the Goldmane and Guardian pods lost connectivity once the network policy tier was enabled for OSS in 3.32. The calico-system tier's default-deny policy started applying to these pods, but their policies only defined ingress rules, so their egress was dropped: DNS to CoreDNS, the Kubernetes API, and Guardian's tunnel to the management cluster. This showed up as denied flows in Whisker and broke flow visibility on Calico Cloud-connected clusters.

This adds the missing egress:

  • Goldmane: DNS, the Kubernetes API, and (in managed clusters) Guardian. These destinations are all in-cluster, so the policy stays fully locked down.
  • Guardian: DNS and the Kubernetes API, plus a Pass for the tunnel to the management cluster. The management cluster address is environment-specific and often a hostname, which OSS policy can't express as a selector, so we defer it to the cluster's default posture - the same approach the enterprise policy already uses.

Enterprise policy is unchanged.

Fixes #4804
Related: #4772

Release Note

Fixes a regression where the Goldmane and Guardian pods were unable to reach DNS or the management cluster, which could break flow visibility (including on Calico Cloud-connected clusters).

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.
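The rule shape the description gives for Guardian, written out as a constructed Calico v3 NetworkPolicy manifest. This is an added illustration, not the manifest from this PR: the policy name, order, pod label selector and the calico-system namespace are assumptions. It covers all three patterns at once: Allow to the kube-dns and kubernetes Services, then a trailing Pass for the management-cluster tunnel.

```yaml
# Constructed example: Guardian egress in the calico-system tier.
# Name, order, namespace and the k8s-app label value are assumptions.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-guardian-egress        # hypothetical name
  namespace: calico-system           # assumed namespace of the Guardian pod
spec:
  tier: calico-system                # tier whose default-deny was dropping this traffic
  order: 10                          # evaluated before the tier's default-deny policy
  selector: k8s-app == 'guardian'    # assumed pod label
  types:
    - Egress
  egress:
    # 1. DNS: match the CoreDNS Service by name so no pod labels or IPs
    #    are hard-coded. Needed before any hostname can be resolved.
    - action: Allow
      destination:
        services:
          name: kube-dns
          namespace: kube-system
    # 2. Kubernetes API, matched via the cluster's 'kubernetes' Service.
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
    # 3. Tunnel to the management cluster. Its address is environment-specific
    #    and often a hostname, which this policy cannot express as a selector,
    #    so defer the decision to the cluster's default posture instead of
    #    opening egress to all destinations.
    - action: Pass
```

Rule order matters here: Pass hands the packet to the next tier rather than allowing it, so it sits last, after the explicit DNS and API allows, and the tunnel traffic is only permitted if nothing later in the chain denies it.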

These policies now allow egress for DNS, the Kubernetes API, and (for
Guardian) the tunnel to the management cluster, which the calico-system
default-deny would otherwise drop on OSS clusters.


Development

Successfully merging this pull request may close these issues.

guardian and goldmane network policies missing egress DNS rules
