Best practice for access to kube-dns

Hi,

in [calico_versioned_docs/version-3.30/network-policy/policy-rules/service-policy.mdx#L53-L64](https://github.com/tigera/docs/blob/fe242c23c4e3c2e69780798de84b6dc4a7b9bc16/calico_versioned_docs/version-3.30/network-policy/policy-rules/service-policy.mdx?plain=1#L53-L64) the example to allow access to `kube-dns` uses the service:

``` yaml
- action: Allow
  destination:
    services:
      name: kube-dns
      namespace: kube-system
```

on the other hand, [calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx#L109-L120](https://github.com/tigera/docs/blob/fe242c23c4e3c2e69780798de84b6dc4a7b9bc16/calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx?plain=1#L109-L120) accomplishes the same with a more complex rule using a label selector:

```yaml
- action: Allow
  protocol: UDP
  destination:
    selector: 'k8s-app == "kube-dns"'
    ports:
    - 53
- action: Allow
  protocol: TCP
  destination:
    selector: 'k8s-app == "kube-dns"'
    ports:
    - 53
```

While I assume both to be working the same, from user perspective this might irritate when one only knows one variant and stumbles upon the other.

Should these example be adjusted to be the same? And if not: Which would be the preferred one from Calicos perspective?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Best practice for access to kube-dns #2251

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Best practice for access to kube-dns #2251

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions