Allow public dns requests and imrpove calico config readme

YuryHrytsuk · YuryHrytsuk · commit ea116a7f4bee · 2025-08-06T08:17:14.000+02:00
diff --git a/charts/adminer/templates/networkpolicy.yaml b/charts/adminer/templates/networkpolicy.yaml
@@ -18,3 +18,9 @@ spec:
       destination:
         ports:
           - 5432
+    # allow dns requests to public dns servers
+    - action: Allow
+      protocol: UDP
+      destination:
+        ports:
+          - 53
diff --git a/charts/calico-configuration/README.md b/charts/calico-configuration/README.md
@@ -1,18 +1,31 @@
 ## How to add network policy (local deployment)
 
 How to discover ports / networks that are used by application
-* enable and observe traffic via
-  - https://docs.tigera.io/calico/3.30/observability/enable-whisker
-  - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+* observe existing traffic (see `Debug network policies` below)
 * add staged policies to make sure all cases are included https://docs.tigera.io/calico/3.30/network-policy/staged-network-policies
-* transform staged policies to "normal" policies
+  - make sure deployed calico version supports it
+* based on observations, create a needed network policy
 
 ## Debug network policies
+
+if calico version 3.30+ is installed
 * observe traffic and check `policies` field in whisker logs
   - https://docs.tigera.io/calico/3.30/observability/enable-whisker
   - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
 
-Warning: make sure that calico version being used support Whisker (first introduced in v3.30)
+if calico version <= 3.29
+* create network policy with action log
+  ```yaml
+  apiVersion: projectcalico.org/v3
+  kind: NetworkPolicy
+  metadata:
+    name: log ingress requests
+  spec:
+    selector: app == 'db'
+    ingress:
+    - action: Log
+  ```
+* apply policy and see logs via journalctl (you can grep with `calico-packet`)
 
 ## Known issues
 
