@@ -475,35 +475,69 @@ func (r *NetworkPolicyHandler) buildNetpolForPod(ctx context.Context, pod *Poten
475475 },
476476 }
477477
478- scrapePort , portDefined , err := r .getMetricsPort (pod . scrapeResourceMeta )
478+ ports , err := r .getNetpolPorts (pod )
479479 if err != nil {
480480 return v1.NetworkPolicy {}, errors .Wrap (err )
481481 }
482482
483+ newPolicy .Spec .Ingress [0 ].Ports = ports
484+ allowDNS := v1.NetworkPolicyIngressRule {
485+ From : []v1.NetworkPolicyPeer {},
486+ Ports : []v1.NetworkPolicyPort {
487+ {
488+ Port : lo .ToPtr (intstr.IntOrString {IntVal : 53 , Type : intstr .Int }),
489+ Protocol : lo .ToPtr (corev1 .ProtocolTCP ),
490+ },
491+ {
492+ Port : lo .ToPtr (intstr.IntOrString {IntVal : 53 , Type : intstr .Int }),
493+ Protocol : lo .ToPtr (corev1 .ProtocolUDP ),
494+ },
495+ },
496+ }
497+
498+ newPolicy .Spec .Ingress = append (newPolicy .Spec .Ingress , allowDNS )
499+
500+ return newPolicy , nil
501+ }
502+
503+ func (r * NetworkPolicyHandler ) getNetpolPorts (pod * PotentiallyScrapeMetricPod ) ([]v1.NetworkPolicyPort , error ) {
504+ netpolPorts := make ([]v1.NetworkPolicyPort , 0 )
505+
506+ scrapePort , portDefined , err := r .getMetricsPort (pod .scrapeResourceMeta )
507+ if err != nil {
508+ return make ([]v1.NetworkPolicyPort , 0 ), errors .Wrap (err )
509+ }
510+
511+ // First we want to see whether the resource has the scraping-port annotation
483512 if portDefined {
484- newPolicy . Spec . Ingress [ 0 ]. Ports = append (newPolicy . Spec . Ingress [ 0 ]. Ports , v1.NetworkPolicyPort {
513+ netpolPorts = append (netpolPorts , v1.NetworkPolicyPort {
485514 Port : lo .ToPtr (intstr.IntOrString {IntVal : scrapePort , Type : intstr .Int }),
486515 Protocol : lo .ToPtr (corev1 .ProtocolTCP ),
487516 })
488- return newPolicy , nil
489- }
517+ } else {
518+ // If it doesn't, we want to mimic Prometheus behavior - which is to attempt to scrape all the ports of the resource
519+ // that is defined with the scraping annotation
520+
521+ // If the resource does not define any ports - then we can't scrape anything..
522+ if len (pod .scrapeResourcePorts ) == 0 {
523+ return make ([]v1.NetworkPolicyPort , 0 ), errors .Wrap (fmt .Errorf ("can not deduce the port to scrape" ))
524+ }
490525
491- if len (pod .scrapeResourcePorts ) == 0 {
492- return v1.NetworkPolicy {}, errors .Wrap (fmt .Errorf ("can not deduce the port to scrape" ))
526+ netpolPorts = lo .Map (pod .scrapeResourcePorts , func (port int32 , _ int ) v1.NetworkPolicyPort {
527+ return v1.NetworkPolicyPort {
528+ Port : lo .ToPtr (intstr.IntOrString {IntVal : port , Type : intstr .Int }),
529+ Protocol : lo .ToPtr (corev1 .ProtocolTCP ),
530+ }
531+ })
493532 }
494533
495534 // We want to have deterministic order, since later on we will compare this policy with the existing one, and we don't
496535 // want to order of the ports to create a difference
497- slices .Sort (pod .scrapeResourcePorts )
498- ingressPorts := lo .Map (pod .scrapeResourcePorts , func (port int32 , _ int ) v1.NetworkPolicyPort {
499- return v1.NetworkPolicyPort {
500- Port : lo .ToPtr (intstr.IntOrString {IntVal : port , Type : intstr .Int }),
501- Protocol : lo .ToPtr (corev1 .ProtocolTCP ),
502- }
536+ slices .SortFunc (netpolPorts , func (port , otherPort v1.NetworkPolicyPort ) bool {
537+ return port .Port .IntValue () < otherPort .Port .IntValue ()
503538 })
504- newPolicy .Spec .Ingress [0 ].Ports = ingressPorts
505539
506- return newPolicy , nil
540+ return netpolPorts , nil
507541}
508542
509543func (r * NetworkPolicyHandler ) handleCreationErrors (ctx context.Context , err error , policy * v1.NetworkPolicy ) error {
0 commit comments