Currently it's not possible to address Kubernetes API servers easily from NetworkPolicy, but starting with T287443 we now need to.
Right now we have the list of IPs hardcoded in various
The reason behind this is that Calico does not model the Endpoints of the k8s service kubernetes.default.svc.cluster.local as WorkloadEndpoints, as they are not backed by Pods. In version 3.20 and onwards the concept of service-based egress rules was introduced, explicitly mentioning the ability to define rules for services not backed by pods.
The following charts/services will need to be refactored/adapted:
- helmfile_istio-gateways.yaml
- flink-kubernetes-operator
- spark-operator
- cert-manager
- kserve
- knative-serving
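As an added illustration of the refactoring described above (example policy written for this task, not taken from any of the charts listed), a Calico NetworkPolicy that replaces a hardcoded API server IP list with a service-based egress rule. The policy name, the `cert-manager` namespace, the `app == 'cert-manager'` selector and the placeholder `nets` entries are assumptions; the `projectcalico.org/v3` API and the `destination.services` match require Calico 3.20 or newer.

```yaml
# Before: API server addresses hardcoded as CIDRs (placeholder values,
# not the real control plane IPs). Every control plane change means
# editing every chart that carries such a list.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-apiserver-egress-hardcoded
  namespace: cert-manager
spec:
  selector: app == 'cert-manager'
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        nets:
          - 192.0.2.10/32   # placeholder control plane node
          - 192.0.2.11/32   # placeholder control plane node
        ports:
          - 6443
---
# After: match the kubernetes Service in the default namespace.
# Calico resolves the Endpoints of the Service (IPs and ports) itself,
# so no `ports:` or `nets:` are given in the rule; the two cannot be
# combined with `services` in the same rule.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-apiserver-egress
  namespace: cert-manager
spec:
  selector: app == 'cert-manager'
  types:
    - Egress
  egress:
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
```

Because the rule follows the Endpoints object of `kubernetes.default`, adding or removing an API server no longer requires touching the chart; a quick check after applying is that workloads matching the selector can still reach the API server while other egress stays denied by the namespace's default policy.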