Created
October 28, 2025 22:31
Cased CD Enterprise - NetworkPolicy Diagnostic & Fix
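#!/bin/bash
# Cased CD Enterprise - NetworkPolicy Diagnostic & Fix
#
# Diagnoses DNS timeouts of the cased-cd pods in the argocd namespace and
# applies NetworkPolicies that allow DNS and the service-to-service traffic
# the two deployments need.
#
# Requires: kubectl (with access to the argocd namespace) and jq.
#
# Background: a NetworkPolicy isolates only the pods it selects. Pods that no
# policy selects stay fully open. A namespace-wide default-deny policy (empty
# podSelector) selects every pod, so workloads without their own allow rules
# lose all traffic, DNS included. Enforcement is per pod, so every process
# started in the pod (nginx, a `kubectl exec` shell, ...) is subject to the
# same rules.
set -e
# Without pipefail a failing `kubectl get` is hidden behind jq's exit status.
set -o pipefail

readonly NAMESPACE="argocd"
readonly BACKEND_HOST="cased-cd-enterprise.argocd.svc.cluster.local"

echo "=== Step 1: Check for existing NetworkPolicies for cased-cd ==="
echo "Expected: No results (this is the problem)"
kubectl get networkpolicies -n "$NAMESPACE" -o json \
  | jq '.items[] | select(.spec.podSelector.matchLabels."app.kubernetes.io/name" == "cased-cd") | .metadata.name'
echo ""

echo "=== Step 2: Test DNS from inside the cased-cd pod (getent, 5s timeout) ==="
echo "Expected: Should timeout/fail (DNS blocked by default-deny)"
# `if` rather than `a && b || c`: the failure branch must not depend on the
# exit status of the success message.
if kubectl exec -n "$NAMESPACE" deployment/cased-cd -- \
  timeout 5 sh -c "getent hosts $BACKEND_HOST"; then
  echo "✓ DNS works"
else
  echo "✗ DNS blocked or timed out"
fi
echo ""

echo "=== Step 3: Test DNS from inside the cased-cd pod (nslookup) ==="
echo "Expected: Same outcome as Step 2 (NetworkPolicy applies to the whole pod, not per process)"
# A failure here is a diagnostic result, not a fatal error. Under `set -e` an
# unguarded nslookup failure would abort the script before the fix in Step 4.
if kubectl exec -n "$NAMESPACE" deployment/cased-cd -- nslookup "$BACKEND_HOST"; then
  echo "✓ DNS works"
else
  echo "✗ DNS blocked or timed out"
fi
echo ""

echo "=== Step 4: Apply NetworkPolicy fix ==="
kubectl apply -f - <<'EOF'
---
# NetworkPolicy for cased-cd frontend
# NOTE(review): if the enterprise pods also carry
# app.kubernetes.io/instance: cased-cd, this policy selects them as well.
# Policies are additive, so they would gain these allow rules too; confirm
# the labels on both deployments.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cased-cd-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: cased-cd
      app.kubernetes.io/instance: cased-cd
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress to the web UI from pods in every namespace of the cluster
    # (empty namespaceSelector). This matches in-cluster pods only; whether
    # external clients are admitted depends on how traffic enters the cluster.
    # NOTE(review): for least privilege, narrow this to the namespace of the
    # ingress controller that fronts the UI.
    - from:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow DNS queries to kube-system. TCP is needed alongside UDP because
    # resolvers fall back to TCP for truncated or large responses.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow connection to enterprise backend
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: cased-cd
              app.kubernetes.io/component: enterprise
      ports:
        - protocol: TCP
          port: 8081
    # Allow connection to ArgoCD server
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8083
---
# NetworkPolicy for cased-cd-enterprise backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cased-cd-enterprise-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: cased-cd
      app.kubernetes.io/component: enterprise
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress from cased-cd frontend
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: cased-cd
              app.kubernetes.io/instance: cased-cd
      ports:
        - protocol: TCP
          port: 8081
  egress:
    # Allow DNS queries to kube-system (UDP plus TCP fallback)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow connection to ArgoCD server
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 8083
    # Intended to allow access to the Kubernetes API (ConfigMap/Secret
    # management).
    # NOTE(review): a namespaceSelector matches pods, not Services. This rule
    # opens TCP/443 to every pod in the "default" namespace, and on many CNIs
    # it does not match the API server, whose endpoints are usually node or
    # control-plane addresses. Verify API access after applying. If it fails,
    # replace this rule with an ipBlock for the cluster's API server address.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
      ports:
        - protocol: TCP
          port: 443
EOF
echo ""

echo "=== Step 5: Restart deployments to pick up new NetworkPolicies ==="
# NetworkPolicies take effect without a pod restart. The restart is kept from
# the original script, presumably so the processes retry name resolution.
kubectl rollout restart deployment/cased-cd -n "$NAMESPACE"
kubectl rollout restart deployment/cased-cd-enterprise -n "$NAMESPACE"
echo ""

echo "=== Step 6: Wait for rollout to complete ==="
kubectl rollout status deployment/cased-cd -n "$NAMESPACE" --timeout=60s
kubectl rollout status deployment/cased-cd-enterprise -n "$NAMESPACE" --timeout=60s
echo ""

echo "=== Done! ==="
echo "Try accessing Cased CD now - the DNS timeout should be resolved."
echo ""
echo "What was the problem?"
echo "- ArgoCD namespace has NetworkPolicies for all standard components"
echo "- A NetworkPolicy isolates only the pods it selects; a default-deny policy with an empty podSelector selects every pod in the namespace"
echo "- cased-cd pods had no allow rules of their own, so under default-deny their egress was blocked"
echo "- This blocked DNS queries from nginx, causing timeouts"
echo "- Now both pods have explicit allow rules for DNS and service communication"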