Environment:
- Calico v3.31.4 (tigera-operator chart ~3.28.2)
- EKS with cni.type: AmazonVPC, calicoNetwork.bgp: Disabled
- Kubernetes 1.35
Description:
When deploying Calico on EKS with the AmazonVPC CNI, the kube-controllers pod starts with ENABLED_CONTROLLERS=node,loadbalancer — the namespace controller is not included. This means the projectcalico.org/name label never gets applied to namespaces.
However, the operator creates Kubernetes NetworkPolicies for its own components (Whisker, Goldmane, APIServer) that use projectcalico.org/name in their namespace selectors. For example, the Whisker NetworkPolicy has this egress rule to allow DNS:
    - ports:
      - port: 53
        protocol: UDP
      to:
      - namespaceSelector:
          matchLabels:
            projectcalico.org/name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
Since no namespace has the projectcalico.org/name label, this rule never matches, and Whisker can't resolve DNS. The whisker-backend logs show:
    failed to stream flows error=rpc error: code = Unavailable desc = dns: A record lookup error:
    lookup goldmane.calico-system.svc.cluster.local on 172.20.0.10:53: dial udp 172.20.0.10:53: i/o timeout
The KubeControllersConfiguration CR does have spec.controllers.namespace.reconcilerPeriod: 5m0s set, but the operator overrides this and doesn't include namespace in the ENABLED_CONTROLLERS env var.
Expected behaviour:
Either:
- The namespace controller should be enabled so projectcalico.org/name labels exist for the operator's own policies to match, or
- The operator-managed NetworkPolicies should use kubernetes.io/metadata.name instead, which is always present on Kubernetes 1.21+
Workaround:
Manually apply projectcalico.org/name labels to namespaces, e.g. via namespace definitions in GitOps.
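As an added example (not code from this issue or from the Calico project), the following simulates Kubernetes matchLabels evaluation over constructed namespace and pod objects to show why the quoted peer never selects CoreDNS, and that either re-keying the selector to kubernetes.io/metadata.name or applying the workaround labels makes it match. The namespace contents and pod names are made up.

```python
# Constructed sample cluster state, modelled on the issue: EKS namespaces carry
# kubernetes.io/metadata.name but NOT projectcalico.org/name, because the
# namespace controller is absent from ENABLED_CONTROLLERS.
NAMESPACES = {
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "calico-system": {"kubernetes.io/metadata.name": "calico-system"},
}
PODS = [  # constructed pods; names are placeholders
    {"name": "coredns-0", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
    {"name": "goldmane-0", "namespace": "calico-system", "labels": {"k8s-app": "goldmane"}},
]
# The 'to' peer of the Whisker DNS egress rule quoted in the issue.
OPERATOR_PEER = {
    "namespaceSelector": {"matchLabels": {"projectcalico.org/name": "kube-system"}},
    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
}

def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every required key must be present with that value.
    An empty selector matches everything, as in Kubernetes."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def selected_pods(peer: dict, namespaces: dict, pods: list) -> list:
    """Pods a NetworkPolicyPeer selects: namespaceSelector AND podSelector must match."""
    return [
        p["name"] for p in pods
        if matches(peer.get("namespaceSelector"), namespaces.get(p["namespace"], {}))
        and matches(peer.get("podSelector"), p["labels"])
    ]

def namespaces_missing_label(namespaces: dict, key: str) -> list:
    """Detection check: which namespaces lack the label a policy keys on?"""
    return sorted(ns for ns, labels in namespaces.items() if key not in labels)

def rekey_to_metadata_name(peer: dict) -> dict:
    """Second fix proposed in the issue: select by kubernetes.io/metadata.name instead."""
    old = peer["namespaceSelector"]["matchLabels"]
    new = {("kubernetes.io/metadata.name" if k == "projectcalico.org/name" else k): v
           for k, v in old.items()}
    return {**peer, "namespaceSelector": {"matchLabels": new}}

def apply_workaround_labels(namespaces: dict) -> dict:
    """Workaround from the issue: label each namespace projectcalico.org/name=<its name>."""
    return {ns: {**labels, "projectcalico.org/name": ns} for ns, labels in namespaces.items()}

if __name__ == "__main__":
    print("operator peer selects:", selected_pods(OPERATOR_PEER, NAMESPACES, PODS))
    print("unlabelled namespaces:", namespaces_missing_label(NAMESPACES, "projectcalico.org/name"))
    print("re-keyed peer selects:", selected_pods(rekey_to_metadata_name(OPERATOR_PEER), NAMESPACES, PODS))
```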