From 34bfa994c2f508ef33ce04c6983e21afd0219a51 Mon Sep 17 00:00:00 2001
From: OG T
Date: Thu, 26 Mar 2026 17:41:11 +0800
Subject: [PATCH] =?UTF-8?q?fix(k8s):=20NetworkPolicy=20DNS=20=E8=A6=8F?= =?UTF-8?q?=E5=89=87=E4=BF=AE=E5=BE=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 使用 namespaceSelector 明確指定 kube-system
- ADR-011 Appendix B: CoreDNS 只有 k8s-app=kube-dns 標籤
- 修復 Telegram 告警鏈 DNS 解析失敗問題
Co-Authored-By: Claude Opus 4.5
---
 k8s/awoooi-prod/02-network-policy.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index c43a62a2..781c0571 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -1,8 +1,10 @@
 # AWOOOI 正式環境零信任網路策略
 # 負責人: CIO
-# 版本: v1.1
+# 版本: v1.2
 # 日期: 2026-03-26
-# 變更: 新增 Langfuse LLMOps (192.168.0.110:3100) - Phase 15.1
+# 變更:
+# - v1.2: 修復 DNS 規則使用 namespaceSelector (ADR-011 Appendix B)
+# - v1.1: 新增 Langfuse LLMOps (192.168.0.110:3100) - Phase 15.1
 #
 # 原則: Default Deny All - 預設拒絕所有流量,僅白名單允許
@@ -152,8 +154,12 @@ spec:
 port: 6443
 # 允許 DNS 解析
+ # 2026-03-26 修復: 使用 namespaceSelector 明確指定 kube-system
+ # ADR-011 Appendix B: CoreDNS 只有 k8s-app=kube-dns 標籤,不要加其他標籤要求
 - to:
- - namespaceSelector: {}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
 podSelector:
 matchLabels:
 k8s-app: kube-dns
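Review bot: The new `namespaceSelector` in the DNS egress rule (second hunk) depends on the `kubernetes.io/metadata.name` label, which the API server sets on namespaces automatically only from Kubernetes 1.21 on; on an older control plane the selector matches nothing and, under the default-deny principle stated in this file's header, DNS egress is dropped. I would record that next to the rule, e.g. `# requires Kubernetes >= 1.21: kubernetes.io/metadata.name is set by the API server`. The removed `namespaceSelector: {}` already matched kube-system, so this hunk narrows the rule rather than widening it; if resolution was failing before, the cause is probably outside these lines (possibly a node-local DNS cache address or the rule's `ports:` list) and should be confirmed after rollout. The rule's `ports:` entries fall outside the hunk, so check separately that they stay limited to 53/UDP and 53/TCP.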