coredns scrape target down in hardened rke2

[mjnagel]

Environment

Device and OS: AWS Ec2
App version: 0.33.1 (snapshot)
Kubernetes distro being used: Rke2

Steps to reproduce

Deploy an RKE2 cluster using one of the CIS profiles. When using these profiles RKE2 applies some default network policies that block Ingress to kube-system for most services. As a result the service monitor that should monitor core-dns will appear as down.

Expected result

Prometheus is able to scrape the configured targets in any environment.

Actual Result

Prometheus cannot scrape coredns.

Severity/Priority

Low - this may be environment specific and there is a clear workaround.

Additional Context

I was able to workaround this by applying the following network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prometheus-to-kube-dns
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: kube-dns
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 9153

This policy may belong in uds-core, behind a toggle? May warrant more conversation on whether this is a common problem or specific to hardened RKE2.