UNCLASSIFIED - NO CUI

Investigate network traffic to enable API server to Metrics server communication

Problem

When networkPolicies.controlplaneCidr is set to a specific value (not 0.0.0.0/0), the kube-apiserver will not be able to communicate with the metrics server.

Additional Information

Logs in the apiserver state connection refused to the IP of the metrics server service. If we create a netpol that allows ingress from the svc CIDR, the functionality returns to working as expected.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-svc-ingress
  namespace: metrics
spec:
  podSelector: {}
  policyTypes:
  # - Egress
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.43.0.0/12
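
Added example, not part of the original issue: a check of what the ipBlock value in the policy above covers when read as a CIDR prefix, compared with the range it is meant to allow. The intended service CIDR of 10.43.0.0/16 is an assumption (the issue does not state it), and `audit_ipblock` and `allows` are hypothetical helper names.

```python
import ipaddress


def audit_ipblock(policy_cidr, intended_cidr):
    """Compare a NetworkPolicy ipBlock CIDR with the range it was meant to allow.

    Returns the effective network after the prefix mask is applied and the
    address space admitted beyond the intended range.
    """
    written = ipaddress.ip_interface(policy_cidr)
    effective = written.network  # host bits are masked off by the prefix length
    intended = ipaddress.ip_network(intended_cidr)
    if not intended.subnet_of(effective):
        raise ValueError(f"{intended} is not covered by {effective}")
    # Networks inside the policy range that are outside the intended range.
    excess = [] if intended == effective else sorted(effective.address_exclude(intended))
    return {
        "canonical": written.ip == effective.network_address,
        "effective": str(effective),
        "excess": [str(n) for n in excess],
        "excess_addresses": sum(n.num_addresses for n in excess),
    }


def allows(policy_cidr, source_ip):
    """True if source_ip falls inside the ipBlock once the mask is applied."""
    network = ipaddress.ip_network(policy_cidr, strict=False)
    return ipaddress.ip_address(source_ip) in network


if __name__ == "__main__":
    # Value from the policy in the issue; the intended /16 is an assumption.
    report = audit_ipblock("10.43.0.0/12", "10.43.0.0/16")
    for key, value in report.items():
        print(f"{key}: {value}")
    # Constructed sample source addresses.
    for ip in ("10.43.12.7", "10.42.0.5", "10.48.0.1"):
        print(ip, "allowed" if allows("10.43.0.0/12", ip) else "denied")
```

A /12 written at 10.43.0.0 has host bits set, so as a prefix it spans 10.32.0.0 through 10.47.255.255; if the goal is to admit only the service range, the ipBlock should use the cluster's actual service CIDR and prefix length.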