Allow TCP DNS queries to kube-dns in the default deny policy

[wallrj]

In cert-manager/website#1344 (comment) we're discussing whether the default Calico deny policy should also allow TCP DNS queries.

Is there a reason to block them?

Fixes: projectcalico/calico#8224

Product Version(s):

Issue:

Link to docs preview:

SME review:

• An SME has approved this change.

DOCS review:

• A member of the docs team has approved this change.

Additional information:

Merge checklist:

• Deploy preview inspected wherever changes were made
• Build completed successfully
• Test have passed

[netlify]

✅ Deploy Preview for calico-docs-preview-next ready!

Name	Link
🔨 Latest commit	487f2e8
🔍 Latest deploy log	https://app.netlify.com/sites/calico-docs-preview-next/deploys/65549b02c6f8eb000843c126
😎 Deploy Preview	https://deploy-preview-1096--calico-docs-preview-next.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 57 (🔴 down 15 from production) Accessibility: 93 (no change from production) Best Practices: 92 (no change from production) SEO: 79 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview succeeded!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	487f2e8
🔍 Latest deploy log	https://app.netlify.com/sites/tigera/deploys/65549b021e607d0008ea107c
😎 Deploy Preview	https://deploy-preview-1096--tigera.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 44 (🔴 down 28 from production) Accessibility: 93 (no change from production) Best Practices: 83 (no change from production) SEO: 86 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[CLAassistant]

All committers have signed the CLA.

[ctauchen]

Thanks for the submission, @wallrj. This subject of this is out of scope for a docs-only discussion. The question isn't "How should we be documenting X?" so much as "How should we do/write/build X?"

I suggest you raise an issue with Project Calico and add link to this PR.

[wallrj]

I suggest you raise an issue with Project Calico and add link to this PR.

Done:

• The Recommended default deny policy should allow DNS over TCP projectcalico/calico#8224

[matthewdupre]

This is a better policy than the existing one.

[ctauchen]

LGTM