-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support copying "options" in resolv.conf into pod sandbox when dnsPolicy is Default #54773
Support copying "options" in resolv.conf into pod sandbox when dnsPolicy is Default #54773
Conversation
cc @kubernetes/sig-network-misc, any comments of this change? |
/ok-to-test |
Just thinking loud here: Might this not potentially enable people to break their system in completely new ways ( thinking of musl for example ) Woudln't it make sense to have some checks of the resolv.conf being imported so it does not have to many search domains & servers etc |
scratch that comment. saw your using checkLimitsForResolvConf I just have something nagging in the back of my head saying that i read somewhere that the limits glibc imposes are not the same for musl |
ping @kubernetes/sig-network-misc |
@phsiao: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
kubernetes/community#1276 seems like a better all around answer. I'm wary of inheriting that stuff because, frankly, inheriting the host's DNS was probably a mistake. The config for the node is pretty unrelated to what the config should be for a pod. Are you simply trying to set timeout? |
For our use case, the host's DNS is more relevant than kube-dns, and it performs much better. We don't use the kube-dns as pod's resolver, and we delegate cluster domain to kube-dns pods. Pods and VMs/baremetal servers are all first class systems in our environment, and our pods resolve non-k8s names more than they resolve k8s names today. We actually prefer to use dnsPolicy: Default, but we can't inherit anything from options so none of the policy is ideal. We do need some tweaking to options to leverage our multiple resolvers without causing extended disruption during resolver maintenance. I think having dnsPolicy: Default inheriting options does not violate what you described. It is not a default behavior, and the least surprise would be to get the /etc/resolv.conf file in its entirety but being able to copy over options is probably just as good. |
I did look at kubernetes/community#1276 and I believe it is trying to address a different problem. |
kubernetes/community#1276 should cover this use case. We should close this until we solve that larger design problem. Alternatively, I mightbe OK to inherit |
That is exactly what this PR is, the title was a little misleading, but the initial comment stated that. |
Sorry, I skimmed too hard. @bowei can you review or assign? I guess I am OK with inheriting |
taking a look |
pkg/kubelet/kubelet.go
Outdated
if err != nil { | ||
return nil, nil, false, err | ||
return nil, nil, hostOptions, false, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, nil, nil, false, er
pkg/kubelet/kubelet_pods.go
Outdated
@@ -429,7 +429,7 @@ func (kl *Kubelet) GenerateRunContainerOptions(pod *v1.Pod, container *v1.Contai | |||
} | |||
} | |||
|
|||
opts.DNS, opts.DNSSearch, useClusterFirstPolicy, err = kl.GetClusterDNS(pod) | |||
opts.DNS, opts.DNSSearch, _, useClusterFirstPolicy, err = kl.GetClusterDNS(pod) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like resolv.conf options are not piped into pod yet. Are we planing to do that in follow-up PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe only the podSandboxConfig.DnsConfig
returned by generatePodSandboxConfig()
in pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
is used to generate resolv.conf
.
This portion of GetClusterDNS()
does not appear to be affecting the generation of resolv.conf
, so the options were ignored. This portion of settings are used to set parameters for launching a container, and not in the container sandbox.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, looked around and confirmed this is correct.
/test pull-kubernetes-bazel-build |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Thanks, don't have more comments, seems to be a straightforward change.
pkg/kubelet/kubelet_pods.go
Outdated
@@ -429,7 +429,7 @@ func (kl *Kubelet) GenerateRunContainerOptions(pod *v1.Pod, container *v1.Contai | |||
} | |||
} | |||
|
|||
opts.DNS, opts.DNSSearch, useClusterFirstPolicy, err = kl.GetClusterDNS(pod) | |||
opts.DNS, opts.DNSSearch, _, useClusterFirstPolicy, err = kl.GetClusterDNS(pod) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, looked around and confirmed this is correct.
Saw test failures appear to be flakes, and squash the commits. |
/lgtm |
/assign @thockin |
ping @thockin for approval. |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Clean up redundant DNS related codes **What this PR does / why we need it**: As #54773 (comment) described, resolv.conf setup for pod is handled by `generatePodSandboxConfig()`, though we have some redundant DNS related codes in `GenerateRunContainerOptions()` which seems to have no effect. This PR cleans up the ineffective codes and rearranges the cluster DNS unit test and hopefully it would be less confusing. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #55201 **Special notes for your reviewer**: cc @Random-Liu @phsiao **Release note**: ```release-note NONE ```
/retest |
@phsiao Thanks, this still LGTM. /lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MrHohn, phsiao, thockin Associated issue: 42542 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
This PR adds support for copying "options" from host's /etc/resolv.conf (or --resolv-conf) into pod's resolv.conf when dnsPolicy is Default. Being able to customize options is important because it is common to leverage options to fine-tune the behavior of DNS client.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #42542Special notes for your reviewer:
I originally wanted to also tackle the issue of copying options for when dnsPolicy is ClusterFirst, but with ability to "merge" with default options (ndots:5 more specifically) when it makes sense. I decided to leave it off for now because the "merging" may need more discussions. Happy to add that to this PR or create another PR for that if it makes sense and is clear what should be done. I think even when dnsPolicy is ClusterFirst it is important to allow customization.
Release note:
kubelet: add support for copying "options" from /etc/resolv.conf (or --resolv-conf if it is used) into pod's /etc/resolv.conf when dnsPolicy is Default.