Fix FQDN policy support for IPv6 #3869
Conversation
tnqn
added
action/backport
|
/test-ipv6-only-e2e |
tnqn
force-pushed
the
fix-fqdn-ipv6
branch
2 times, most recently
from
329caa1 to
47207e5
Compare
|
/test-ipv6-only-e2e |
|
/test-ipv6-only-e2e |
| @@ -207,6 +207,11 @@ nodePortLocal: | |||
| # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. | |||
| kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }} | |||
|
|
|||
| # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. | |||
| # Defaults to "". It must be a host string or a host:port pair of the dns server (e.g. 10.96.0.10, 10.96.0.10:53, | |||
test/e2e/antreapolicy_test.go
Outdated
| builder := &ClusterNetworkPolicySpecBuilder{} | ||
| builder = builder.SetName("test-acnp-fqdn-cluster-svc"). | ||
| SetTier("application"). | ||
| SetPriority(1.0) | ||
| for idx, service := range services { | ||
| builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionReject) | ||
| builder.AddFQDNRule(svcDNSName(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2+1), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["z"]}, PodSelector: map[string]string{"pod": "c"}}}, crdv1alpha1.RuleActionDrop) | ||
| builder.AddFQDNRule(svcFQDN(service), ProtocolTCP, nil, nil, nil, fmt.Sprintf("r%d", idx*2), []ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": namespaces["y"]}, PodSelector: map[string]string{"pod": "b"}}}, crdv1alpha1.RuleActionReject) |
There was a problem hiding this comment.
Based on your comment above, should we use svcDNSName here?
There was a problem hiding this comment.
We expect the string set in the rule to be FQDN, not short names, right? otherwise it should be written with wildcard. The dns go library doesn't append the domains in the search list like what the system resolver does, using short name here would get no resolution result.
There was a problem hiding this comment.
I see what you mean now. If that's the case why do we need the svcDNSName function then?
There was a problem hiding this comment.
It's used in podToAddrTestStep as the server address. As the function comment explains, if we use FQDN as the server address, the client would first try FQDN.<namespace>.svc.cluster.local, then FQDN.svc.cluster.local, then FQDN.cluster.local, last FQDN, likely exceeding the timeout.
There was a problem hiding this comment.
Got it. Thanks for the explanation. Maybe worth adding to the comment in the podToAddrTestStep below that each client Pod's /etc/resolve.conf will append svc.cluster.local as first dns resolution trial, just for laymans like me to understand this better when we look back at the code.
There was a problem hiding this comment.
used another way to avoid unnecessary resolution attemps, and add comment to explain it, PTAL
Codecov Report
@@ Coverage Diff @@
## main #3869 +/- ##
===========================================
- Coverage 64.42% 54.22% -10.20%
===========================================
Files 291 407 +116
Lines 42745 58804 +16059
===========================================
+ Hits 27539 31888 +4349
- Misses 12990 24282 +11292
- Partials 2216 2634 +418
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
/test-ipv6-only-e2e |
|
/test-ipv6-only-e2e |
IPv6 address must be wrapped with "[]" when used in network API. This patch ensures that the auto-discovered and the user-provided DNS servers use correct format. It also adds the missing configuration "dnsServerOverride" to the configuration file. Signed-off-by: Quan Tian <[email protected]>
|
/test-ipv6-only-e2e |
|
/test-ipv6-only-e2e |
IPv6 address must be wrapped with "[]" when used in network API.
This patch ensures that the auto-discovered and the user-provided DNS
servers use correct format. It also adds the missing configuration
"dnsServerOverride" to the configuration file.
Signed-off-by: Quan Tian [email protected]
Fixes #3873