Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for defining dnsPolicy and dnsConfig options for ECK operator statefulset #7999

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

haam3r
Copy link
Contributor

@haam3r haam3r commented Aug 12, 2024

This PR adds support to the statefulset template for defining dnsPolicy and dnsConfig options.

Flow control is designed to both prevent conflicts with the existing hostNetwork option and to only render out these options if they are both defined together.

If hostNetwork is enabled, dnsPolicy defaults to ClusterFirstWithHostNet unless explicitly set.

Both new options have been documented with examples in values.yaml.

@botelastic botelastic bot added the triage label Aug 12, 2024
@thbkrkr thbkrkr added >feature Adds or discusses adding a feature to the product :helm-charts labels Aug 26, 2024
@botelastic botelastic bot removed the triage label Aug 26, 2024
@naemono naemono self-assigned this Nov 21, 2024
@naemono naemono self-requested a review November 21, 2024 15:12
Copy link
Contributor

@naemono naemono left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really sorry for the delays in getting this reviewed. I have a question about why we are making decisions on linking dnsPolicy and dnsConfig? And what if we set hostNetwork: true, and dnsPolicy: "something-else"? It explicitly sets dnsPolicy to clusterfirstWithHostNet.

deploy/eck-operator/templates/statefulset.yaml Outdated Show resolved Hide resolved
@thbkrkr
Copy link
Contributor

thbkrkr commented Dec 11, 2024

Thank you for this contribution! Since there hasn’t been recent activity, I’ll adopt this PR to complete it and get it merged. Your work will be preserved and credited.

@thbkrkr thbkrkr force-pushed the operator-dns-config branch from e26e6b7 to 795dab6 Compare December 11, 2024 15:09
@thbkrkr thbkrkr requested a review from naemono December 11, 2024 15:11
# CAUTION: Proceed at your own risk. This setting has security concerns such as allowing malicious users to access workloads running on the host.
hostNetwork: false
#
# dnsPolicy defines the DNS policy for the operator pod. Available options are:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a link to the original documentation (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy), and invite the reader to go there for more information?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thbkrkr
Copy link
Contributor

thbkrkr commented Dec 17, 2024

buildkite test this

@haam3r
Copy link
Contributor Author

haam3r commented Dec 18, 2024

Really sorry for the delays in getting this reviewed. I have a question about why we are making decisions on linking dnsPolicy and dnsConfig? And what if we set hostNetwork: true, and dnsPolicy: "something-else"? It explicitly sets dnsPolicy to clusterfirstWithHostNet.

Sorry for the delay in responding, I missed the intial notification.
We are not specifically linking dnsPolicy and dnsConfig. They can still be defined separately, we are only statically setting dnsPolicy when hostnetwork is specified.
We explicitly set dnspolicy in that case because the k8s documentation says to do that. Otherwise as the docs say we introduce unintended behaviour. Per the docs linked in the code comment:

For Pods running with hostNetwork, you should explicitly set its DNS policy to "ClusterFirstWithHostNet". Otherwise, Pods running with hostNetwork and "ClusterFirst" will fallback to the behavior of the "Default" policy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>feature Adds or discusses adding a feature to the product :helm-charts
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants