-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add fqdnCacheMinTTL configuration parameter #6808
Changes from 6 commits
346988f
66e72f1
d92246f
2c58ad2
e9e0286
dd43d6b
7de5ee7
fb28bba
6c6dcc8
b0548d5
19fa9e7
0d86321
2b05275
2231173
5b801c5
3287148
b1cdb6f
e80d7bd
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -306,6 +306,11 @@ kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }} | |||||
# 10.96.0.10:53, [fd00:10:96::a]:53). | ||||||
dnsServerOverride: {{ .Values.dnsServerOverride | quote }} | ||||||
|
||||||
# The fqdnCacheMinTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record. | ||||||
# It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them. | ||||||
# This value should ideally be set to the maximum caching duration across all applications. | ||||||
fqdnCacheMinTTL: {{ .Values.minTTL }} | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
This is why the manifests are not generated correctly ( There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry , my bad. Will correct that. |
||||||
|
||||||
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. | ||||||
# https://golang.org/pkg/crypto/tls/#pkg-constants | ||||||
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always | ||||||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -186,6 +186,10 @@ kubeAPIServerOverride: "" | |
# -- Address of DNS server, to override the kube-dns Service. It's used to | ||
# resolve hostnames in a FQDN policy. | ||
dnsServerOverride: "" | ||
# -- The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. comment out of date |
||
# The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL | ||
# value of the application's DNS cache. | ||
fqdnCacheMinTTL: 0 | ||
# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. | ||
serviceCIDR: "" | ||
# -- IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. | ||
|
antoninbas marked this conversation as resolved.
Show resolved
Hide resolved
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -155,13 +155,19 @@ func (o *Options) validate(args []string) error { | |||||
return fmt.Errorf("nodeType %s requires feature gate ExternalNode to be enabled", o.config.NodeType) | ||||||
} | ||||||
|
||||||
if o.config.NodeType == config.ExternalNode.String() { | ||||||
// validate FqdnCacheMinTTL | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. no need to have the comment as the code is obvious and the comment doesn't provide more information |
||||||
if o.config.FqdnCacheMinTTL < 0 { | ||||||
return fmt.Errorf("fqdnCacheMinTTL set to an invalid value, its must be a positive integer") | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
} | ||||||
|
||||||
switch o.config.NodeType { | ||||||
case config.ExternalNode.String(): | ||||||
o.nodeType = config.ExternalNode | ||||||
return o.validateExternalNodeOptions() | ||||||
} else if o.config.NodeType == config.K8sNode.String() { | ||||||
case config.K8sNode.String(): | ||||||
o.nodeType = config.K8sNode | ||||||
return o.validateK8sNodeOptions() | ||||||
} else { | ||||||
default: | ||||||
return fmt.Errorf("unsupported nodeType %s", o.config.NodeType) | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is not a bad change, but I would avoid doing it in this PR as it is unrelated |
||||||
} | ||||||
} | ||||||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -196,7 +196,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider, | |
gwPort, tunPort uint32, | ||
nodeConfig *config.NodeConfig, | ||
podNetworkWait *utilwait.Group, | ||
l7Reconciler *l7engine.Reconciler) (*Controller, error) { | ||
l7Reconciler *l7engine.Reconciler, fqdnCacheMinTTL uint32) (*Controller, error) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Use a separate line for the new argument like other args. |
||
idAllocator := newIDAllocator(asyncRuleDeleteInterval, dnsInterceptRuleID) | ||
c := &Controller{ | ||
antreaClientProvider: antreaClientGetter, | ||
|
@@ -227,7 +227,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider, | |
|
||
var err error | ||
if antreaPolicyEnabled { | ||
if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}); err != nil { | ||
if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}, fqdnCacheMinTTL); err != nil { | ||
return nil, err | ||
} | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -155,6 +155,10 @@ type AgentConfig struct { | |
// Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, | ||
// 10.96.0.10:53, [fd00:10:96::a]:53). | ||
DNSServerOverride string `yaml:"dnsServerOverride,omitempty"` | ||
// The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely. | ||
// The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL | ||
// value of the application's DNS cache. | ||
FqdnCacheMinTTL int `yaml:"fqdnCacheMinTTL,omitempty"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think the field name here should be There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. comment not addressed |
||
// Cipher suites to use. | ||
TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"` | ||
// TLS min version. | ||
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -5270,8 +5270,12 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) { | |||||
k8sUtils.Cleanup(namespaces) | ||||||
} | ||||||
|
||||||
// TestFQDNCacheMinTTL tests stable FQDN access for applications with cached DNS resolutions | ||||||
// when FQDN NetworkPolicy are in use and the FQDN-to-IP resolution changes frequently. | ||||||
// TestFQDNCacheMinTTL ensures stable FQDN access for applications that cache DNS resolutions, | ||||||
// even when FQDN-to-IP mappings change frequently, and FQDN-based NetworkPolicies are in use. | ||||||
// It validates the functionality of the new minTTL configuration, which is used for scenarios | ||||||
// where applications may cache DNS responses beyond the TTL defined in original DNS response. | ||||||
// The minTTL value enforces that resolved IPs remain in datapath rules for as long as | ||||||
// applications might cache them, thereby preventing intermittent network connectivity issues to the FQDN concerned. | ||||||
func TestFQDNCacheMinTTL(t *testing.T) { | ||||||
antoninbas marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
const ( | ||||||
testFQDN = "fqdn-test-pod.lfx.test" | ||||||
|
@@ -5368,14 +5372,13 @@ func TestFQDNCacheMinTTL(t *testing.T) { | |||||
require.NoError(t, data.setPodAnnotation(data.testNamespace, "custom-dns-server", "test.antrea.io/random-value", | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. not introduced in this PR, but I just noticed the following assertion above:
1ms is much too frequent to be executing the condition function. Please update to 100ms. |
||||||
randSeq(8)), "failed to update custom DNS Pod annotation.") | ||||||
|
||||||
// finally verify that Curling the previously cached IP fails after DNS update. | ||||||
// finally verify that Curling the previously cached IP does not fail after DNS update. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
// The wait time here should be slightly longer than the reload value specified in the custom DNS configuration. | ||||||
// TODO: This assertion currently verifies the issue described in https://github.com/antrea-io/antrea/issues/6229. | ||||||
// It will need to be updated once minTTL support is implemented. | ||||||
// TODO: This assertion verifies the fix to the issue described in https://github.com/antrea-io/antrea/issues/6229. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is no longer a TODO There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. not addressed |
||||||
t.Logf("Trying to curl the existing cached IP of the domain: %s", fqdnIP) | ||||||
assert.EventuallyWithT(t, func(t *assert.CollectT) { | ||||||
_, err := curlFQDN(fqdnIP) | ||||||
assert.Error(t, err) | ||||||
assert.NoError(t, err) | ||||||
}, 10*time.Second, 1*time.Second) | ||||||
} | ||||||
|
||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/The fqdnCacheMinTTL setting helps address/fqdnCacheMinTTL helps address
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hkiiita not addressed correctly, the current sentence is not grammatically correct