Add antctl get fqdncache

pkg/agent/apis/types.go

@@ -15,8 +15,10 @@
 package apis
 
 import (
+	"net"
 	"strconv"
 	"strings"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 
@@ -72,6 +74,28 @@ func (r AntreaAgentInfoResponse) SortRows() bool {
 	return true
 }
 
+type FqdnCacheResponse struct {
+	fqdnName       string
+	ipAddress      net.IP
+	expirationTime time.Time
+}
+
+func (r FqdnCacheResponse) GetTableHeader() []string {
+	return []string{"FQDN", "ADDRESS", "EXPIRATION TIME"}
+}
+
+func (r FqdnCacheResponse) GetTableRow(maxColumn int) []string {
+	return []string{
+		r.fqdnName,
+		r.ipAddress.String(),
+		r.expirationTime.String(),
+	}
+}
+
+func (r FqdnCacheResponse) SortRows() bool {
+	return false
+}
+
 type FeatureGateResponse struct {
 	Component string `json:"component,omitempty"`
 	Name      string `json:"name,omitempty"`

pkg/agent/apiserver/apiserver.go

@@ -40,6 +40,7 @@ import (
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/bgppolicy"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/bgproute"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/featuregates"
+	"antrea.io/antrea/pkg/agent/apiserver/handlers/fqdncache"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/memberlist"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/multicast"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/networkpolicy"
@@ -104,6 +105,7 @@ func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolic
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgppolicy", bgppolicy.HandleFunc(bgpq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgppeers", bgppeer.HandleFunc(bgpq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgproutes", bgproute.HandleFunc(bgpq))
+	s.Handler.NonGoRestfulMux.HandleFunc("/fqdncache", fqdncache.HandleFunc(aq))
 }
 
 func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool) error {

pkg/agent/apiserver/handlers/fqdncache/handler.go

@@ -0,0 +1,37 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fqdncache
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"k8s.io/klog/v2"
+
+	agentquerier "antrea.io/antrea/pkg/agent/querier"
+)
+
+func HandleFunc(aq agentquerier.AgentQuerier) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		dnsEntryCache := aq.GetFqdnCache()
+		if dnsEntryCache == nil {
+			return
+		}
+		if err := json.NewEncoder(w).Encode(dnsEntryCache); err != nil {
+			http.Error(w, "Failed to encode response: "+err.Error(), http.StatusInternalServerError)
+			klog.ErrorS(err, "Failed to encode response")
+		}
+	}
+}

pkg/agent/apiserver/handlers/fqdncache/handler_test.go

@@ -0,0 +1,125 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fqdncache
+
+import (
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+
+	queriertest "antrea.io/antrea/pkg/agent/querier/testing"
+	"antrea.io/antrea/pkg/agent/types"
+)
+
+func TestFqdnCacheQuery(t *testing.T) {
+	tests := []struct {
+		name             string
+		expectedStatus   int
+		expectedResponse []types.DnsCacheEntry
+	}{
+		{
+			name:           "FQDN cache exists",
+			expectedStatus: http.StatusOK,
+			expectedResponse: []types.DnsCacheEntry{
+				{
+					FqdnName:       "example.com",
+					IpAddress:      net.ParseIP("10.0.0.1"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+			},
+		},
+		{
+			name:           "FQDN cache exists - multiple addresses same domain",
+			expectedStatus: http.StatusOK,
+			expectedResponse: []types.DnsCacheEntry{
+				{
+					FqdnName:       "example.com",
+					IpAddress:      net.ParseIP("10.0.0.1"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				{
+					FqdnName:       "example.com",
+					IpAddress:      net.ParseIP("10.0.0.2"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				{
+					FqdnName:       "example.com",
+					IpAddress:      net.ParseIP("10.0.0.3"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+			},
+		},
+		{
+			name:           "FQDN cache exists - multiple addresses multiple domains",
+			expectedStatus: http.StatusOK,
+			expectedResponse: []types.DnsCacheEntry{
+				{
+					FqdnName:       "example.com",
+					IpAddress:      net.ParseIP("10.0.0.1"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				{
+					FqdnName:       "foo.com",
+					IpAddress:      net.ParseIP("10.0.0.4"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				{
+					FqdnName:       "bar.com",
+					IpAddress:      net.ParseIP("10.0.0.5"),
+					ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+			},
+		},
+		{
+			name:             "FQDN cache does not exist",
+			expectedStatus:   http.StatusOK,
+			expectedResponse: []types.DnsCacheEntry{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			q := queriertest.NewMockAgentQuerier(ctrl)
+			q.EXPECT().GetFqdnCache().Return(tt.expectedResponse)
+			handler := HandleFunc(q)
+			req, err := http.NewRequest(http.MethodGet, "", nil)
+			require.NoError(t, err)
+			recorder := httptest.NewRecorder()
+			handler.ServeHTTP(recorder, req)
+			assert.Equal(t, tt.expectedStatus, recorder.Code)
+			if tt.expectedStatus == http.StatusOK {
+				var receivedResponse []map[string]interface{}
+				err = json.Unmarshal(recorder.Body.Bytes(), &receivedResponse)
+				require.NoError(t, err)
+				for i, rec := range receivedResponse {
+					parsedTime, err := time.Parse(time.RFC3339, rec["expirationTime"].(string))
+					require.NoError(t, err)
+					assert.Equal(t, tt.expectedResponse[i], types.DnsCacheEntry{
+						FqdnName:       rec["fqdnName"].(string),
+						IpAddress:      net.ParseIP(rec["ipAddress"].(string)),
+						ExpirationTime: parsedTime,
+					})
+				}
+			}
+		})
+	}
+}

pkg/agent/controller/networkpolicy/networkpolicy_controller.go

@@ -538,6 +538,17 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 	return c, nil
 }
 
+func (c *Controller) GetFqdnCache() []types.DnsCacheEntry {
+	cacheEntryList := []types.DnsCacheEntry{}
+	for _, dnsMeta := range c.fqdnController.dnsEntryCache {
+		for fqdn, ipWithExpiration := range dnsMeta.responseIPs {
+			entry := types.DnsCacheEntry{FqdnName: fqdn, IpAddress: ipWithExpiration.ip, ExpirationTime: ipWithExpiration.expirationTime}
+			cacheEntryList = append(cacheEntryList, entry)
+		}
+	}
+	return cacheEntryList
+}
+
 func (c *Controller) GetNetworkPolicyNum() int {
 	return c.ruleCache.GetNetworkPolicyNum()
 }

pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go

@@ -903,3 +903,61 @@ func TestValidate(t *testing.T) {
 		t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress2, v1beta1.RuleActionDrop, item.RuleAction)
 	}
 }
+
+func TestGetFqdnCache(t *testing.T) {
+	controller, _, _ := newTestController()
+	expectedEntryList := []agenttypes.DnsCacheEntry{}
+	assert.Equal(t, expectedEntryList, controller.GetFqdnCache())
+
+	controller.fqdnController.dnsEntryCache = map[string]dnsMeta{
+		"*.example.com": {
+			responseIPs: map[string]ipWithExpiration{
+				"maps.example.com": {
+					ip:             net.ParseIP("10.0.0.1"),
+					expirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				"mail.example.com": {
+					ip:             net.ParseIP("10.0.0.2"),
+					expirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+				"photos.example.com": {
+					ip:             net.ParseIP("10.0.0.3"),
+					expirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+			},
+		},
+		"antrea.io": {
+			responseIPs: map[string]ipWithExpiration{
+				"antrea.io": {
+					ip:             net.ParseIP("10.0.0.4"),
+					expirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+				},
+			},
+		},
+	}
+
+	expectedEntryList = []agenttypes.DnsCacheEntry{
+		{
+			FqdnName:       "maps.example.com",
+			IpAddress:      net.ParseIP("10.0.0.1"),
+			ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+		},
+		{
+			FqdnName:       "mail.example.com",
+			IpAddress:      net.ParseIP("10.0.0.2"),
+			ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+		},
+		{
+			FqdnName:       "photos.example.com",
+			IpAddress:      net.ParseIP("10.0.0.3"),
+			ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+		},
+		{
+			FqdnName:       "antrea.io",
+			IpAddress:      net.ParseIP("10.0.0.4"),
+			ExpirationTime: time.Date(2025, 12, 25, 15, 0, 0, 0, time.UTC),
+		},
+	}
+	returnedList := controller.GetFqdnCache()
+	assert.ElementsMatch(t, expectedEntryList, returnedList)
+}

pkg/agent/querier/querier.go

@@ -26,6 +26,7 @@ import (
 	"antrea.io/antrea/pkg/agent/memberlist"
 	"antrea.io/antrea/pkg/agent/openflow"
 	"antrea.io/antrea/pkg/agent/proxy"
+	"antrea.io/antrea/pkg/agent/types"
 	"antrea.io/antrea/pkg/apis/crd/v1beta1"
 	"antrea.io/antrea/pkg/ovs/ovsconfig"
 	"antrea.io/antrea/pkg/ovs/ovsctl"
@@ -47,6 +48,7 @@ type AgentQuerier interface {
 	GetMemberlistCluster() memberlist.Interface
 	GetNodeLister() corelisters.NodeLister
 	GetBGPPolicyInfoQuerier() querier.AgentBGPPolicyInfoQuerier
+	GetFqdnCache() []types.DnsCacheEntry
 }
 
 type agentQuerier struct {
@@ -97,6 +99,11 @@ func NewAgentQuerier(
 	}
 }
 
+// GetFQDNCache returns dnsEntryCache within fqdnController
+func (aq agentQuerier) GetFqdnCache() []types.DnsCacheEntry {
+	return aq.networkPolicyInfoQuerier.GetFqdnCache()
+}
+
 // GetNodeLister returns NodeLister.
 func (aq agentQuerier) GetNodeLister() corelisters.NodeLister {
 	return aq.nodeLister

pkg/agent/types/networkpolicy.go

@@ -15,13 +15,22 @@
 package types
 
 import (
+	"net"
+	"time"
+
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"antrea.io/antrea/pkg/apis/controlplane/v1beta2"
 	secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 	binding "antrea.io/antrea/pkg/ovs/openflow"
 )
 
+type DnsCacheEntry struct {
+	FqdnName       string    `json:"fqdnName,omitempty"`
+	IpAddress      net.IP    `json:"ipAddress,omitempty"`
+	ExpirationTime time.Time `json:"expirationTime,omitempty"`
+}
+
 type MatchKey struct {
 	ofProtocol    binding.Protocol
 	valueCategory AddressCategory