From 0c75f1ab9c956099e85126645c1c55f1bb5165d5 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 10 Aug 2017 12:29:23 -0500 Subject: [PATCH] Update DNS policy for pods in host network namespace This PS updates the DNS policy for pods that run in the hosts network namespace. Change-Id: I5ff11985459c967e5248d1ce9f62ebfc578e3afb --- neutron/templates/configmap-etc.yaml | 2 -- neutron/templates/daemonset-dhcp-agent.yaml | 6 +----- neutron/templates/daemonset-l3-agent.yaml | 6 +----- .../templates/daemonset-metadata-agent.yaml | 6 +----- neutron/templates/daemonset-ovs-agent.yaml | 8 +------ neutron/templates/daemonset-ovs-db.yaml | 6 +----- neutron/templates/daemonset-ovs-vswitchd.yaml | 2 +- neutron/templates/etc/_resolv.conf.tpl | 21 ------------------- neutron/values.yaml | 7 ------- nova/templates/configmap-etc.yaml | 2 -- nova/templates/daemonset-compute.yaml | 10 +-------- nova/templates/daemonset-libvirt.yaml | 6 +----- nova/templates/deployment-novncproxy.yaml | 6 +----- nova/templates/etc/_resolv.conf.tpl | 21 ------------------- nova/values.yaml | 6 ------ 15 files changed, 9 insertions(+), 106 deletions(-) delete mode 100644 neutron/templates/etc/_resolv.conf.tpl delete mode 100644 nova/templates/etc/_resolv.conf.tpl diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index 3357a76a0c..c1b98af7f1 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml @@ -241,7 +241,5 @@ data: {{- if .Values.conf.sriov_agent.append -}} {{ .Values.conf.sriov_agent.append | indent 4 }} {{- end }} - resolv.conf: |+ -{{ tuple "etc/_resolv.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} dnsmasq.conf: "" {{- end }} diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index 04152b04c1..5ff0f4f43d 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml 
@@ -38,7 +38,7 @@ spec: {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }} securityContext: runAsUser: 0 - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_dhcp_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} @@ -76,10 +76,6 @@ spec: mountPath: /etc/neutron/dnsmasq.conf subPath: dnsmasq.conf readOnly: true - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: runopenvswitch mountPath: /run/openvswitch - name: socket diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 0603de8200..fa13d12e07 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -38,7 +38,7 @@ spec: {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }} securityContext: runAsUser: 0 - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_l3_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} @@ -72,10 +72,6 @@ spec: mountPath: /etc/neutron/l3_agent.ini subPath: l3_agent.ini readOnly: true - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: runopenvswitch mountPath: /run/openvswitch - name: libmodules diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index 51e146e324..8cf6b890c9 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml 
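Review bot: The new `dnsPolicy: ClusterFirstWithHostNet` in the dhcp-agent pod spec has no comment saying why the plain `ClusterFirst` it replaces is wrong here, and the same bare one-line change repeats in the l3-agent, metadata-agent, ovs-agent, ovs-db, ovs-vswitchd, nova compute, libvirt and novncproxy specs. With `hostNetwork: true`, Kubernetes resolves a `ClusterFirst` pod through the node's own resolver, which is presumably why the chart used to bind-mount a generated resolv.conf; a comment above the field such as `# hostNetwork pods only resolve cluster service names with ClusterFirstWithHostNet; ClusterFirst falls back to the node resolver` would keep a later cleanup from reverting it. API servers that predate this policy value reject it, so the chart should state the minimum Kubernetes version it supports (I believe the value arrived in 1.6; confirm). Because this commit also deletes the `network.dns` values, existing overrides of `network.dns.servers` will be ignored without any error, which deserves a release note. The pod spec continues outside the hunk.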
@@ -38,7 +38,7 @@ spec: {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }} securityContext: runAsUser: 0 - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_metadata_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} @@ -74,10 +74,6 @@ spec: mountPath: /etc/neutron/metadata_agent.ini subPath: metadata_agent.ini readOnly: true - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: runopenvswitch mountPath: /run/openvswitch - name: socket diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index e6b0b99818..3b1a1d3edb 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml @@ -36,7 +36,7 @@ spec: spec: nodeSelector: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true initContainers: {{ tuple $envAll $dependencies $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} @@ -73,9 +73,6 @@ spec: readOnly: true - name: run mountPath: /run - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf {{- if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} containers: - name: ovs-agent @@ -118,9 +115,6 @@ spec: readOnly: true - name: run mountPath: /run - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf {{- if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: varlibopenvswitch 
diff --git a/neutron/templates/daemonset-ovs-db.yaml b/neutron/templates/daemonset-ovs-db.yaml index c392814603..db1cfea7d3 100644 --- a/neutron/templates/daemonset-ovs-db.yaml +++ b/neutron/templates/daemonset-ovs-db.yaml @@ -35,7 +35,7 @@ spec: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} securityContext: runAsUser: 0 - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true containers: - name: ovs-db @@ -51,10 +51,6 @@ spec: mountPath: /tmp/openvswitch-db-server.sh subPath: openvswitch-db-server.sh readOnly: true - - name: neutron-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: varlibopenvswitch mountPath: /var/lib/openvswitch/ - name: run diff --git a/neutron/templates/daemonset-ovs-vswitchd.yaml b/neutron/templates/daemonset-ovs-vswitchd.yaml index 1220004a5b..ab617861e5 100644 --- a/neutron/templates/daemonset-ovs-vswitchd.yaml +++ b/neutron/templates/daemonset-ovs-vswitchd.yaml @@ -35,7 +35,7 @@ spec: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} securityContext: runAsUser: 0 - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet hostNetwork: true containers: - name: ovs-vswitchd diff --git a/neutron/templates/etc/_resolv.conf.tpl b/neutron/templates/etc/_resolv.conf.tpl deleted file mode 100644 index 885e2dc305..0000000000 --- a/neutron/templates/etc/_resolv.conf.tpl +++ /dev/null 
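Review bot: In daemonset-ovs-vswitchd.yaml the `dnsPolicy` line is the only change (the diffstat shows `2 +-` and no resolv.conf mount is removed), so this pod apparently never had the generated resolv.conf, and its effective resolver moves from the node's to cluster DNS. If ovs-vswitchd never looks up cluster service names, which this hunk does not show, `dnsPolicy: Default` would keep the datapath daemon independent of cluster DNS availability. Otherwise a one-line comment naming the lookup it needs would document the dependency. The container list continues outside the hunk.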
@@ -1,21 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -search {{ .Release.Namespace }}.svc.{{ .Values.network.dns.kubernetes_domain }} svc.{{ .Values.network.dns.kubernetes_domain }} {{ .Values.network.dns.kubernetes_domain }} -{{- range .Values.network.dns.servers }} -nameserver {{ . | title }} -{{- end }} -options ndots:5 diff --git a/neutron/values.yaml b/neutron/values.yaml index ee38cd3db8..6890e371ea 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -60,13 +60,6 @@ labels: node_selector_value: enabled network: - dns: - kubernetes_domain: cluster.local - # this must list the skydns server first, and in calico - # this is consistently 10.96.0.10 - servers: - - 10.96.0.10 - - 8.8.8.8 external_bridge: br-ex ip_address: 0.0.0.0 interface: diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index bbc4527ea1..659836e9e7 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml @@ -125,8 +125,6 @@ data: {{- else -}} {{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- end }} - resolv.conf: |+ -{{ tuple "etc/_resolv.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} libvirtd.conf: |+ {{ tuple "etc/_libvirtd.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} qemu.conf: |+ 
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 7c72b6e791..8333674614 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -40,7 +40,7 @@ spec: runAsUser: 0 hostNetwork: true hostPID: true - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet initContainers: {{ tuple $envAll $dependencies $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{- if .Values.ceph.enabled }} @@ -81,10 +81,6 @@ spec: mountPath: /etc/nova/api-paste.ini subPath: api-paste.ini readOnly: true - - name: nova-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: nova-etc mountPath: /etc/ceph/ceph.conf subPath: ceph.conf @@ -132,10 +128,6 @@ spec: mountPath: /etc/nova/policy.yaml subPath: policy.yaml readOnly: true - - name: nova-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true {{- if .Values.ceph.enabled }} - name: etcceph mountPath: /etc/ceph diff --git a/nova/templates/daemonset-libvirt.yaml b/nova/templates/daemonset-libvirt.yaml index d2e6bba9cc..0c8c86bd83 100644 --- a/nova/templates/daemonset-libvirt.yaml +++ b/nova/templates/daemonset-libvirt.yaml @@ -40,7 +40,7 @@ spec: runAsUser: 0 hostNetwork: true hostPID: true - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet initContainers: {{ tuple $envAll $dependencies $mounts_nova_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{- if .Values.ceph.enabled }} @@ -98,10 +98,6 @@ spec: mountPath: /etc/nova/api-paste.ini subPath: api-paste.ini readOnly: true - - name: nova-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - mountPath: /lib/modules name: libmodules readOnly: true diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index e9822d4475..fd9fb626b0 100644 
--- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml @@ -41,7 +41,7 @@ spec: nodeSelector: {{ .Values.labels.novncproxy.node_selector_key }}: {{ .Values.labels.novncproxy.node_selector_value }} hostNetwork: true - dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet initContainers: {{ tuple $envAll $dependencies $mounts_nova_novncproxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: nova-novncproxy-init @@ -77,10 +77,6 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true - - name: nova-etc - mountPath: /etc/resolv.conf - subPath: resolv.conf - readOnly: true - name: pod-shared mountPath: /tmp/pod-shared {{- if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} diff --git a/nova/templates/etc/_resolv.conf.tpl b/nova/templates/etc/_resolv.conf.tpl deleted file mode 100644 index 885e2dc305..0000000000 --- a/nova/templates/etc/_resolv.conf.tpl +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -search {{ .Release.Namespace }}.svc.{{ .Values.network.dns.kubernetes_domain }} svc.{{ .Values.network.dns.kubernetes_domain }} {{ .Values.network.dns.kubernetes_domain }} -{{- range .Values.network.dns.servers }} -nameserver {{ . | title }} -{{- end }} -options ndots:5 
diff --git a/nova/values.yaml b/nova/values.yaml index 4459c65b39..032b07c8c3 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -105,12 +105,6 @@ bootstrap: vcpus: 8 network: - dns: - servers: - - "10.96.0.10" - - "8.8.8.8" - kubernetes_domain: "cluster.local" - other_domains: "" osapi: port: 8774 ingress: