Stop using ClusterFirstWithHostNet DNSPolicy for antrea-agent #4548
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #4548 +/- ##
==========================================
- Coverage 68.51% 68.49% -0.03%
==========================================
Files 400 400
Lines 58216 58192 -24
==========================================
- Hits 39887 39858 -29
- Misses 15564 15582 +18
+ Partials 2765 2752 -13
|
antoninbas
force-pushed
the
stop-using-ClusterFirstWithHostNet-dnsPolicy-for-antrea-agent
branch
3 times, most recently
from
8df0283
to
ffaa9ec
Compare
antoninbas
added
the
action/release-note
antoninbas
force-pushed
the
stop-using-ClusterFirstWithHostNet-dnsPolicy-for-antrea-agent
branch
from
ffaa9ec
to
d3292b5
Compare
|
/test-all |
heanlan
previously approved these changes
Jan 14, 2023
The DaemonSet for a CNI should not use ClusterFirstWithHostNet and should not have a dependency on cluster DNS, since cluster DNS itself depends on the CNI. Therefore, we revert to the "default" DNSPolicy for host-network Pods. The only dependency we had on cluster DNS was in the Flow Exporter, where we would try to connect to the Flow Aggregator using DNS name "flow-aggregator.flow-aggregator.svc" (by default). This would only work on Linux, and not on Windows (for Windows Nodes, the Cluster IP had to be provided instead). We update the Flow Exporter to resolve the Service Cluster IP using the K8s API instead. Notable changes: * go-ipfix is upgraded to v0.6.0 to support configuring the server name for Flow Aggregator certificate verification in the Flow Exporter * the flowAggregatorAddress parameter is no longer required in the Flow Aggregator configuration * the format for the flowCollectorAddr parameter in the Flow Exporter configuration (antrea-agent) is changed in a non backwards-compatible way. The "host" name must be provided as "flow-aggregator/flow-aggregator" instead of "flow-aggregator.flow-aggregator.svc". Fixes antrea-io#3279 Signed-off-by: Antonin Bas <abas@vmware.com>
Signed-off-by: Antonin Bas <abas@vmware.com>
antoninbas
force-pushed
the
stop-using-ClusterFirstWithHostNet-dnsPolicy-for-antrea-agent
branch
from
d3292b5
to
a33037b
Compare
|
/test-all |
antoninbas
deleted the
stop-using-ClusterFirstWithHostNet-dnsPolicy-for-antrea-agent
branch
GraysonWu
pushed a commit
to GraysonWu/antrea
that referenced
this pull request
Jan 27, 2023
…-io#4548) The DaemonSet for a CNI should not use ClusterFirstWithHostNet and should not have a dependency on cluster DNS, since cluster DNS itself depends on the CNI. Therefore, we revert to the "default" DNSPolicy for host-network Pods. The only dependency we had on cluster DNS was in the Flow Exporter, where we would try to connect to the Flow Aggregator using DNS name "flow-aggregator.flow-aggregator.svc" (by default). This would only work on Linux, and not on Windows (for Windows Nodes, the Cluster IP had to be provided instead). We update the Flow Exporter to resolve the Service Cluster IP using the K8s API instead. Notable changes: * go-ipfix is upgraded to v0.6.0 to support configuring the server name for Flow Aggregator certificate verification in the Flow Exporter * the flowAggregatorAddress parameter is no longer required in the Flow Aggregator configuration * the format for the flowCollectorAddr parameter in the Flow Exporter configuration (antrea-agent) is changed in a non backwards-compatible way. The "host" name must be provided as "flow-aggregator/flow-aggregator" instead of "flow-aggregator.flow-aggregator.svc". Fixes antrea-io#3279 Signed-off-by: Antonin Bas <abas@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The DaemonSet for a CNI should not use ClusterFirstWithHostNet and should not have a dependency on cluster DNS, since cluster DNS itself depends on the CNI. Therefore, we revert to the "default" DNSPolicy for host-network Pods.
The only dependency we had on cluster DNS was in the Flow Exporter, where we would try to connect to the Flow Aggregator using DNS name "flow-aggregator.flow-aggregator.svc" (by default). This would only work on Linux, and not on Windows (for Windows Nodes, the Cluster IP had to be provided instead). We update the Flow Exporter to resolve the Service Cluster IP using the K8s API instead.
Notable changes:
Fixes #3279
Signed-off-by: Antonin Bas abas@vmware.com