Stop using ClusterFirstWithHostNet DNSPolicy for antrea-agent

build/charts/antrea/README.md

@@ -31,7 +31,7 @@ Kubernetes: `>= 1.16.0-0`
 | agent.antreaOVS.logFileMaxSize | int | `100` | Max size in MBs of any single log file. |
 | agent.antreaOVS.resources | object | `{"requests":{"cpu":"200m"}}` | Resource requests and limits for the antrea-ovs container. |
 | agent.apiPort | int | `10350` | Port for the antrea-agent APIServer to serve on. |
-| agent.dnsPolicy | string | `"ClusterFirstWithHostNet"` | DNS Policy for the antrea-agent Pods. |
+| agent.dnsPolicy | string | `""` | DNS Policy for the antrea-agent Pods. If empty, the Kubernetes default will be used. |
 | agent.enablePrometheusMetrics | bool | `true` | Enable metrics exposure via Prometheus. |
 | agent.extraVolumes | list | `[]` | Additional volumes for antrea-agent Pods. |
 | agent.installCNI.resources | object | `{"requests":{"cpu":"100m"}}` | Resource requests and limits for the install-cni initContainer. |
@@ -70,7 +70,7 @@ Kubernetes: `>= 1.16.0-0`
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
 | flowCollector.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowCollector.collectorAddr | string | `"flow-aggregator.flow-aggregator.svc:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. |
+| flowCollector.collectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
 | flowCollector.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |

build/charts/antrea/conf/antrea-agent.conf

@@ -191,10 +191,12 @@ apiPort: {{ .Values.agent.apiPort }}
 enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
 
 # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-# HOST can either be the DNS name or the IP of the Flow Collector. For example,
-# "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
-# to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
-# However, IPv6 address should be wrapped with [].
+# HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+# using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+# wrapped with []. When the collector is running in-cluster as a Service, set
+# <HOST> to <Service namespace>/<Service name>. For example,
+# "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+# Flow Aggregator Service.
 # If PORT is empty, we default to 4739, the standard IPFIX port.
 # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
 # "udp" protocols. "tls" is used for securing communication between flow exporter and

build/charts/antrea/templates/agent/daemonset.yaml

@@ -37,7 +37,9 @@ spec:
         {{- end }}
     spec:
       hostNetwork: true
+      {{- if .Values.agent.dnsPolicy }}
       dnsPolicy: {{ .Values.agent.dnsPolicy }}
+      {{- end }}
       priorityClassName: {{ .Values.agent.priorityClassName }}
       {{- with .Values.agent.nodeSelector }}
       nodeSelector:

build/charts/antrea/values.yaml

@@ -192,8 +192,9 @@ agent:
   priorityClassName: "system-node-critical"
   # -- Affinity for the antrea-agent Pods.
   affinity: {}
-  # -- DNS Policy for the antrea-agent Pods.
-  dnsPolicy: "ClusterFirstWithHostNet"
+  # -- DNS Policy for the antrea-agent Pods. If empty, the Kubernetes default
+  # will be used.
+  dnsPolicy: ""
   # -- Update strategy for the antrea-agent DaemonSet.
   updateStrategy:
     type: RollingUpdate
@@ -286,7 +287,9 @@ controller:
 
 flowCollector:
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-  collectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+  # If the collector is running in-cluster as a Service, set <HOST> to
+  # <Service namespace>/<Service name>.
+  collectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
   # -- Determines how often the flow exporter polls for new connections.
   flowPollInterval: "5s"
   # -- timeout after which a flow record is sent to the collector for active

build/charts/flow-aggregator/README.md

@@ -29,7 +29,7 @@ Kubernetes: `>= 1.16.0-0`
 | clickHouse.databaseURL | string | `"tcp://clickhouse-clickhouse.flow-visibility.svc:9000"` | DatabaseURL is the url to the database. TCP protocol is required. |
 | clickHouse.debug | bool | `false` | Debug enables debug logs from ClickHouse sql driver. |
 | clickHouse.enable | bool | `false` | Determine whether to enable exporting flow records to ClickHouse. |
-| flowAggregatorAddress | string | `"flow-aggregator.flow-aggregator.svc"` | Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match the flowCollectorAddr parameter in the antrea-agent config. |
+| flowAggregatorAddress | string | `""` | Provide an extra DNS name or IP address of flow aggregator for generating TLS certificate. |
 | flowCollector.address | string | `""` | Provide the flow collector address as string with format <IP>:<port>[:<proto>],  where proto is tcp or udp. If no L4 transport proto is given, we consider tcp as default. |
 | flowCollector.enable | bool | `false` | Determine whether to enable exporting flow records to external flow collector. |
 | flowCollector.observationDomainID | string | `""` | Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated from the persistent cluster UUID generated by Antrea. |

build/charts/flow-aggregator/conf/flow-aggregator.conf

@@ -16,8 +16,7 @@ inactiveFlowRecordTimeout: {{ .Values.inactiveFlowRecordTimeout }}
 # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp.
 aggregatorTransportProtocol: {{ .Values.aggregatorTransportProtocol | quote }}
 
-# Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match
-# the flowCollectorAddr parameter in the antrea-agent config.
+# Provide an extra DNS name or IP address of flow aggregator for generating TLS certificate.
 flowAggregatorAddress: {{ .Values.flowAggregatorAddress | quote }}
 
 # recordContents enables configuring some fields in the flow records. Fields can

build/charts/flow-aggregator/values.yaml

@@ -12,9 +12,8 @@ activeFlowRecordTimeout: 60s
 inactiveFlowRecordTimeout: 90s
 # -- Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp.
 aggregatorTransportProtocol: "tls"
-# -- Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match
-# the flowCollectorAddr parameter in the antrea-agent config.
-flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc"
+# -- Provide an extra DNS name or IP address of flow aggregator for generating TLS certificate.
+flowAggregatorAddress: ""
 # recordContents enables configuring some fields in the flow records.
 recordContents:
   # -- Determine whether source and destination Pod labels will be included in the flow records.

build/yamls/antrea-aks.yml

@@ -3107,15 +3107,17 @@ data:
     enablePrometheusMetrics: true
 
     # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name or the IP of the Flow Collector. For example,
-    # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
-    # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
-    # However, IPv6 address should be wrapped with [].
+    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+    # wrapped with []. When the collector is running in-cluster as a Service, set
+    # <HOST> to <Service namespace>/<Service name>. For example,
+    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+    # Flow Aggregator Service.
     # If PORT is empty, we default to 4739, the standard IPFIX port.
     # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
     # "udp" protocols. "tls" is used for securing communication between flow exporter and
     # flow aggregator.
-    flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -4291,7 +4293,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c538ad921f7162e309b647e9de6e157b870cbee880c139994f62ab7f26a57bdc
+        checksum/config: a5cdb0e182ac7ccdd59fd7f435fa07bc90d48422fbdc98cdd53359aef80bf59a
       labels:
         app: antrea
         component: antrea-agent
@@ -4532,7 +4534,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c538ad921f7162e309b647e9de6e157b870cbee880c139994f62ab7f26a57bdc
+        checksum/config: a5cdb0e182ac7ccdd59fd7f435fa07bc90d48422fbdc98cdd53359aef80bf59a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3107,15 +3107,17 @@ data:
     enablePrometheusMetrics: true
 
     # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name or the IP of the Flow Collector. For example,
-    # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
-    # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
-    # However, IPv6 address should be wrapped with [].
+    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+    # wrapped with []. When the collector is running in-cluster as a Service, set
+    # <HOST> to <Service namespace>/<Service name>. For example,
+    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+    # Flow Aggregator Service.
     # If PORT is empty, we default to 4739, the standard IPFIX port.
     # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
     # "udp" protocols. "tls" is used for securing communication between flow exporter and
     # flow aggregator.
-    flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -4291,13 +4293,12 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c538ad921f7162e309b647e9de6e157b870cbee880c139994f62ab7f26a57bdc
+        checksum/config: a5cdb0e182ac7ccdd59fd7f435fa07bc90d48422fbdc98cdd53359aef80bf59a
       labels:
         app: antrea
         component: antrea-agent
     spec:
       hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
       priorityClassName: system-node-critical
       nodeSelector:
         kubernetes.io/os: linux
@@ -4534,7 +4535,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c538ad921f7162e309b647e9de6e157b870cbee880c139994f62ab7f26a57bdc
+        checksum/config: a5cdb0e182ac7ccdd59fd7f435fa07bc90d48422fbdc98cdd53359aef80bf59a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3107,15 +3107,17 @@ data:
     enablePrometheusMetrics: true
 
     # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name or the IP of the Flow Collector. For example,
-    # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
-    # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
-    # However, IPv6 address should be wrapped with [].
+    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+    # wrapped with []. When the collector is running in-cluster as a Service, set
+    # <HOST> to <Service namespace>/<Service name>. For example,
+    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+    # Flow Aggregator Service.
     # If PORT is empty, we default to 4739, the standard IPFIX port.
     # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
     # "udp" protocols. "tls" is used for securing communication between flow exporter and
     # flow aggregator.
-    flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -4291,13 +4293,12 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 201c5cc90d0c06e5c9c81e672107cb0d7fe42c23ab6bf6fa5ea8524ee466b790
+        checksum/config: 0abb3d19aa5b5e3a83d4f46868d66f1904eab0572aed86ae91eb3c0e4d6cb75a
       labels:
         app: antrea
         component: antrea-agent
     spec:
       hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
       priorityClassName: system-node-critical
       nodeSelector:
         kubernetes.io/os: linux
@@ -4531,7 +4532,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 201c5cc90d0c06e5c9c81e672107cb0d7fe42c23ab6bf6fa5ea8524ee466b790
+        checksum/config: 0abb3d19aa5b5e3a83d4f46868d66f1904eab0572aed86ae91eb3c0e4d6cb75a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3120,15 +3120,17 @@ data:
     enablePrometheusMetrics: true
 
     # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name or the IP of the Flow Collector. For example,
-    # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
-    # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
-    # However, IPv6 address should be wrapped with [].
+    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+    # wrapped with []. When the collector is running in-cluster as a Service, set
+    # <HOST> to <Service namespace>/<Service name>. For example,
+    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+    # Flow Aggregator Service.
     # If PORT is empty, we default to 4739, the standard IPFIX port.
     # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
     # "udp" protocols. "tls" is used for securing communication between flow exporter and
     # flow aggregator.
-    flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -4304,14 +4306,13 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: aff479da82f04887a261b99e41e7272427a4057060c9b7cbd202efb055c0963e
+        checksum/config: 995b258674ed96418bc039673e5d725bf0dac26cabd1447bce5a995175f9a652
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
         component: antrea-agent
     spec:
       hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
       priorityClassName: system-node-critical
       nodeSelector:
         kubernetes.io/os: linux
@@ -4590,7 +4591,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: aff479da82f04887a261b99e41e7272427a4057060c9b7cbd202efb055c0963e
+        checksum/config: 995b258674ed96418bc039673e5d725bf0dac26cabd1447bce5a995175f9a652
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-windows-containerd.yml

@@ -83,13 +83,17 @@ data:
     #enablePrometheusMetrics: true
 
     # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
-    # IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
+    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+    # wrapped with []. When the collector is running in-cluster as a Service, set
+    # <HOST> to <Service namespace>/<Service name>. For example,
+    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+    # Flow Aggregator Service.
     # If PORT is empty, we default to 4739, the standard IPFIX port.
     # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
     # "udp" protocols. "tls" is used for securing communication between flow exporter and
     # flow aggregator.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+    #flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval