Small doc improvements for FQDN policies (#5994)
* Do not use db-svc.default.svc.cluster.local as an example in the API
  documentation, as it only works for headless Services and not for
  Services in general.
* Indicate in log message that cluster DNS names are not supported when
  falling back to local resolver (which should pretty much never happen).

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas authored Feb 16, 2024
1 parent 1fa4883 commit 2d8ddfe
Showing 8 changed files with 56 additions and 52 deletions.
4 changes: 4 additions & 0 deletions docs/antrea-network-policy.md
Expand Up @@ -1398,6 +1398,10 @@ spec:
- fqdn: "svcA.default.svc.cluster.local"
```

More generally speaking, it is not recommended to use the FQDN selector for DNS
names created by Kubernetes, as label-based selectors are more appropriate for
Kubernetes workloads.

### Node Selector

NodeSelector selects certain Nodes which match the label selector.
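
Review bot: The added paragraph after the "svcA.default.svc.cluster.local" example gives the recommendation without the reason. The commit message says such names only work for headless Services and not for Services in general; one sentence saying so here would tell readers what actually fails. It would also help to name the label-based selectors that are meant, for example by linking to the relevant sections of this document.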
32 changes: 16 additions & 16 deletions multicluster/build/yamls/antrea-multicluster-leader-global.yml
Expand Up @@ -1058,8 +1058,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
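
Review bot: The retained wildcard example "*wayfair.com" has no dot after the asterisk. If the asterisk can match arbitrary characters, this pattern would also allow egress to unrelated names that merely end in "wayfair.com"; since this description is what users copy from, consider "*.wayfair.com" as the example, or add a sentence stating what the asterisk matches. The same text recurs in every hunk of this file.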
Expand Down Expand Up @@ -1465,8 +1465,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2022,8 +2022,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2429,8 +2429,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -3969,8 +3969,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -4376,8 +4376,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -4933,8 +4933,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -5340,8 +5340,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
32 changes: 16 additions & 16 deletions multicluster/build/yamls/antrea-multicluster-leader.yml
Expand Up @@ -1058,8 +1058,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
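
Review bot: With "db-svc.default.svc.cluster.local" dropped from the description, the field documentation no longer mentions cluster DNS names at all, so someone reading only the CRD schema gets no hint that they are discouraged. Consider adding a short sentence to the description that mirrors the new paragraph in docs/antrea-network-policy.md ("it is not recommended to use the FQDN selector for DNS names created by Kubernetes").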
Expand Down Expand Up @@ -1465,8 +1465,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2022,8 +2022,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2429,8 +2429,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -3969,8 +3969,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -4376,8 +4376,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -4933,8 +4933,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -5340,8 +5340,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Original file line number Diff line number Diff line change
Expand Up @@ -648,8 +648,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -1055,8 +1055,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -1612,8 +1612,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2019,8 +2019,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Original file line number Diff line number Diff line change
Expand Up @@ -646,8 +646,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -1053,8 +1053,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -1610,8 +1610,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
Expand Down Expand Up @@ -2017,8 +2017,8 @@ spec:
Qualified Domain Names prescribed by name or by
wildcard match patterns. This field can only be
set for NetworkPolicyPeer of egress rules. Supported
formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
Wildcard expressions, i.e. "*wayfair.com".'
formats are: Exact FQDNs such as "google.com". Wildcard
expressions such as "*wayfair.com".'
type: string
group:
description: Group is the name of the ClusterGroup
2 changes: 1 addition & 1 deletion pkg/agent/controller/networkpolicy/fqdn.go
Expand Up @@ -180,7 +180,7 @@ func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServer
} else {
host, port := os.Getenv(kubeDNSServiceHost), os.Getenv(kubeDNSServicePort)
if host == "" || port == "" {
klog.InfoS("Unable to derive DNS server from the kube-dns Service, will fall back to local resolver")
klog.InfoS("Unable to derive DNS server from the kube-dns Service, will fall back to local resolver and DNS names matching the configured cluster domain suffix are not supported")
controller.dnsServerAddr = ""
} else {
controller.dnsServerAddr = net.JoinHostPort(host, port)
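
Review bot: The fallback branch under `if host == "" || port == ""` logs at info level and does not say which of the two values was empty. Since this path means FQDN rules for names under the cluster domain suffix will not work, a more visible level would be appropriate, and passing the values as key/value pairs (for example "host", host, "port", port) would make the cause clear from the log alone. The new message is also a run-on; splitting it after "local resolver" reads better.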