From ee4290f6849722af82db3f6a62039d9a3316f840 Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Mon, 19 Aug 2024 16:10:17 +0400 Subject: [PATCH] fix: bind HostDNS to 169.254.x link-local address This is an attempt to fix many issues related with trying to use Service IP for host DNS. Fixes #9196 Signed-off-by: Andrey Smirnov --- api/api.descriptors | Bin 90928 -> 90871 bytes api/resource/definitions/k8s/k8s.proto | 1 - hack/release.toml | 4 + .../pkg/controllers/k8s/control_plane.go | 18 - .../machined/pkg/controllers/k8s/manifest.go | 8 - .../machined/pkg/controllers/k8s/templates.go | 3 - .../talos-host-dns-svc-template.yaml | 33 - .../pkg/controllers/network/hostdns_config.go | 27 +- .../api/resource/definitions/k8s/k8s.pb.go | 653 +++++++++--------- .../definitions/k8s/k8s_vtproto.pb.go | 45 -- pkg/machinery/constants/constants.go | 5 + .../resources/k8s/manifests_config.go | 2 - website/content/v1.8/reference/api.md | 1 - .../v1.8/talos-guides/network/host-dns.md | 25 +- 14 files changed, 349 insertions(+), 476 deletions(-) delete mode 100644 internal/app/machined/pkg/controllers/k8s/templates/talos-host-dns-svc-template.yaml diff --git a/api/api.descriptors b/api/api.descriptors index 2c9be19ae7c51d3e9f5f5c27674a0725f485d02c..5859707e0c41a08183c8c13001ecca0d5204530d 100644 GIT binary patch delta 36 ucmV+<0Nekt#s&Aq1+anM1e7`oB9npD6| 0 { - i -= len(m.ServiceHostDnsAddress) - copy(dAtA[i:], m.ServiceHostDnsAddress) - i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.ServiceHostDnsAddress))) - i-- - dAtA[i] = 0x1 - i-- - dAtA[i] = 0x9a - } if len(m.FlannelKubeServicePort) > 0 { i -= len(m.FlannelKubeServicePort) copy(dAtA[i:], m.FlannelKubeServicePort) @@ -2510,10 +2501,6 @@ func (m *BootstrapManifestsConfigSpec) SizeVT() (n int) { if l > 0 { n += 2 + l + protohelpers.SizeOfVarint(uint64(l)) } - l = len(m.ServiceHostDnsAddress) - if l > 0 { - n += 2 + l + protohelpers.SizeOfVarint(uint64(l)) - } n += len(m.unknownFields) return n } 
@@ -4626,38 +4613,6 @@ func (m *BootstrapManifestsConfigSpec) UnmarshalVT(dAtA []byte) error { } m.FlannelKubeServicePort = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex - case 19: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ServiceHostDnsAddress", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return protohelpers.ErrIntOverflow - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return protohelpers.ErrInvalidLength - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return protohelpers.ErrInvalidLength - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ServiceHostDnsAddress = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex default: iNdEx = preIndex skippy, err := protohelpers.Skip(dAtA[iNdEx:]) diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index c29bd7f92a..2afa8b4917 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -1024,6 +1024,11 @@ const ( // ConsoleLogErrorSuppressThreshold is the threshold for suppressing console log errors. ConsoleLogErrorSuppressThreshold = 4 + + // HostDNSAddress is the address of the host DNS server. + // + // Note: 116 = 't' and 108 = 'l' in ASCII. + HostDNSAddress = "169.254.116.108" ) // See https://linux.die.net/man/3/klogctl diff --git a/pkg/machinery/resources/k8s/manifests_config.go b/pkg/machinery/resources/k8s/manifests_config.go index edd25f8792..c5c587fe95 100644 --- a/pkg/machinery/resources/k8s/manifests_config.go +++ b/pkg/machinery/resources/k8s/manifests_config.go 
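Review bot: The new `HostDNSAddress` constant in the constants.go hunk is a fixed, non-configurable address whose doc comment records only the ASCII mnemonic, not the contract a reader needs: that it is an RFC 3927 link-local address chosen so the resolver is reachable from pods on the node without a Service IP, and that nothing in this hunk prevents it from clashing with link-local addresses already in use by a CNI or cloud environment (cloud metadata endpoints and several CNI pod gateways live in 169.254.0.0/16). I would replace the comment with `// HostDNSAddress is the fixed RFC 3927 link-local address the host DNS resolver binds to,` / `// chosen so kube-dns and other pods on the node can reach it without a Service IP (not configurable;` / `// must not overlap link-local addresses used by the CNI or cloud provider).`, keeping the ASCII note as a trailing line if desired. The controller that actually binds the address and points kube-dns at it (hostdns_config.go, listed in the diffstat) is not visible in this view, so whether an address collision is detected at bind time, or whether the listener is restricted to node-local clients, cannot be verified here; if it is not, any pod on the node can query the resolver unauthenticated, which is expected for DNS but is worth stating in the host-dns guide.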
@@ -51,8 +51,6 @@ type BootstrapManifestsConfigSpec struct { PodSecurityPolicyEnabled bool `yaml:"podSecurityPolicyEnabled" protobuf:"14"` TalosAPIServiceEnabled bool `yaml:"talosAPIServiceEnabled" protobuf:"15"` - - ServiceHostDNSAddress string `yaml:"serviceHostDNSAddress" protobuf:"19"` } // NewBootstrapManifestsConfig returns new BootstrapManifestsConfig resource. diff --git a/website/content/v1.8/reference/api.md b/website/content/v1.8/reference/api.md index a2dd307342..2dd4441f6e 100644 --- a/website/content/v1.8/reference/api.md +++ b/website/content/v1.8/reference/api.md @@ -2117,7 +2117,6 @@ BootstrapManifestsConfigSpec is configuration for bootstrap manifests. | flannel_extra_args | [string](#string) | repeated | | | flannel_kube_service_host | [string](#string) | | | | flannel_kube_service_port | [string](#string) | | | -| service_host_dns_address | [string](#string) | | | diff --git a/website/content/v1.8/talos-guides/network/host-dns.md b/website/content/v1.8/talos-guides/network/host-dns.md index 67579fb0a4..3f2263b390 100644 --- a/website/content/v1.8/talos-guides/network/host-dns.md +++ b/website/content/v1.8/talos-guides/network/host-dns.md 
@@ -57,30 +57,25 @@ NODE NAMESPACE TYPE ID VERSION HEALTHY ADDRESS ## Forwarding `kube-dns` to Host DNS -When host DNS is enabled, by default, `kube-dns` service (`CoreDNS` in Kubernetes) uses upstream DNS servers to resolve external names. -But Talos allows forwarding `kube-dns` to the host DNS resolver, so that the cache is shared between the host and `kube-dns`: +> Note: This feature is enabled by default for new clusters created with Talos 1.8.0 and later. + +When host DNS is enabled, by default, `kube-dns` service (`CoreDNS` in Kubernetes) uses host DNS server to resolve external names. +This way the cache is shared between the host DNS and `kube-dns`. + +Talos allows forwarding `kube-dns` to the host DNS resolver to be disabled with: ```yaml machine: features: hostDNS: enabled: true - forwardKubeDNSToHost: true + forwardKubeDNSToHost: false ``` -This configuration should be applied to all nodes in the cluster, if enabled after cluster creation, restart `coredns` pods in Kubernetes to pick up changes. - -When `forwardKubeDNSToHost` is enabled, Talos Linux allocates 9th IP address in the `serviceSubnet` range for host DNS server, and `kube-dns` service is configured to use this IP address as the upstream DNS server: - -```shell -$ kubectl get services -n kube-system host-dns -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -host-dns ClusterIP 10.96.0.9 53/UDP,53/TCP 27s -$ talosctl read /system/resolved/resolv.conf -nameserver 10.96.0.9 -``` +This configuration should be applied to all nodes in the cluster, if applied after cluster creation, restart `coredns` pods in Kubernetes to pick up changes. -With this configuration, `kube-dns` service forwards all DNS requests to the host DNS server, and the cache is shared between the host and `kube-dns`. 
+When `forwardKubeDNSToHost` is enabled, Talos Linux allocates IP address `169.254.116.108` for the host DNS server, and `kube-dns` service is configured to use this IP address as the upstream DNS server: +This way `kube-dns` service forwards all DNS requests to the host DNS server, and the cache is shared between the host and `kube-dns`. ## Resolving Talos Cluster Member Names