github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add feature gate ExpandedDNSConfig

Browse Source 
ExpandedDNSConfig allows kubernetes to have expanded DNS(Domain Name
System) configuration
This commit is contained in:
Gunju Kim
2021-05-24 20:10:02 +09:00
parent 819059f641
commit 6317ce63c6
6 changed files with 296 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/apis/core/validation/validation.go
View File

@@ -2961,10 +2961,14 @@ const (
// restrictions in Linux libc name resolution handling.
// Max number of DNS name servers.
MaxDNSNameservers = 3
// Max number of domains in search path.
MaxDNSSearchPaths = 6
// Max number of characters in search path.
MaxDNSSearchListChars = 256
// Expanded max number of domains in the search path list.
MaxDNSSearchPathsExpanded = 32
// Expanded max number of characters in the search path.
MaxDNSSearchListCharsExpanded = 2048
// Max number of domains in the search path list.
MaxDNSSearchPathsLegacy = 6
// Max number of characters in the search path list.
MaxDNSSearchListCharsLegacy = 256
)
func validateReadinessGates(readinessGates []core.PodReadinessGate, fldPath *field.Path) field.ErrorList {
@@ -2977,7 +2981,7 @@ func validateReadinessGates(readinessGates []core.PodReadinessGate, fldPath *fie
return allErrs
}
func validatePodDNSConfig(dnsConfig *core.PodDNSConfig, dnsPolicy *core.DNSPolicy, fldPath *field.Path) field.ErrorList {
func validatePodDNSConfig(dnsConfig *core.PodDNSConfig, dnsPolicy *core.DNSPolicy, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
allErrs := field.ErrorList{}
// Validate DNSNone case. Must provide at least one DNS name server.
@@ -3001,12 +3005,16 @@ func validatePodDNSConfig(dnsConfig *core.PodDNSConfig, dnsPolicy *core.DNSPolic
}
}
// Validate searches.
if len(dnsConfig.Searches) > MaxDNSSearchPaths {
allErrs = append(allErrs, field.Invalid(fldPath.Child("searches"), dnsConfig.Searches, fmt.Sprintf("must not have more than %v search paths", MaxDNSSearchPaths)))
maxDNSSearchPaths, maxDNSSearchListChars := MaxDNSSearchPathsLegacy, MaxDNSSearchListCharsLegacy
if opts.AllowExpandedDNSConfig {
maxDNSSearchPaths, maxDNSSearchListChars = MaxDNSSearchPathsExpanded, MaxDNSSearchListCharsExpanded
}
if len(dnsConfig.Searches) > maxDNSSearchPaths {
allErrs = append(allErrs, field.Invalid(fldPath.Child("searches"), dnsConfig.Searches, fmt.Sprintf("must not have more than %v search paths", maxDNSSearchPaths)))
}
// Include the space between search paths.
if len(strings.Join(dnsConfig.Searches, " ")) > MaxDNSSearchListChars {
allErrs = append(allErrs, field.Invalid(fldPath.Child("searches"), dnsConfig.Searches, "must not have more than 256 characters (including spaces) in the search list"))
if len(strings.Join(dnsConfig.Searches, " ")) > maxDNSSearchListChars {
allErrs = append(allErrs, field.Invalid(fldPath.Child("searches"), dnsConfig.Searches, fmt.Sprintf("must not have more than %v characters (including spaces) in the search list", maxDNSSearchListChars)))
}
for i, search := range dnsConfig.Searches {
// it is fine to have a trailing dot
@@ -3206,6 +3214,8 @@ type PodValidationOptions struct {
AllowIndivisibleHugePagesValues bool
// Allow hostProcess field to be set in windows security context
AllowWindowsHostProcessField bool
// Allow more DNSSearchPaths and longer DNSSearchListChars
AllowExpandedDNSConfig bool
}
// ValidatePodSingleHugePageResources checks if there are multiple huge
@@ -3326,7 +3336,7 @@ func ValidatePodSpec(spec *core.PodSpec, podMeta *metav1.ObjectMeta, fldPath *fi
allErrs = append(allErrs, ValidatePodSecurityContext(spec.SecurityContext, spec, fldPath, fldPath.Child("securityContext"))...)
allErrs = append(allErrs, validateImagePullSecrets(spec.ImagePullSecrets, fldPath.Child("imagePullSecrets"))...)
allErrs = append(allErrs, validateAffinity(spec.Affinity, fldPath.Child("affinity"))...)
allErrs = append(allErrs, validatePodDNSConfig(spec.DNSConfig, &spec.DNSPolicy, fldPath.Child("dnsConfig"))...)
allErrs = append(allErrs, validatePodDNSConfig(spec.DNSConfig, &spec.DNSPolicy, fldPath.Child("dnsConfig"), opts)...)
allErrs = append(allErrs, validateReadinessGates(spec.ReadinessGates, fldPath.Child("readinessGates"))...)
allErrs = append(allErrs, validateTopologySpreadConstraints(spec.TopologySpreadConstraints, fldPath.Child("topologySpreadConstraints"))...)
allErrs = append(allErrs, validateWindowsHostProcessPod(spec, fldPath, opts)...)

118
pkg/apis/core/validation/validation_test.go
View File

@@ -6562,6 +6562,7 @@ func TestValidatePodDNSConfig(t *testing.T) {
desc string
dnsConfig *core.PodDNSConfig
dnsPolicy *core.DNSPolicy
opts PodValidationOptions
expectedError bool
}{
{
@@ -6608,7 +6609,7 @@ func TestValidatePodDNSConfig(t *testing.T) {
expectedError: false,
},
{
desc: "valid: 3 nameservers and 6 search paths",
desc: "valid: 3 nameservers and 6 search paths(legacy)",
dnsConfig: &core.PodDNSConfig{
Nameservers: []string{"127.0.0.1", "10.0.0.10", "8.8.8.8"},
Searches: []string{"custom", "mydomain.com", "local", "cluster.local", "svc.cluster.local", "default.svc.cluster.local."},
@@ -6616,7 +6617,18 @@ func TestValidatePodDNSConfig(t *testing.T) {
expectedError: false,
},
{
desc: "valid: 256 characters in search path list",
desc: "valid: 3 nameservers and 32 search paths",
dnsConfig: &core.PodDNSConfig{
Nameservers: []string{"127.0.0.1", "10.0.0.10", "8.8.8.8"},
Searches: []string{"custom", "mydomain.com", "local", "cluster.local", "svc.cluster.local", "default.svc.cluster.local.", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "30", "31", "32"},
},
opts: PodValidationOptions{
AllowExpandedDNSConfig: true,
},
expectedError: false,
},
{
desc: "valid: 256 characters in search path list(legacy)",
dnsConfig: &core.PodDNSConfig{
// We can have 256 - (6 - 1) = 251 characters in total for 6 search paths.
Searches: []string{
@@ -6630,6 +6642,50 @@ func TestValidatePodDNSConfig(t *testing.T) {
},
expectedError: false,
},
{
desc: "valid: 2048 characters in search path list",
dnsConfig: &core.PodDNSConfig{
// We can have 2048 - (32 - 1) = 2017 characters in total for 32 search paths.
Searches: []string{
generateTestSearchPathFunc(64),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
},
},
opts: PodValidationOptions{
AllowExpandedDNSConfig: true,
},
expectedError: false,
},
{
desc: "valid: ipv6 nameserver",
dnsConfig: &core.PodDNSConfig{
@@ -6645,12 +6701,22 @@ func TestValidatePodDNSConfig(t *testing.T) {
expectedError: true,
},
{
desc: "invalid: 7 search paths",
desc: "invalid: 7 search paths(legacy)",
dnsConfig: &core.PodDNSConfig{
Searches: []string{"custom", "mydomain.com", "local", "cluster.local", "svc.cluster.local", "default.svc.cluster.local", "exceeded"},
},
expectedError: true,
},
{
desc: "invalid: 33 search paths",
dnsConfig: &core.PodDNSConfig{
Searches: []string{"custom", "mydomain.com", "local", "cluster.local", "svc.cluster.local", "default.svc.cluster.local.", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "30", "31", "32", "33"},
},
opts: PodValidationOptions{
AllowExpandedDNSConfig: true,
},
expectedError: true,
},
{
desc: "invalid: 257 characters in search path list",
dnsConfig: &core.PodDNSConfig{
@@ -6666,6 +6732,50 @@ func TestValidatePodDNSConfig(t *testing.T) {
},
expectedError: true,
},
{
desc: "invalid: 2049 characters in search path list",
dnsConfig: &core.PodDNSConfig{
// We can have 2048 - (32 - 1) = 2017 characters in total for 32 search paths.
Searches: []string{
generateTestSearchPathFunc(65),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
generateTestSearchPathFunc(63),
},
},
opts: PodValidationOptions{
AllowExpandedDNSConfig: true,
},
expectedError: true,
},
{
desc: "invalid search path",
dnsConfig: &core.PodDNSConfig{
@@ -6704,7 +6814,7 @@ func TestValidatePodDNSConfig(t *testing.T) {
tc.dnsPolicy = &testDNSClusterFirst
}
errs := validatePodDNSConfig(tc.dnsConfig, tc.dnsPolicy, field.NewPath("dnsConfig"))
errs := validatePodDNSConfig(tc.dnsConfig, tc.dnsPolicy, field.NewPath("dnsConfig"), tc.opts)
if len(errs) != 0 && !tc.expectedError {
t.Errorf("%v: validatePodDNSConfig(%v) = %v, want nil", tc.desc, tc.dnsConfig, errs)
} else if len(errs) == 0 && tc.expectedError {