cmd/k8s-operator: add DNS policy and config support to ProxyClass (#16887)
Adds DNS configuration support to ProxyClass, allowing users to customize DNS resolution for Tailscale proxy pods. Fixes #16886 Signed-off-by: Raj Singh <raj@tailscale.com>
@@ -1046,6 +1046,62 @@ spec:
|
||||
type: object
|
||||
additionalProperties:
|
||||
type: string
|
||||
dnsConfig:
|
||||
description: |-
|
||||
DNSConfig defines DNS parameters for the proxy Pod in addition to those generated from DNSPolicy.
|
||||
When DNSPolicy is set to "None", DNSConfig must be specified.
|
||||
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
|
||||
type: object
|
||||
properties:
|
||||
nameservers:
|
||||
description: |-
|
||||
A list of DNS name server IP addresses.
|
||||
This will be appended to the base nameservers generated from DNSPolicy.
|
||||
Duplicated nameservers will be removed.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
x-kubernetes-list-type: atomic
|
||||
options:
|
||||
description: |-
|
||||
A list of DNS resolver options.
|
||||
This will be merged with the base options generated from DNSPolicy.
|
||||
Duplicated entries will be removed. Resolution options given in Options
|
||||
will override those that appear in the base DNSPolicy.
|
||||
type: array
|
||||
items:
|
||||
description: PodDNSConfigOption defines DNS resolver options of a pod.
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
description: |-
|
||||
Name is this DNS resolver option's name.
|
||||
Required.
|
||||
type: string
|
||||
value:
|
||||
description: Value is this DNS resolver option's value.
|
||||
type: string
|
||||
x-kubernetes-list-type: atomic
|
||||
searches:
|
||||
description: |-
|
||||
A list of DNS search domains for host-name lookup.
|
||||
This will be appended to the base search paths generated from DNSPolicy.
|
||||
Duplicated search paths will be removed.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
x-kubernetes-list-type: atomic
|
||||
dnsPolicy:
|
||||
description: |-
|
||||
DNSPolicy defines how DNS will be configured for the proxy Pod.
|
||||
By default the Tailscale Kubernetes Operator does not set a DNS policy (uses cluster default).
|
||||
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
||||
type: string
|
||||
enum:
|
||||
- ClusterFirstWithHostNet
|
||||
- ClusterFirst
|
||||
- Default
|
||||
- None
|
||||
imagePullSecrets:
|
||||
description: |-
|
||||
Proxy Pod's image pull Secrets.
|
||||
|
||||
@@ -1574,6 +1574,62 @@ spec:
|
||||
Annotations must be valid Kubernetes annotations.
|
||||
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
|
||||
type: object
|
||||
dnsConfig:
|
||||
description: |-
|
||||
DNSConfig defines DNS parameters for the proxy Pod in addition to those generated from DNSPolicy.
|
||||
When DNSPolicy is set to "None", DNSConfig must be specified.
|
||||
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
|
||||
properties:
|
||||
nameservers:
|
||||
description: |-
|
||||
A list of DNS name server IP addresses.
|
||||
This will be appended to the base nameservers generated from DNSPolicy.
|
||||
Duplicated nameservers will be removed.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
options:
|
||||
description: |-
|
||||
A list of DNS resolver options.
|
||||
This will be merged with the base options generated from DNSPolicy.
|
||||
Duplicated entries will be removed. Resolution options given in Options
|
||||
will override those that appear in the base DNSPolicy.
|
||||
items:
|
||||
description: PodDNSConfigOption defines DNS resolver options of a pod.
|
||||
properties:
|
||||
name:
|
||||
description: |-
|
||||
Name is this DNS resolver option's name.
|
||||
Required.
|
||||
type: string
|
||||
value:
|
||||
description: Value is this DNS resolver option's value.
|
||||
type: string
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
searches:
|
||||
description: |-
|
||||
A list of DNS search domains for host-name lookup.
|
||||
This will be appended to the base search paths generated from DNSPolicy.
|
||||
Duplicated search paths will be removed.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
type: object
|
||||
dnsPolicy:
|
||||
description: |-
|
||||
DNSPolicy defines how DNS will be configured for the proxy Pod.
|
||||
By default the Tailscale Kubernetes Operator does not set a DNS policy (uses cluster default).
|
||||
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
||||
enum:
|
||||
- ClusterFirstWithHostNet
|
||||
- ClusterFirst
|
||||
- Default
|
||||
- None
|
||||
type: string
|
||||
imagePullSecrets:
|
||||
description: |-
|
||||
Proxy Pod's image pull Secrets.
|
||||
|
||||
@@ -906,6 +906,12 @@ func applyProxyClassToStatefulSet(pc *tsapi.ProxyClass, ss *appsv1.StatefulSet,
|
||||
ss.Spec.Template.Spec.Tolerations = wantsPod.Tolerations
|
||||
ss.Spec.Template.Spec.PriorityClassName = wantsPod.PriorityClassName
|
||||
ss.Spec.Template.Spec.TopologySpreadConstraints = wantsPod.TopologySpreadConstraints
|
||||
if wantsPod.DNSPolicy != nil {
|
||||
ss.Spec.Template.Spec.DNSPolicy = *wantsPod.DNSPolicy
|
||||
}
|
||||
if wantsPod.DNSConfig != nil {
|
||||
ss.Spec.Template.Spec.DNSConfig = wantsPod.DNSConfig
|
||||
}
|
||||
|
||||
// Update containers.
|
||||
updateContainer := func(overlay *tsapi.Container, base corev1.Container) corev1.Container {
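Review bot: `ss.Spec.Template.Spec.DNSConfig = wantsPod.DNSConfig` stores the ProxyClass's own `*corev1.PodDNSConfig` pointer in the StatefulSet template, so any later in-place edit of the StatefulSet's DNS config writes through into the ProxyClass object (and, if that object came from a shared informer cache, into the cache); `ss.Spec.Template.Spec.DNSConfig = wantsPod.DNSConfig.DeepCopy()` keeps the two independent, and is consistent with the nil-guard already in place. The API server only enforces that `dnsPolicy: None` is accompanied by a `dnsConfig` and that `nameservers` entries are IP addresses when the StatefulSet controller tries to create the Pod, so a misconfigured ProxyClass would fail far from its source; if the operator already validates ProxyClass specs elsewhere (not visible in this hunk), checking those two conditions there and reporting them on the ProxyClass status would surface the error where the user can see it. applyProxyClassToStatefulSet starts and ends outside the hunk.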
|
||||
|
||||
@@ -87,6 +87,15 @@ func Test_applyProxyClassToStatefulSet(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
DNSPolicy: ptr.To(corev1.DNSClusterFirstWithHostNet),
|
||||
DNSConfig: &corev1.PodDNSConfig{
|
||||
Nameservers: []string{"1.1.1.1", "8.8.8.8"},
|
||||
Searches: []string{"example.com", "test.local"},
|
||||
Options: []corev1.PodDNSConfigOption{
|
||||
{Name: "ndots", Value: ptr.To("2")},
|
||||
{Name: "edns0"},
|
||||
},
|
||||
},
|
||||
TailscaleContainer: &tsapi.Container{
|
||||
SecurityContext: &corev1.SecurityContext{
|
||||
Privileged: ptr.To(true),
|
||||
@@ -200,6 +209,8 @@ func Test_applyProxyClassToStatefulSet(t *testing.T) {
|
||||
wantSS.Spec.Template.Spec.InitContainers[0].Image = "ghcr.io/my-repo/tailscale:v0.01testsomething"
|
||||
wantSS.Spec.Template.Spec.InitContainers[0].ImagePullPolicy = "IfNotPresent"
|
||||
wantSS.Spec.Template.Spec.PriorityClassName = proxyClassAllOpts.Spec.StatefulSet.Pod.PriorityClassName
|
||||
wantSS.Spec.Template.Spec.DNSPolicy = corev1.DNSClusterFirstWithHostNet
|
||||
wantSS.Spec.Template.Spec.DNSConfig = proxyClassAllOpts.Spec.StatefulSet.Pod.DNSConfig
|
||||
|
||||
gotSS := applyProxyClassToStatefulSet(proxyClassAllOpts, nonUserspaceProxySS.DeepCopy(), new(tailscaleSTSConfig), zl.Sugar())
|
||||
if diff := cmp.Diff(gotSS, wantSS); diff != "" {
|
||||
@@ -239,6 +250,8 @@ func Test_applyProxyClassToStatefulSet(t *testing.T) {
|
||||
wantSS.Spec.Template.Spec.Containers[0].ImagePullPolicy = "IfNotPresent"
|
||||
wantSS.Spec.Template.Spec.Containers[0].Image = "ghcr.io/my-repo/tailscale:v0.01testsomething"
|
||||
wantSS.Spec.Template.Spec.PriorityClassName = proxyClassAllOpts.Spec.StatefulSet.Pod.PriorityClassName
|
||||
wantSS.Spec.Template.Spec.DNSPolicy = corev1.DNSClusterFirstWithHostNet
|
||||
wantSS.Spec.Template.Spec.DNSConfig = proxyClassAllOpts.Spec.StatefulSet.Pod.DNSConfig
|
||||
gotSS = applyProxyClassToStatefulSet(proxyClassAllOpts, userspaceProxySS.DeepCopy(), new(tailscaleSTSConfig), zl.Sugar())
|
||||
if diff := cmp.Diff(gotSS, wantSS); diff != "" {
|
||||
t.Errorf("Unexpected result applying ProxyClass with all options to a StatefulSet for a userspace proxy (-got +want):\n%s", diff)
|
||||
|
||||