m/node: clean up DNS service
The primary change in here is that CoreDNS now only listens on the
loopback interface by default.
This fixes #217, as the DNS service can no longer be accessed from the outside.
Since the containers do not share the host network namespace, they can
now no longer access the DNS service. This is solved by introducing a
new Network Service API to add listener IPs and using a link-local IP,
169.254.77.53 for the container DNS.
While at it, I cleaned up various parts of the DNS code.
Change-Id: Id7b618f62690032db335e8478b9de84410c210a1
Reviewed-on: https://review.monogon.dev/c/monogon/+/1759
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/service_worker.go b/metropolis/node/kubernetes/service_worker.go
index d9f333e..2572dfa 100644
--- a/metropolis/node/kubernetes/service_worker.go
+++ b/metropolis/node/kubernetes/service_worker.go
@@ -86,6 +86,7 @@
ClusterDomain: s.c.ClusterDomain,
KubeletDirectory: &s.c.Root.Data.Kubernetes.Kubelet,
EphemeralDirectory: &s.c.Root.Ephemeral,
+ ClusterDNS: []net.IP{node.ContainerDNSIP},
}
// Gather all required material to send over for certficiate issuance to the
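Review bot: The new `ClusterDNS` line hands pods a fixed link-local address with no comment explaining why the node's external address is no longer used; a reader of this struct literal cannot tell that CoreDNS now listens only on loopback and on that address. Suggest `// CoreDNS no longer listens on the external address; pods reach it via the link-local ContainerDNSIP.` directly above the line. Note also that `net.IP` is a byte slice, so the literal aliases the package-level `node.ContainerDNSIP`; this is harmless as long as nothing downstream mutates the slice, otherwise detach it with `append(net.IP(nil), node.ContainerDNSIP...)`. The struct literal begins before this hunk.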
@@ -177,43 +178,6 @@
c.informers = informers
}
- // Sub-runnable which starts all parts of Kubernetes that depend on the
- // machine's external IP address. If it changes, the runnable will exit.
- // TODO(q3k): test this
- supervisor.Run(ctx, "networked", func(ctx context.Context) error {
- networkWatch := s.c.Network.Watch()
- defer networkWatch.Close()
-
- var status *network.Status
-
- supervisor.Logger(ctx).Info("Waiting for node networking...")
- for status == nil || status.ExternalAddress == nil {
- status, err = networkWatch.Get(ctx)
- if err != nil {
- return fmt.Errorf("failed to get network status: %w", err)
- }
- }
- address := status.ExternalAddress
- supervisor.Logger(ctx).Info("Node has active networking, starting apiserver/kubelet")
- kubelet.ClusterDNS = []net.IP{address}
- err := supervisor.RunGroup(ctx, map[string]supervisor.Runnable{
- "kubelet": kubelet.Run,
- })
- if err != nil {
- return fmt.Errorf("when starting kubelet: %w", err)
- }
-
- supervisor.Signal(ctx, supervisor.SignalHealthy)
-
- for status.ExternalAddress.Equal(address) {
- status, err = networkWatch.Get(ctx)
- if err != nil {
- return fmt.Errorf("when watching for network changes: %w", err)
- }
- }
- return fmt.Errorf("network configuration changed (%s -> %s)", address.String(), status.ExternalAddress.String())
- })
-
csiPlugin := csiPluginServer{
KubeletDirectory: &s.c.Root.Data.Kubernetes.Kubelet,
VolumesDirectory: &s.c.Root.Data.Volumes,
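Review bot: Removing the `networked` sub-runnable also drops the restart-on-change behaviour: the old code waited for `status.ExternalAddress` and returned an error, forcing a restart, whenever that address changed, whereas the kubelet is now started unconditionally from the sub-runnable table in the third hunk. That is fine for ClusterDNS, which no longer derives from the external address, but if the kubelet still uses the node's external address for anything else (node registration, for instance, which is not visible here), an address change will no longer restart it. If that is intended, a one-line comment at the new table entry, `// kubelet no longer depends on the external address; pod DNS uses the fixed ContainerDNSIP`, would record the reasoning for the next reader. The enclosing function starts before and continues after this hunk.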
@@ -250,6 +214,7 @@
{"clusternet", clusternet.Run},
{"nfproxy", nfproxy.Run},
{"kvmdeviceplugin", kvmDevicePlugin.Run},
+ {"kubelet", kubelet.Run},
} {
err := supervisor.Run(ctx, sub.name, sub.runnable)
if err != nil {