Add expanded DNS configuration KEP

[gjkim42]

Enhancement issue: #2595

previous discussion: kubernetes/kubernetes#100583

[gjkim42]

/cc @aojea @thockin @liggitt

[aojea]

should we go to beta directly and enable it by default?

[gjkim42]

I think it would be ok to enable it by default.

[liggitt]

the relaxed validation cannot allow new expanded data into objects by default in the first release, since it would allow data the previous API server version would choke on

[gjkim42]

@liggitt
Isn't it enough to wrap the feature into the feature gate to make the user can disable it if there is such a case?

[liggitt]

no. that means that, by default, the first version of the API server including this feature allows storing unsafe data. we must default safe.

[gjkim42]

Ah... I think you are right. Let's go to alpha and disable the feature by default.

[thockin]

Agree. We can very likely skip beta, but we can't skip alpha

[aojea]

@claudiubelu do you know the implications of this resolv.conf changes in windows?

[aojea]

there should be no problem meanwhile they don't create pods with an expanded DNSConfig

[gjkim42]

I think we should avoid the situation that there is a HA cluster with 1.22 apiserver and 1.21 apiserver having a pod with expanded DNS configuration due to partial roll-back.
If a user updates the pod, it can be updated by 1.22 apiserver or blocked by 1.21 apiserver. That will be an inconsistent behavior.

[aojea]

LGTM, this was previously discussed here

the problem was discussed here kubernetes/kubernetes#100583
and the implementation is not a big change
kubernetes/kubernetes#100622

the KEP and the feature gate will help to document the feature and give us the possibility to avoid surprises :)

[thockin]

What does this need in terms of docs?

[gjkim42]

I think we need some documentation updates like

• adding a description of the feature gate
• (maybe) updating https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues

Linux's libc (a.k.a. glibc) has a limit for the DNS nameserver records to 3 by default. What's more, for the glibc versions which are older than glibc-2.17-222 (the new versions update see this issue), the allowed number of DNS search records has been limited to 6 (see this bug from 2005). Kubernetes needs to consume 1 nameserver record and 3 search records. This means that if a local installation already uses 3 nameservers or uses more than 3 searches while your glibc version is in the affected list, some of those settings will be lost. To work around the DNS nameserver records limit, the node can run dnsmasq, which will provide more nameserver entries. You can also use kubelet's --resolv-conf flag. To fix the DNS search records limit, consider upgrading your linux distribution or upgrading to an unaffected version of glibc.

[gjkim42]

Only updated the release signoff checklist to the desired state.

[thockin]

This is more about kubelets. It is valid to have kubelets be a (slightly) lower version than apiserver. Looking at kubelet code I can see this will throw warnings (pkg/kubelet/network/dns/dns.go Configurer.CheckLimitsForResolvConf()) but that does not hard-fail. Still worth noting here.

In the same file, Configurer.formDNSSearchFitsLimits(), it does truncate. That is what is important to note here (and to test-confirm) -- back-rev kubelet should be fine, it will just truncate the results.

[gjkim42]

Updated.

thanks @thockin

[gjkim42]

@johnbelamaric
Would you please take a look and give a PRR? I hope we can catch the v1.22 enhancement freeze date (May 13th).
Thanks :)

[gjkim42]

@johnbelamaric
Thanks!
Updated the PRR questionnaire section.

[gjkim42]

@thockin @johnbelamaric
Added graduation criteria for alpha.
Could you PTAL? Thanks

[johnbelamaric]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gjkim42, johnbelamaric, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [johnbelamaric]
• keps/sig-network/OWNERS [johnbelamaric,thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[johnbelamaric]

/lgtm

[dcbw]

@gjkim42 what happens to existing pods in the API when the feature gate is disabled, and then something tries to update non-DNS podSpec fields? Do those things just their update denied, even though they didn't change any relevant fields?

[gjkim42]

what happens to existing pods in the API when the feature gate is disabled

The existing pods will be running with the expanded DNS config.

and then something tries to update non-DNS podSpec fields? Do those things just their update denied, even though they didn't change any relevant fields?

In v1.22 or higher, you can update non-DNSConfig podSpec fields, because we will add the exception.
(See the PR in progress.)
In v1.21 or lower(downgrade), any update requests will be denied, if the pod already had expanded DNS config.

[ritpanjw]

Hello @gjkim42 👋 , 1.22 Docs Shadow here.

This enhancement is marked as Needs Docs for 1.22 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!