kubernetes: Kubelet didn't respect --resolv-conf when resolv.conf is empty or full of comments
What happened?
When I passing --resolv-conf to kubelet, it did not respect the option, and still copy the /etc/resolv.conf to the pod.
What makes it special is that the resolv.conf provided by myself is empty.
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
After skimming the code, I found the logic here is problematic:
https://github.com/kubernetes/kubernetes/blob/v1.28.2/pkg/kubelet/network/dns/dns.go#L225-L274
Because resolv.conf is empty, an empty array and no error is returned. Then, if the dnsPolicy is default (that is the default config for CoreDNS deployment), the podDNSType turns to be podDNSHost:
https://github.com/kubernetes/kubernetes/blob/v1.28.2/pkg/kubelet/network/dns/dns.go#L316-L317
Then, containerd will get an empty dns_config, so it will copy /etc/resolv.conf from the host to the container:
https://github.com/containerd/containerd/blob/v1.7.6/pkg/cri/server/sandbox_run_linux.go#L282-L287
Finally, CoreDNS reports forwarding loop error.
What did you expect to happen?
Kubelet should refuse to use the wrong empty resolv.conf to create a pod, and complains with errors.
How can we reproduce it (as minimally and precisely as possible)?
- Pass
--resolv-confto kubelet, and make sure the specifiedresolv.conffile is empty. - Check the output of CoreDNS, and its
/etc/resolv.conf.
Anything else we need to know?
No response
Kubernetes version
k8s v1.28.2 containerd v1.7.6
Cloud provider
None
OS version
Any major Linux distribution.
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, …) and versions (if applicable)
About this issue
- Original URL
- State: open
- Created 9 months ago
- Reactions: 1
- Comments: 15 (13 by maintainers)
It is suggesting to change the behavior to stop the pod creation