From 136107b448437042168b2217e290b29ae8d91d58 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Fri, 10 Dec 2021 08:22:30 -0800
Subject: [PATCH] Set Kubelet resolver config to /run/systemd/resolve/resolv.conf
* Both Flatcar Linux and Fedora CoreOS use systemd-resolved, but they setup /etc/resolv.conf symlinks differently
* Prefer using /run/systemd/resolve/resolv.conf directly, which also updates to reflect runtime changes (e.g. resolvectl)
---
 CHANGES.md | 1 +
 aws/fedora-coreos/kubernetes/fcc/controller.yaml | 1 +
 aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml | 1 +
 aws/flatcar-linux/kubernetes/cl/controller.yaml | 1 +
 aws/flatcar-linux/kubernetes/workers/cl/worker.yaml | 1 +
 azure/fedora-coreos/kubernetes/fcc/controller.yaml | 1 +
 azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml | 1 +
 azure/flatcar-linux/kubernetes/cl/controller.yaml | 1 +
 azure/flatcar-linux/kubernetes/workers/cl/worker.yaml | 1 +
 bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml | 1 +
 bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml | 1 +
 bare-metal/flatcar-linux/kubernetes/cl/controller.yaml | 1 +
 bare-metal/flatcar-linux/kubernetes/cl/worker.yaml | 1 +
 digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml | 1 +
 digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml | 1 +
 digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml | 1 +
 digital-ocean/flatcar-linux/kubernetes/cl/worker.yaml | 1 +
 google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml | 1 +
 google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml | 1 +
 google-cloud/flatcar-linux/kubernetes/cl/controller.yaml | 1 +
 google-cloud/flatcar-linux/kubernetes/workers/cl/worker.yaml | 1 +
 21 files changed, 21 insertions(+)
diff --git a/CHANGES.md b/CHANGES.md
index ef0872d2..066254eb 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@ Notable changes between versions.
 * Kubernetes [v1.23.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#v1230)
 * Normalize CA certs mounts in static Pods and kube-proxy
+* Set Kubelet resolver config to `/run/systemd/resolve/resolv.conf`
 * With Calico, add missing `caliconodestatuses` CRD ([#289](https://github.com/poseidon/terraform-render-bootstrap/pull/289))
 * Change `enable_aggregation` default to true ([#279](https://github.com/poseidon/terraform-render-bootstrap/pull/279))
diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
index 98b4b72c..01f4cda7 100644
--- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -97,6 +97,7 @@ systemd:
 --pod-manifest-path=/etc/kubernetes/manifests \
 --provider-id=aws:///$${AFTERBURN_AWS_AVAILABILITY_ZONE}/$${AFTERBURN_AWS_INSTANCE_ID} \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml b/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
index 1c35b15b..27ccde8d 100644
--- a/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@@ -76,6 +76,7 @@ systemd:
 --pod-manifest-path=/etc/kubernetes/manifests \
 --provider-id=aws:///$${AFTERBURN_AWS_AVAILABILITY_ZONE}/$${AFTERBURN_AWS_INSTANCE_ID} \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/podman stop kubelet
diff --git a/aws/flatcar-linux/kubernetes/cl/controller.yaml b/aws/flatcar-linux/kubernetes/cl/controller.yaml
index 701ed69e..3e03e1b9 100644
--- a/aws/flatcar-linux/kubernetes/cl/controller.yaml
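Review bot: The hunk for aws/fedora-coreos/kubernetes/fcc/controller.yaml gives no sign that `/run/systemd/resolve/resolv.conf` is readable from where the Kubelet actually runs. The worker units in this patch show the Kubelet running in a container (`podman stop kubelet` here, `docker logs -f kubelet` on Flatcar), and the container's volume list lies outside every hunk. If `/run` is not already bind-mounted into that container, I'd expect the Kubelet to fail to read the file when it builds pod DNS config. In that case a line such as `--volume /run/systemd/resolve:/run/systemd/resolve:ro \` would be needed in the container arguments. The same check applies to the other 19 templates that receive this flag.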
+++ b/aws/flatcar-linux/kubernetes/cl/controller.yaml
@@ -98,6 +98,7 @@ systemd:
 --pod-manifest-path=/etc/kubernetes/manifests \
 --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID} \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/aws/flatcar-linux/kubernetes/workers/cl/worker.yaml b/aws/flatcar-linux/kubernetes/workers/cl/worker.yaml
index 6f6714cf..30dada94 100644
--- a/aws/flatcar-linux/kubernetes/workers/cl/worker.yaml
+++ b/aws/flatcar-linux/kubernetes/workers/cl/worker.yaml
@@ -79,6 +79,7 @@ systemd:
 --pod-manifest-path=/etc/kubernetes/manifests \
 --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID} \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet
diff --git a/azure/fedora-coreos/kubernetes/fcc/controller.yaml b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
index 4031ff15..ab945a69 100644
--- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -92,6 +92,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml b/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml
index b4c9e1d1..9e1bc462 100644
--- a/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml
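Review bot: The commit never states the security trade-off of the `--resolv-conf=/run/systemd/resolve/resolv.conf` line added in aws/flatcar-linux/kubernetes/cl/controller.yaml and in every other template. That file lists the upstream servers rather than the local stub, so pods that inherit the node resolver query those servers directly. Any DNSSEC validation or DNS-over-TLS configured in systemd-resolved therefore does not apply to their lookups. This is probably the intended choice, since the stub's loopback address is not reachable from a pod network namespace. I'd extend the CHANGES.md entry with something like `(pods using the node resolver query upstream DNS servers directly, bypassing systemd-resolved)` so operators relying on resolved's protections know to enforce them elsewhere.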
@@ -71,6 +71,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/podman stop kubelet
diff --git a/azure/flatcar-linux/kubernetes/cl/controller.yaml b/azure/flatcar-linux/kubernetes/cl/controller.yaml
index a7aecf0e..5f7f8fcc 100644
--- a/azure/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/azure/flatcar-linux/kubernetes/cl/controller.yaml
@@ -94,6 +94,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/azure/flatcar-linux/kubernetes/workers/cl/worker.yaml b/azure/flatcar-linux/kubernetes/workers/cl/worker.yaml
index 32a08c09..934f0ae3 100644
--- a/azure/flatcar-linux/kubernetes/workers/cl/worker.yaml
+++ b/azure/flatcar-linux/kubernetes/workers/cl/worker.yaml
@@ -75,6 +75,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
index 64a789bf..4f6dd2e7 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -92,6 +92,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
index 171cade1..59055c78 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
@@ -71,6 +71,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/podman stop kubelet
diff --git a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
index a1b52873..dffe158c 100644
--- a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
@@ -103,6 +103,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml b/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml
index 06f0bbea..067740c3 100644
--- a/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml
@@ -84,6 +84,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet
diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
index fc35ece3..45c4be70 100644
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -95,6 +95,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml
index 1821d1f7..1daa432e 100644
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml
@@ -69,6 +69,7 @@ systemd:
 --node-labels=node.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/podman stop kubelet
diff --git a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
index 047adf72..ef56f1ec 100644
--- a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
@@ -106,6 +106,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/digital-ocean/flatcar-linux/kubernetes/cl/worker.yaml b/digital-ocean/flatcar-linux/kubernetes/cl/worker.yaml
index 0889b867..e87efd5a 100644
--- a/digital-ocean/flatcar-linux/kubernetes/cl/worker.yaml
+++ b/digital-ocean/flatcar-linux/kubernetes/cl/worker.yaml
@@ -81,6 +81,7 @@ systemd:
 --node-labels=node.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet
diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
index 80f95035..6b349373 100644
--- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -92,6 +92,7 @@ systemd:
 --node-labels=node.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
diff --git a/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml b/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
index 0498f335..2c0f70e4 100644
--- a/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@@ -71,6 +71,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/podman stop kubelet
diff --git a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
index 2aa484e3..b10136a0 100644
--- a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
@@ -95,6 +95,7 @@ systemd:
 --pod-manifest-path=/etc/kubernetes/manifests \
 --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet
diff --git a/google-cloud/flatcar-linux/kubernetes/workers/cl/worker.yaml b/google-cloud/flatcar-linux/kubernetes/workers/cl/worker.yaml
index 32a08c09..934f0ae3 100644
--- a/google-cloud/flatcar-linux/kubernetes/workers/cl/worker.yaml
+++ b/google-cloud/flatcar-linux/kubernetes/workers/cl/worker.yaml
@@ -75,6 +75,7 @@ systemd:
 %{~ endfor ~}
 --pod-manifest-path=/etc/kubernetes/manifests \
 --read-only-port=0 \
+ --resolv-conf=/run/systemd/resolve/resolv.conf \
 --rotate-certificates \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStart=docker logs -f kubelet