dnscache: use nameservers from cli (remove node/proxy)

cmd/kindnetd/main.go

@@ -28,6 +28,7 @@ import (
 	"os"
 	"os/signal"
 	"runtime/debug"
+	"strings"
 	"time"
 
 	"sigs.k8s.io/kindnet/pkg/conntrack"
@@ -97,13 +98,15 @@ var (
 	disableNRI                 bool
 	nflogLevel                 int
 	ipsecOverlay               bool
+	nameServers                string
 )
 
 func init() {
 	flag.BoolVar(&disableCNI, "disable-cni", false, "If set, disable the CNI functionality to add IPs to Pods and routing between nodes (default false)")
 	flag.BoolVar(&disableNRI, "disable-nri", false, "If set, disable the NRI functionality to get Pod IP information from the container runtime directly (default false)")
 	flag.BoolVar(&networkpolicies, "network-policy", true, "If set, enable Network Policy GA APIs (default true)")
-	flag.BoolVar(&dnsCaching, "dns-caching", true, "If set, enable Kubernetes DNS caching (default true)")
+	flag.BoolVar(&dnsCaching, "dns-caching", false, "If set, enable Kubernetes DNS caching (default false)")
+	flag.StringVar(&nameServers, "dns-caching-nameservers", "", "Comma separated list of DNS server IP addresses to use for DNS caching.")
 	flag.BoolVar(&nat64, "nat64", true, "If set, enable NAT64 using the reserved prefix 64:ff9b::/96 on IPv6 only clusters (default true)")
 	flag.StringVar(&hostnameOverride, "hostname-override", "", "If non-empty, will be used as the name of the Node that kube-network-policies is running on. If unset, the node name is assumed to be the same as the node's hostname.")
 	flag.BoolVar(&masquerading, "masquerading", true, "masquerade with the Node IP the cluster to external traffic (default true)")
@@ -279,7 +282,17 @@ func main() {
 	// create a dnsCacheAgent
 	if dnsCaching {
 		klog.Infof("caching DNS cluster traffic")
-		dnsCacheAgent, err := dnscache.NewDNSCacheAgent(nodeName, nodeInformer)
+		var nameServersList []string
+		if nameServers != "" {
+			nameServersList = strings.Split(nameServers, ",")
+		}
+		for _, ns := range nameServersList {
+			_, err := netip.ParseAddr(ns)
+			if err != nil {
+				klog.Fatalf("can not parse ip %s , invalid nameserver: %v", ns, err)
+			}
+		}
+		dnsCacheAgent, err := dnscache.NewDNSCacheAgent(nodeName, nameServersList, nodeInformer)
 		if err != nil {
 			klog.Fatalf("error creating dnsCacheAgent agent: %v", err)
 		}

go.mod

@@ -25,7 +25,6 @@ require (
 	k8s.io/cri-api v0.34.1
 	k8s.io/cri-client v0.34.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubelet v0.34.1
 	sigs.k8s.io/kube-network-policies v0.9.2
 )
 
@@ -55,7 +54,6 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/knqyf263/go-plugin v0.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
@@ -65,7 +63,6 @@ require (
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/tetratelabs/wazero v1.9.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect

go.sum

@@ -44,7 +44,6 @@ github.com/containerd/nri v0.10.0 h1:bt2NzfvlY6OJE0i+fB5WVeGQEycxY7iFVQpEbh7J3Go
 github.com/containerd/nri v0.10.0/go.mod h1:5VyvLa/4uL8FjyO8nis1UjbCutXDpngil17KvBSL6BU=
 github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
 github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -147,7 +146,6 @@ github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzM
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
@@ -296,8 +294,6 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/kubelet v0.34.1 h1:doAaTA9/Yfzbdq/u/LveZeONp96CwX9giW6b+oHn4m4=
-k8s.io/kubelet v0.34.1/go.mod h1:PtV3Ese8iOM19gSooFoQT9iyRisbmJdAPuDImuccbbA=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=

install-kindnet.yaml

@@ -12,13 +12,6 @@ rules:
       - list
       - watch
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes/proxy
-      - nodes/configz
-    verbs:
-      - get
   - apiGroups:
      - ""
     resources:

pkg/dnscache/agent.go

@@ -62,11 +62,12 @@ const (
 
 // NewDNSCacheAgent caches all DNS traffic from Pods with network based on the PodCIDR of the node they are running.
 // Cache logic is very specific to Kubernetes,
-func NewDNSCacheAgent(nodeName string, nodeInformer coreinformers.NodeInformer) (*DNSCacheAgent, error) {
+func NewDNSCacheAgent(nodeName string, nameServersList []string, nodeInformer coreinformers.NodeInformer) (*DNSCacheAgent, error) {
 	d := &DNSCacheAgent{
 		nodeName:    nodeName,
 		nodeLister:  nodeInformer.Lister(),
 		nodesSynced: nodeInformer.Informer().HasSynced,
+		nameServers: nameServersList,
 		interval:    5 * time.Minute,
 		cache:       newIPCache(),
 		tcpPool:     NewPools(),
@@ -83,11 +84,9 @@ type DNSCacheAgent struct {
 	nodesSynced cache.InformerSynced
 	interval    time.Duration
 
-	podCIDRv4     string
-	podCIDRv6     string
-	nameServers   []string
-	searches      []string
-	clusterDomain string
+	podCIDRv4   string
+	podCIDRv6   string
+	nameServers []string
 
 	nfq *nfqueue.Nfqueue
 
@@ -123,36 +122,6 @@ func (d *DNSCacheAgent) Run(ctx context.Context) error {
 		return fmt.Errorf("failed to get Node PodCIDRs: %w", err)
 	}
 
-	// kubelet config clusterDNS
-	// clusterDNS is a list of IP addresses for the cluster DNS server.
-	// If set, kubelet will configure all containers to use this for DNS resolution instead of the host's DNS servers.
-
-	klog.Info("Configuring upstream DNS resolver")
-	kubeletConfig, err := getKubeletConfigz(ctx, d.nodeName)
-	if err != nil {
-		klog.ErrorS(err, "Could not obtain local Kubelet config")
-		return err
-	}
-	klog.InfoS("Obtained DNS config from kubelet", "nameservers", kubeletConfig.ClusterDNS, "search", kubeletConfig.ClusterDomain, "resolver", kubeletConfig.ResolverConfig)
-
-	if len(kubeletConfig.ClusterDNS) > 0 {
-		d.nameServers = kubeletConfig.ClusterDNS
-	}
-
-	d.clusterDomain = kubeletConfig.ClusterDomain
-	resolvPath := "/etc/resolv.conf"
-	if kubeletConfig.ResolverConfig != nil {
-		resolvPath = *kubeletConfig.ResolverConfig
-	}
-
-	hostDNS, hostSearch, hostOptions, err := parseResolvConf(resolvPath)
-	if err != nil {
-		klog.ErrorS(err, "Could not parse resolv conf file", "path", resolvPath)
-	} else {
-		d.searches = hostSearch
-		klog.Infof("Resolv.conf from %s: nameservers: %v search: %v options: %v", resolvPath, hostDNS, hostSearch, hostOptions)
-	}
-
 	// https://netfilter.org/projects/libnetfilter_queue/doxygen/html/group__Queue.html
 	// the kernel will not normalize offload packets,
 	// i.e. your application will need to be able to handle packets larger than the mtu.