Merge pull request #43368 from feiskyer/dns-policy

Automatic merge from submit-queue (batch tested with PRs 43398, 43368)

CRI: add support for dns cluster first policy

**What this PR does / why we need it**:

PR #29378 introduces ClusterFirstWithHostNet policy but only dockertools was updated to support the feature. 

This PR updates kuberuntime to support it for all runtimes.


**Which issue this PR fixes** 

fixes #43352

**Special notes for your reviewer**:

Candidate for v1.6.

**Release note**:

```release-note
NONE
```

cc @thockin @luxas @vefimova @Random-Liu

pkg/kubelet/dockershim/docker_sandbox.go

@@ -92,6 +92,25 @@ func (ds *dockerService) RunPodSandbox(config *runtimeapi.PodSandboxConfig) (str
 	if err != nil {
 		return createResp.ID, fmt.Errorf("failed to start sandbox container for pod %q: %v", config.Metadata.Name, err)
 	}
+
+	// Rewrite resolv.conf file generated by docker.
+	// NOTE: cluster dns settings aren't passed anymore to docker api in all cases,
+	// not only for pods with host network: the resolver conf will be overwritten
+	// after sandbox creation to override docker's behaviour. This resolv.conf
+	// file is shared by all containers of the same pod, and needs to be modified
+	// only once per pod.
+	if dnsConfig := config.GetDnsConfig(); dnsConfig != nil {
+		containerInfo, err := ds.client.InspectContainer(createResp.ID)
+		if err != nil {
+			return createResp.ID, fmt.Errorf("failed to inspect sandbox container for pod %q: %v", config.Metadata.Name, err)
+		}
+
+		if err := dockertools.RewriteResolvFile(containerInfo.ResolvConfPath, dnsConfig.Servers, dnsConfig.Searches, len(dnsConfig.Options) > 0); err != nil {
+			return createResp.ID, fmt.Errorf("rewrite resolf.conf faield for pod %q: %v", config.Metadata.Name, err)
+		}
+	}
+
+	// Do not invoke network plugins if in hostNetwork mode.
 	if nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions(); nsOptions != nil && nsOptions.HostNetwork {
 		return createResp.ID, nil
 	}
@@ -486,13 +505,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 	createConfig.Config.ExposedPorts = exposedPorts
 	hc.PortBindings = portBindings
 
-	// Set DNS options.
-	if dnsConfig := c.GetDnsConfig(); dnsConfig != nil {
-		hc.DNS = dnsConfig.Servers
-		hc.DNSSearch = dnsConfig.Searches
-		hc.DNSOptions = dnsConfig.Options
-	}
-
 	// Apply resource options.
 	setSandboxResources(hc)
 

pkg/kubelet/dockertools/docker_manager.go

@@ -1834,7 +1834,7 @@ func (dm *DockerManager) runContainerInPod(pod *v1.Pod, container *v1.Container,
 	// we modify it when the pause container is created since it is the first container created in the pod since it holds
 	// the networking namespace.
 	if container.Name == PodInfraContainerName {
-		if err := rewriteResolvFile(containerInfo.ResolvConfPath, opts.DNS, opts.DNSSearch, useClusterFirstPolicy); err != nil {
+		if err := RewriteResolvFile(containerInfo.ResolvConfPath, opts.DNS, opts.DNSSearch, useClusterFirstPolicy); err != nil {
 			return kubecontainer.ContainerID{}, err
 		}
 	}
@@ -1900,7 +1900,9 @@ func (dm *DockerManager) checkDockerAPIVersion(expectedVersion string) (int, err
 	return result, nil
 }
 
-func rewriteResolvFile(resolvFilePath string, dns []string, dnsSearch []string, useClusterFirstPolicy bool) error {
+// RewriteResolvFile rewrites resolv.conf file generated by docker.
+// Exported for reusing in dockershim.
+func RewriteResolvFile(resolvFilePath string, dns []string, dnsSearch []string, useClusterFirstPolicy bool) error {
 	if len(resolvFilePath) == 0 {
 		glog.Errorf("ResolvConfPath is empty.")
 		return nil

pkg/kubelet/kuberuntime/kuberuntime_sandbox.go

@@ -74,16 +74,19 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(pod *v1.Pod, attemp
 		Annotations: newPodAnnotations(pod),
 	}
 
+	dnsServers, dnsSearches, useClusterFirstPolicy, err := m.runtimeHelper.GetClusterDNS(pod)
+	if err != nil {
+		return nil, err
+	}
+	podSandboxConfig.DnsConfig = &runtimeapi.DNSConfig{
+		Servers:  dnsServers,
+		Searches: dnsSearches,
+	}
+	if useClusterFirstPolicy {
+		podSandboxConfig.DnsConfig.Options = defaultDNSOptions
+	}
+
 	if !kubecontainer.IsHostNetworkPod(pod) {
-		dnsServers, dnsSearches, _, err := m.runtimeHelper.GetClusterDNS(pod)
-		if err != nil {
-			return nil, err
-		}
-		podSandboxConfig.DnsConfig = &runtimeapi.DNSConfig{
-			Servers:  dnsServers,
-			Searches: dnsSearches,
-			Options:  defaultDNSOptions,
-		}
 		// TODO: Add domain support in new runtime interface
 		hostname, _, err := m.runtimeHelper.GeneratePodHostNameAndDomain(pod)
 		if err != nil {