Documentation ¶
Overview ¶
Package fqdn handles some of the DNS-based policy functions:
- A DNS lookup cache used to populate toFQDNs rules in the policy layer.
- A NameManager that coordinates distributing IPs to matching toFQDNs selectors.
- A DNS Proxy that applies L7 DNS rules and populates the lookup cache with IPs from allowed/successful DNS lookups.
- (deprecated) A DNS Poller that actively polls all L3 toFQDNs.MatchName entries and populates the DNS lookup cache.
Note: There are 2 different requests that are handled: the DNS lookup and the connection to the domain in the DNS lookup.
Proxy redirection and L3 policy calculations are handled by the datapath and policy layer, respectively.
DNS data is tracked per-endpoint but collected globally in each cilium-agent when calculating policy. This differs from toEndpoints rules, which use cluster-global information, and toCIDR rules, which use static information in the policy. toServices rules are similar but they are cluster-global and have no TTL nor a distinct lookup request from the endpoint. Furthermore, toFQDNs cannot handle in-cluster IPs but toServices can.
+-------------+ +----------------+ +---------+ +---------+ | | | | | | | | | +<--+ NameManager +<-------+ | | | | | | | Update | | | | | Policy | +-------+--------+ Trigger| DNS | | | | Selectors | ^ | Proxy +<--->+ Network | | | | | | | | | | +-------+--------+ | | | | | | | DNS | | | | | | | | Lookup Cache +<-------+ | | | +------+------+ | | DNS +----+----+ +----+----+ | +----------------+ Data ^ ^ v | | +------+------+--------------------+ | | | | | | | | Datapath | | | | | | | DNS Lookup| | +-------------+ +<------------+ | | | | | Pod | | | | HTTP etc. | | +<----------------------------+ | | +----------------------------------+
=== L7 DNS === L7 DNS is handled by the DNS Proxy. The proxy is always running within cilium-agent but traffic is only redirected to it when a L7 rule includes a DNS section such as:
--- - toEndpoints: toPorts: - ports: - port: "53" protocol: ANY rules: dns: - matchPattern: "*" - matchName: "cilium.io"
These redirects are implemented by the datapath and the management logic is shared with other proxies in cilium (envoy and kafka). L7 DNS rules can apply to an endpoint from various policies and, if any allow a request, it will be forwarded to the original target of the DNS packet. This is often configured in /etc/resolv.conf for a pod and k8s sets this automatically (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) In the example above `matchPattern: "*"` allows all requests and makes `matchName: "cilium.io"` redundant. Notes:
- The forwarded requests are sent from cilium-agent on the host interface and not from the endpoint.
- Users must explicitly allow `*.*.svc.cluster.local.` in k8s clusters. This is not automatic.
- L7 DNS rules are egress-only,
- The proxy emits L7 cilium-monitor events: one for the request, an accept/reject event, and the final response.
Apart from allowing or denying DNS requests, the DNS proxy is used to observe DNS lookups in order to then allow L3 connections with the response information. These must separately allowed with toFQDNs L3 rules. The example above is a common "visibility" policy that allows all requests but ensures that they traverse the proxy. This information is then placed in the per-Endpoint and global DNS lookup caches and propagates from there.
=== L3 DNS === L3 DNS rules control L3 connections and not the DNS requests themselves. They rely on DNS lookup cache information and it must come from the DNS proxy, or via a L7 DNS rule.
--- - toFQDNs: - matchName: "my-remote-service.com" - matchPattern: "bucket.*.my-remote-service.com"
IPs seen in a DNS response (i.e. the request was allowed by a L7 policy) that are also selected in a DNS L3 rule matchPattern or matchName have a /32 or /128 CIDR identity created. This occurs when they are first passed to the toFQDN selectors from NameManager. These identities are not special in any way and can overlap with toCIDR rules in policiies. They are placed in the node-local ipcache and in the policy map of each endpoint that is allowed to connect to them (i.e. defined in the L3 DNS rule). Notes:
- Generally speaking, toFQDNs can only handle non-cluster IPs. In-cluster policy should use toEndpoints and toServices. This is partly historical but is because of ipcache limitations when mapping ip->identity. Endpoint identities can clobber the FQDN IP identity.
- Despite being tracked per-Endpoint. DNS lookup IPs are collected into a global cache. This is historical and can be changed. The original implementation created policy documents in the policy repository to represent the IPs being allowed and could not distinguish between endpoints. The current implementation uses selectors that also do not distinguish between Endpoints. There is some provision for this, however, and it just requires better plumbing in how we place data in the Endpoint's datapath.
=== Caching, Long-Lived Connections & Garbage Collection === DNS requests are distinct traffic from the connections that pods make with the response information. This makes it difficult to correlate one DNS lookup to a later connection; a pod may reuse the IPs in a DNS response an arbitrary time after the lookup occurred, even past the DNS TTL. The solution is multi-layered for historical reasons:
- Keep a per-Endpoint cache that can be stored to disk and restored on startup. These caches apply TTL expiration and limit the IP count per domain.
- Keep a global cache to combine all this DNS information and send it to the policy system. This cache applies TTL but not per-domain limits. This causes a DNS lookup in one endpoint to leak to another!
- Track live connections allowed by DNS policy and delay expiring that data while the connection is open. If the policy itself is removed, however, the connection is interrupted.
The same DNSCache type is used in all cases. DNSCache instances remain consistent if the update order is different and merging multiple caches should be equivalent to applying the constituent updates individually. As a result, DNS data is all inserted into a single global cache from which the policy layer receives information. This is historic and per-Endpoint handling can be added. The data is internally tracked per IP because overlapping DNS responses may have different TTLs for IPs that appear in both. Notes:
- The default configurable minimum TTL in the caches is 1 hour. This is mostly for identity stability, as short TTLs would cause more identity churn. This is mostly history as CIDR identities now have a near-0 allocation overhead.
- DNSCache deletes only currently occur when the cilium API clears the cache or when the garbage collector evicts entries.
- The combination of caches: per-Endpoint and global must manage disparate behaviours of pods. The worst case scenario is one where one pod makes many requests to a target with changing IPs (like S3) but another makes few requests that are long-lived. We need to ensure "fairness" where one does not starve the other. The limits in the per-Endpoint caches allow this, and the global cache acts as a collector across different Endpoints (without restrictions).
Expiration of DNS data is handled by the dns-garbage-collector-job controller. Historically, the only expiration was TTL based and the per-Endpoint and global caches would expire data at the same time without added logic. This is not true when we apply per-host IP limits in the cache. These default to 50 IPs for a given domain, per Endpoint. To account for these evictions the controller handles TTL and IP limit evictions. This ensures that the global cache is consistent with the per-Endpoint caches. The result is that the actual expiration is imprecise (TTL especially). The caches mark to-evict data internally and only do so on GC method calls from the controller. When DNS data is evicted from any per-Endpoint cache, for any reason, each IP is retained as a "zombie" in type fqdn.DNSZombieMapping. These "zombies" represent IPs that were previously associated with a resolved DNS name, but the DNS name is no longer known (for example because of TTL expiry). However there may still be an active connection associated with the zombie IP. Externally, related options use the term "deferred connection delete". Zombies are tracked per IP for the endpoint they come from (with a default limit of 10000 set by defaults.ToFQDNsMaxDeferredConnectionDeletes). When the Connection Tracking garbage collector runs, it marks any zombie IP that correlates to a live connection by that endpoint as "alive". At the next iteration of the dns-garbage-collector-job controller, the not-live zombies are finally evicted. These IPs are then, finally, no longer placed into the global cache on behalf of this endpoint. Other endpoints may have live DNS TTLs or connections to the same IPs, however, so these IPs may be inserted into the global cache for the same domain or a different one (or both). Note: The CT GC has a variable run period. This ranges from 30s to 12 hours and is shorter when more connection churn is observed (the constants are ConntrackGCMinInterval and ConntrackGCMaxLRUInterval in package defaults).
=== Flow of DNS data ===
+---------------------+ | DNS Proxy | +----------+----------+ | v +----------+----------+ | per-EP Lookup Cache | +----------+----------+ | v +----------+----------+ | per-EP Zombie Cache | +----------+----------+ | v +----------+----------+ | Global DNS Cache | +----------+----------+ | v +----------+----------+ | NameManager | +----------+----------+ | v +----------+----------+ | Policy toFQDNs | | Selectors | +----------+----------+ | v +----------+----------+ | per-EP Datapath | +---------------------+
Index ¶
- Constants
- type CIDRMatcherFunc
- type Config
- type DNSCache
- func (c *DNSCache) Count() (uint64, uint64)
- func (c *DNSCache) DisableCleanupTrack()
- func (c *DNSCache) Dump() (lookups []*cacheEntry)
- func (c *DNSCache) ForceExpire(expireLookupsBefore time.Time, nameMatch *regexp.Regexp) (namesAffected []string)
- func (c *DNSCache) GC(now time.Time, zombies *DNSZombieMappings) (affectedNames []string)
- func (c *DNSCache) GetIPs() sets.Set[netip.Addr]
- func (c *DNSCache) Lookup(name string) (ips []netip.Addr)
- func (c *DNSCache) LookupByRegexp(re *regexp.Regexp) (matches map[string][]netip.Addr)
- func (c *DNSCache) LookupIP(ip netip.Addr) (names []string)
- func (c *DNSCache) MarshalJSON() ([]byte, error)
- func (c *DNSCache) ReplaceFromCacheByNames(namesToUpdate []string, updates ...*DNSCache)
- func (c *DNSCache) UnmarshalJSON(raw []byte) error
- func (c *DNSCache) Update(lookupTime time.Time, name string, ips []netip.Addr, ttl int) bool
- func (c *DNSCache) UpdateFromCache(update *DNSCache, namesToUpdate []string)
- type DNSIPRecords
- type DNSZombieMapping
- type DNSZombieMappings
- func (zombies *DNSZombieMappings) DumpAlive(cidrMatcher CIDRMatcherFunc) (alive []*DNSZombieMapping)
- func (zombies *DNSZombieMappings) ForceExpire(expireLookupsBefore time.Time, nameMatch *regexp.Regexp) (namesAffected []string)
- func (zombies *DNSZombieMappings) ForceExpireByNameIP(expireLookupsBefore time.Time, name string, ips ...net.IP) error
- func (zombies *DNSZombieMappings) GC() (alive, dead []*DNSZombieMapping)
- func (zombies *DNSZombieMappings) MarkAlive(now time.Time, ip netip.Addr)
- func (zombies *DNSZombieMappings) MarshalJSON() ([]byte, error)
- func (zombies *DNSZombieMappings) SetCTGCTime(ctGCStart time.Time)
- func (zombies *DNSZombieMappings) UnmarshalJSON(raw []byte) error
- func (zombies *DNSZombieMappings) Upsert(expiryTime time.Time, addr netip.Addr, qname ...string) (updatedExisting bool)
- type EndpointDNSInfo
- type IPCache
- type NameManager
- func (n *NameManager) CompleteBootstrap()
- func (n *NameManager) DeleteDNSLookups(expireLookupsBefore time.Time, matchPatternStr string) error
- func (n *NameManager) ForceGenerateDNS(ctx context.Context, namesToRegen []string) *sync.WaitGroup
- func (n *NameManager) GC(ctx context.Context) error
- func (n *NameManager) GetModel() *models.NameManager
- func (n *NameManager) Lock()
- func (n *NameManager) LockName(name string)
- func (n *NameManager) RegisterForIPUpdatesLocked(selector api.FQDNSelector) []netip.Addr
- func (n *NameManager) RestoreCache(preCachePath string, restoredEPs []EndpointDNSInfo)
- func (n *NameManager) StartGC(ctx context.Context)
- func (n *NameManager) Unlock()
- func (n *NameManager) UnlockName(name string)
- func (n *NameManager) UnregisterForIPUpdatesLocked(selector api.FQDNSelector)
- func (n *NameManager) UpdateGenerateDNS(ctx context.Context, lookupTime time.Time, ...) *sync.WaitGroup
Constants ¶
const DNSGCJobInterval = 1 * time.Minute
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CIDRMatcherFunc ¶
CIDRMatcherFunc is a function passed to (*DNSZombieMappings).DumpAlive, called on each zombie to determine whether it should be returned.
type Config ¶
type Config struct { // MinTTL is the time used by the poller to cache information. MinTTL int // Cache is where the poller stores DNS data used to generate rules. // When set to nil, it uses fqdn.DefaultDNSCache, a global cache instance. Cache *DNSCache // UpdateSelectors is a callback to update the mapping of FQDNSelector to // sets of IPs. UpdateSelectors func(ctx context.Context, selectorsToIPs map[api.FQDNSelector][]netip.Addr, ipcacheRevision uint64) *sync.WaitGroup // GetEndpointsDNSInfo is a function that returns a list of fqdn-relevant fields from all Endpoints known to the agent. // The endpoint's DNSHistory and DNSZombies are used as part of the garbage collection and restoration processes. GetEndpointsDNSInfo func() []EndpointDNSInfo IPCache IPCache // CheckpointSelectors enables a controller which writes all FQDN selectors to disk. This allows Cilium 1.16+ // (which has a new way of managing identities for FQDN selectors) to perform dropless upgrades. CheckpointSelectors bool }
Config is a simple configuration structure to set how pkg/fqdn subcomponents behave.
type DNSCache ¶
DNSCache manages DNS data that will expire after a certain TTL. Information is tracked per-IP address, retaining the latest-expiring DNS data for each address. For most real-world DNS data, the entry per name remains small because newer lookups replace older ones. Large TTLs may cause entries to grow if many unique IPs are returned in separate lookups. It is critical to run .GC periodically. This cleans up expired entries and steps forward the time used to determine that entries are expired. This means that the Lookup functions may return expired entries until GC is called. Redundant entries are removed on insert.
func NewDNSCache ¶
NewDNSCache returns an initialized DNSCache
func NewDNSCacheWithLimit ¶
NewDNSCache returns an initialized DNSCache and set the max host limit to the given argument
func (*DNSCache) Count ¶
Count returns two values, the count of still-valid FQDNs inside the DNS cache and the count of the still-valid entries (IPs) in the DNS cache.
The FQDN count returns the length of the DNS cache size.
The IP count is not deduplicated, see Dump(). In other words, this value represents an accurate tally of IPs associated with an FQDN in the DNS cache.
func (*DNSCache) DisableCleanupTrack ¶
func (c *DNSCache) DisableCleanupTrack()
func (*DNSCache) Dump ¶
func (c *DNSCache) Dump() (lookups []*cacheEntry)
Dump returns unexpired cache entries in the cache. They are deduplicated, but not usefully sorted. These objects should not be modified.
func (*DNSCache) ForceExpire ¶
func (c *DNSCache) ForceExpire(expireLookupsBefore time.Time, nameMatch *regexp.Regexp) (namesAffected []string)
ForceExpire is used to clear entries from the cache before their TTL is over. This operation does not keep previous guarantees that, for each IP, the most recent lookup to provide that IP is used. Note that all parameters must match, if provided. `time.Time{}` is the match-all time parameter. For example:
ForceExpire(time.Time{}, 'cilium.io') expires all entries for cilium.io. ForceExpire(time.Now(), 'cilium.io') expires all entries for cilium.io that expired before the current time.
expireLookupsBefore requires a lookup to have a LookupTime before it in order to remove it. nameMatch will remove any DNS names that match.
func (*DNSCache) GC ¶
func (c *DNSCache) GC(now time.Time, zombies *DNSZombieMappings) (affectedNames []string)
GC cleans TTL expired entries up to now, and overlimit entries, returning both sets. If zombies is passed in, expired IPs are inserted into it. GC and other management of zombies is left to the caller. Note: zombies use the original lookup's ExpirationTime for DeletePendingAt, not the now parameter. This allows better ordering in zombie GC.
func (*DNSCache) Lookup ¶
Lookup returns a set of unique IPs that are currently unexpired for name, if any exist. An empty list indicates no valid records exist. The IPs are returned unsorted.
func (*DNSCache) LookupByRegexp ¶
LookupByRegexp returns all non-expired cache entries that match re as a map of name -> IPs
func (*DNSCache) LookupIP ¶
LookupIP returns all DNS names in entries that include that IP. The cache maintains the latest-expiring entry per-name per-IP. This means that multiple names referrring to the same IP will expire from the cache at different times, and only 1 entry for each name-IP pair is internally retained.
func (*DNSCache) MarshalJSON ¶
MarshalJSON serialises the set of DNS lookup cacheEntries needed to reconstruct this cache instance. Note: Expiration times are honored and the reconstructed cache instance is expected to return the same values as the original at that point in time.
func (*DNSCache) ReplaceFromCacheByNames ¶
ReplaceFromCacheByNames operates as an atomic combination of ForceExpire and multiple UpdateFromCache invocations. The result is to collect all entries for DNS names in namesToUpdate from each DNSCache in updates, replacing the current entries for each of those names.
func (*DNSCache) UnmarshalJSON ¶
UnmarshalJSON rebuilds a DNSCache from serialized JSON. Note: This is destructive to any currect data. Use UpdateFromCache for bulk updates.
func (*DNSCache) Update ¶
Update inserts a new entry into the cache. After insertion cache entries for name are expired and redundant entries evicted. This is O(number of new IPs) for eviction, and O(number of IPs for name) for expiration. lookupTime is the time the DNS information began being valid. It should be in the past. name is used as is and may be an unqualified name (e.g. myservice.namespace). ips may be an IPv4 or IPv6 IP. Duplicates will be removed. ttl is the DNS TTL for ips and is a seconds value.
func (*DNSCache) UpdateFromCache ¶
UpdateFromCache is a utility function that allows updating a DNSCache instance with all the internal entries of another. Latest-Expiration still applies, thus the merged outcome is consistent with adding the entries individually. When namesToUpdate has non-zero length only those names are updated from update, otherwise all DNS names in update are used.
type DNSIPRecords ¶
type DNSIPRecords struct { // TTL is the time, in seconds, that these IPs are valid for TTL int // IPs are the IPs associated with a DNS Name IPs []net.IP }
DNSIPRecords mimics the RR data from an A or AAAA response. My kingdom for a DNS IP RR type that isn't hidden in the stdlib or has a million layers of type indirection.
type DNSZombieMapping ¶
type DNSZombieMapping struct { // Names is the list of names that had DNS lookups with this IP. These may // derive from unrelated DNS lookups. The list is maintained de-duplicated. Names []string `json:"names,omitempty"` // IP is an address that is pending for delete but may be in-use by a // connection. IP netip.Addr `json:"ip,omitempty"` // AliveAt is the last time this IP was marked alive via // DNSZombieMappings.MarkAlive. // When AliveAt is later than DNSZombieMappings.lastCTGCUpdate the zombie is // considered alive. AliveAt time.Time `json:"alive-at,omitempty"` // DeletePendingAt is the time at which this IP was most-recently scheduled // for deletion. This can be updated if an IP expires from the DNS caches // multiple times. // When DNSZombieMappings.lastCTGCUpdate is earlier than DeletePendingAt a // zombie is alive. DeletePendingAt time.Time `json:"delete-pending-at,omitempty"` // contains filtered or unexported fields }
DNSZombieMapping is an IP that has expired or been evicted from a DNS cache. It records the DNS name and IP, along with other bookkeeping timestamps that help determine when it can be finally deleted. Zombies are dead when they are not marked alive by CT GC. Special handling exists when the count of zombies is large. Overlimit zombies are deleted in GC with the following preferences (this is cumulative and in order of precedence):
- Zombies with zero AliveAt are evicted before those with a non-zero value (i.e. known connections marked by CT GC are evicted last)
- Zombies with an earlier DeletePendingAtTime are evicted first. Note: Upsert sets DeletePendingAt on every update, thus making GC prefer to evict IPs with less DNS churn on them.
- Zombies with the lowest count of DNS names in them are evicted first
func (*DNSZombieMapping) DeepCopy ¶
func (zombie *DNSZombieMapping) DeepCopy() *DNSZombieMapping
DeepCopy returns a copy of zombie that does not share any internal pointers or fields
type DNSZombieMappings ¶
DNSZombieMappings collects DNS Name->IP mappings that may be inactive and evicted, and so may be deleted. They are periodically marked alive by the CT GC goroutine. When .GC is called, alive and dead zombies are returned, allowing us to skip deleting an IP from the global DNS cache to avoid breaking connections that outlast the DNS TTL.
func NewDNSZombieMappings ¶
func NewDNSZombieMappings(max, perHostLimit int) *DNSZombieMappings
NewDNSZombieMappings constructs a DNSZombieMappings that is read to use
func (*DNSZombieMappings) DumpAlive ¶
func (zombies *DNSZombieMappings) DumpAlive(cidrMatcher CIDRMatcherFunc) (alive []*DNSZombieMapping)
DumpAlive returns copies of still-alive zombies matching cidrMatcher.
func (*DNSZombieMappings) ForceExpire ¶
func (zombies *DNSZombieMappings) ForceExpire(expireLookupsBefore time.Time, nameMatch *regexp.Regexp) (namesAffected []string)
ForceExpire is used to clear zombies irrespective of their alive status. Only zombies with DeletePendingAt times before expireLookupBefore are considered for deletion. Each name in an zombie is matched against nameMatcher (nil is match all) and when an zombie no longer has any valid names will it be removed outright. Note that all parameters must match, if provided. `time.Time{}` is the match-all time parameter. expireLookupsBefore requires an zombie to have been enqueued before the specified time in order to remove it. For example:
ForceExpire(time.Time{}, 'cilium.io') expires all entries for cilium.io. ForceExpire(time.Now(), 'cilium.io') expires all entries for cilium.io that expired before the current time.
nameMatch will remove that specific DNS name from zombies that include it, deleting it when no DNS names remain.
func (*DNSZombieMappings) ForceExpireByNameIP ¶
func (zombies *DNSZombieMappings) ForceExpireByNameIP(expireLookupsBefore time.Time, name string, ips ...net.IP) error
ForceExpireByNameIP wraps ForceExpire to simplify clearing all IPs from a new DNS lookup. The error return is for errors compiling the internal regexp. This should never happen.
func (*DNSZombieMappings) GC ¶
func (zombies *DNSZombieMappings) GC() (alive, dead []*DNSZombieMapping)
GC returns alive and dead DNSZombieMapping entries. This removes dead zombies interally, and repeated calls will return different data. Zombies are alive if they have been marked alive (with MarkAlive). When SetCTGCTime is called and an zombie not marked alive, it becomes dead. Calling Upsert on a dead zombie will make it alive again. Alive zombies are limited by zombies.max. 0 means no zombies are allowed, disabling the behavior. It is expected to be a large value and is in place to avoid runaway zombie growth when CT GC is at a large interval.
func (*DNSZombieMappings) MarkAlive ¶
func (zombies *DNSZombieMappings) MarkAlive(now time.Time, ip netip.Addr)
MarkAlive makes an zombie alive and not dead. When now is later than the time set with SetCTGCTime the zombie remains alive.
func (*DNSZombieMappings) MarshalJSON ¶
func (zombies *DNSZombieMappings) MarshalJSON() ([]byte, error)
MarshalJSON encodes DNSZombieMappings into JSON. Only the DNSZombieMapping entries are encoded.
func (*DNSZombieMappings) SetCTGCTime ¶
func (zombies *DNSZombieMappings) SetCTGCTime(ctGCStart time.Time)
SetCTGCTime marks the start of the most recent CT GC. This must be set after all MarkAlive calls complete to avoid a race between the DNS garbage collector and the CT GC. This would occur when a DNS zombie that has not been visited by the CT GC run is seen by a concurrent DNS garbage collector run, and then deleted. When 'ctGCStart' is later than an alive timestamp, set with MarkAlive, the zombie is no longer alive. Thus, this call acts as a gating function for what data is returned by GC.
func (*DNSZombieMappings) UnmarshalJSON ¶
func (zombies *DNSZombieMappings) UnmarshalJSON(raw []byte) error
UnmarshalJSON rebuilds a DNSZombieMappings from serialized JSON. It resets the AliveAt timestamps, requiring a CT GC cycle to occur before any zombies are deleted (by not being marked alive). Note: This is destructive to any currect data
func (*DNSZombieMappings) Upsert ¶
func (zombies *DNSZombieMappings) Upsert(expiryTime time.Time, addr netip.Addr, qname ...string) (updatedExisting bool)
Upsert enqueues the ip -> qname as a possible deletion updatedExisting is true when an earlier enqueue existed and was updated If an existing entry is updated, the later expiryTime is applied to the existing entry.
type EndpointDNSInfo ¶ added in v1.15.0
type EndpointDNSInfo struct { ID string DNSHistory *DNSCache DNSZombies *DNSZombieMappings }
type IPCache ¶ added in v1.15.0
type IPCache interface { UpsertPrefixes(prefixes []netip.Prefix, src source.Source, resource ipcacheTypes.ResourceID) uint64 RemovePrefixes(prefixes []netip.Prefix, src source.Source, resource ipcacheTypes.ResourceID) }
type NameManager ¶
NameManager maintains state DNS names, via FQDNSelector or exact match for polling, need to be tracked. It is the main structure which relates the FQDN subsystem to the policy subsystem for plumbing the relation between a DNS name and the corresponding IPs which have been returned via DNS lookups. When DNS updates are given to a NameManager it update cached selectors as required via UpdateSelectors. DNS information is cached, respecting TTL.
func NewNameManager ¶
func NewNameManager(config Config) *NameManager
NewNameManager creates an initialized NameManager. When config.Cache is nil, the global fqdn.DefaultDNSCache is used.
func (*NameManager) CompleteBootstrap ¶
func (n *NameManager) CompleteBootstrap()
func (*NameManager) DeleteDNSLookups ¶ added in v1.15.0
func (n *NameManager) DeleteDNSLookups(expireLookupsBefore time.Time, matchPatternStr string) error
DeleteDNSLookups force-removes any entries in *all* caches that are not currently actively passing traffic.
func (*NameManager) ForceGenerateDNS ¶
ForceGenerateDNS unconditionally regenerates all rules that refer to DNS names in namesToRegen. These names are FQDNs and toFQDNs.matchPatterns or matchNames that match them will cause these rules to regenerate. Note: This is used only when DNS entries are cleaned up, not when new results are ingested.
func (*NameManager) GC ¶ added in v1.15.0
func (n *NameManager) GC(ctx context.Context) error
GC cleans up TTL expired entries from the DNS policies. It removes stale or undesired entries from the DNS caches. This is done for all per-EP DNSCache instances (ep.DNSHistory) with evictions (whether due to TTL expiry or overlimit eviction) cascaded into ep.DNSZombies. Data in DNSHistory and DNSZombies is further collected into the global DNSCache instance. The data there drives toFQDNs policy via NameManager and ToFQDNs selectors. DNSCache entries expire data when the TTL elapses and when the entries for a DNS name are above a limit. The data is then placed into DNSZombieMappings instances. These rely on the CT GC loop to update liveness for each to-delete IP. When an IP is not in-use it is finally deleted from the global DNSCache. Until then, each of these IPs is inserted into the global cache as a synthetic DNS lookup.
func (*NameManager) GetModel ¶
func (n *NameManager) GetModel() *models.NameManager
GetModel returns the API model of the NameManager.
func (*NameManager) Lock ¶
func (n *NameManager) Lock()
Lock must be held during any calls to RegisterForIPUpdatesLocked or UnregisterForIPUpdatesLocked. Because the NameManager and SelectorCache have interleaving locks, we must ALWAYS lock the NameManager first before locking the SelectorCache.
func (*NameManager) LockName ¶ added in v1.15.0
func (n *NameManager) LockName(name string)
LockName is used to serialize parallel end-to-end updates to the same name.
It is needed due to some subtleties around NameManager locks and policy updates. Specifically, we unlock the NameManager after updates are queued to endpoints, but *before* changes are pushed to policy maps. So, if a second request comes in during this state, it may encounter policy drops until the policy updates are complete.
Serializing on names prevents this.
Rather than having a potentially unbounded set of per-name locks, this buckets names in to a set of locks. The lock count is configurable.
func (*NameManager) RegisterForIPUpdatesLocked ¶ added in v1.15.0
func (n *NameManager) RegisterForIPUpdatesLocked(selector api.FQDNSelector) []netip.Addr
RegisterForIPUpdatesLocked exposes this FQDNSelector so that updates to IPs for names that this selector maches can be propagated back to the SelectorCache via `UpdateFQDNSelector`. All DNS names contained within the NameManager's cache are iterated over to see if they match the FQDNSelector. All already-existing IPs which correspond to the DNS names which match this Selector will be returned so the selector is ready for updates.
Because this method is called by the SelectorCache, we cannot make any calls back in to the SelectorCache from this method.
func (*NameManager) RestoreCache ¶ added in v1.15.0
func (n *NameManager) RestoreCache(preCachePath string, restoredEPs []EndpointDNSInfo)
RestoreCache loads cache state from the restored system: - adds any pre-cached DNS entries - repopulates the cache from the (persisted) endpoint DNS cache and zombies
func (*NameManager) StartGC ¶ added in v1.15.0
func (n *NameManager) StartGC(ctx context.Context)
func (*NameManager) Unlock ¶
func (n *NameManager) Unlock()
Unlock must be called after calls to RegisterForIPUpdatesLocked or UnregisterForIPUpdatesLocked are done.
func (*NameManager) UnlockName ¶ added in v1.15.0
func (n *NameManager) UnlockName(name string)
UnlockName releases a lock previously acquired by LockName()
func (*NameManager) UnregisterForIPUpdatesLocked ¶ added in v1.15.0
func (n *NameManager) UnregisterForIPUpdatesLocked(selector api.FQDNSelector)
UnregisterForIPUpdatesLocked removes this FQDNSelector from the set of FQDNSelectors which are being tracked by the NameManager. No more updates for IPs which correspond to said selector are propagated.
func (*NameManager) UpdateGenerateDNS ¶
func (n *NameManager) UpdateGenerateDNS(ctx context.Context, lookupTime time.Time, updatedDNSIPs map[string]*DNSIPRecords) *sync.WaitGroup
UpdateGenerateDNS inserts the new DNS information into the cache. If the IPs have changed for a name they will be reflected in updatedDNSIPs.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package re provides a simple function to access compile regex objects for the FQDN subsystem.
|
Package re provides a simple function to access compile regex objects for the FQDN subsystem. |
The restore package provides data structures important to restoring DNS proxy rules.
|
The restore package provides data structures important to restoring DNS proxy rules. |