ndots-admission-controller

command module

v0.3.0 Latest Latest Go to latest Published: Jan 8, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/maxlaverse/ndots-admission-controller

Links

Open Source Insights

README ¶

ndots-admission-controller

Go Version Releases

A Kubernetes Admission Controller that injects spec.dnsConfig.options.ndots:1 inside Pods upon creation (if not present). This prevents most of the DNS resolvers from issuing extra DNS requests based on the local search list, which improves performance at the expense of portability.

Supported Versions

The controller has been tested and built with the following components:

Kubernetes >= 1.19
Cert-Manager >= 1.4.0

Installation

helm repo add maxlaverse https://maxlaverse.github.io/helm-charts/
helm repo update
helm install ndots-admission-controller maxlaverse/ndots-admission-controller

What is ndots ?

From man resolv.conf

ndots:n

Sets a threshold for the number of dots which must appear in a name [...] before an initial absolute query will be made. The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it. The value for this option is silently capped to 15.

By default, Kubernetes sets ndots:5 with at least <namespace>.svc.cluster.local, svc.cluster.local, and cluster.local as search items (see author's explanation on the number 5)

Example: For a Pod running in the default Kubernetes namespace, when trying to resolve google.com the DNS resolver would make the following requests:

google.com.default.svc.cluster.local
google.com.svc.cluster.local
google.com.cluster.local
google.com

The first 3 requests are unnecessary as we know the exact name of the domain we want to reach. To prevent this behavior, we have two possibilities:

append a final dot to the hostname, making it fully qualified: google.com => google.com..
set ndots to 1 or 0.

The first solution is inconvenient:

it requires appending the final dot in a lot of different places that are not always easily accessible (e.g. libraries of SaaS providers).
some load-balancers return SSL errors because the Common Name doesn't match anymore.
monitoring tools would often treat both google.com and google.com. as separate domains.

The ndots-admission-controller is an implementation of the second solution.

License

Distributed under the Apache License. See LICENSE for more information.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
pkg

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL