Avoid unnecessary DNS queries for FQDN rule of NetworkPolicy #6200

Merged on Apr 10, 2024 (1 commit)

Commits on Apr 8, 2024

  1. Avoid unnecessary DNS queries for FQDN rule of NetworkPolicy

    The agent maintains DNS cache for FQDNs matching any FQDN rule of
    NetworkPolicy in two ways, one of which is that it periodically queries
    these FQDNs. However, it turned out that the current implementation made
    more queries than needed, for several reasons:
    
    1. addFQDNRule() always triggered a DNS query immediately even if the
       FQDN was already tracked, and the function was called by
       podReconciler every time the rule was updated. This means if a FQDN's
       resolution is changed by a proactive query or a packet-in event, the
       FQDN would always be queried another time immediately.
    2. When calculating the expiration time for proactively queried records
       and the delay for next query, the pre-query timestamp was used as the
       base. This caused the next query to likely return the same record
       with a very small TTL, leading to another unnecessary query
       eventually. Besides, this is inconsistent with the base timestamp
       used for records received from packet-in events.
    
    The patch makes the following improvements:
    
    1. Do not trigger an immediate query if the FQDN added by addFQDNRule()
       is already tracked.
    2. Do not traverse dnsEntryCache when processing a FQDN matching name in
       addFQDNSelector().
    3. Use post-response timestamp as the base of expiration time
       consistently.
    4. Make logs about DNS query failure concentrated and clear.
    
    Signed-off-by: Quan Tian <[email protected]>
    tnqn committed Apr 8, 2024
    7330be4
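
The effect of the base timestamp described in point 2 of the commit message can be reproduced with a small virtual-clock simulation. This is an added example, not code from the project: the `resolver` type, the `simulate` function, the latency and TTL constants, and the millisecond TTL granularity are assumptions made for illustration.

```go
package main

import "fmt"

// Constructed model, all times in milliseconds on a virtual clock.
const (
	recordTTL   = 30000 // TTL the authoritative server hands out
	missLatency = 200   // upstream resolver must recurse before answering
	hitLatency  = 5     // upstream resolver answers from its own cache
)

// resolver models a caching upstream DNS server for a single name.
type resolver struct{ cachedUntil int64 }

// query returns the time the response arrives and the TTL it carries.
func (r *resolver) query(sent int64) (recv, ttl int64) {
	if sent < r.cachedUntil { // cache hit: only the remaining TTL is returned
		return sent + hitLatency, r.cachedUntil - sent
	}
	recv = sent + missLatency // cache miss: fresh record with the full TTL
	r.cachedUntil = recv + recordTTL
	return recv, recordTTL
}

// simulate runs a proactive refresh loop until horizon and returns the
// total number of queries and how many responses carried a reduced TTL.
func simulate(usePostResponseBase bool, horizon int64) (queries, shortTTL int) {
	r := &resolver{}
	for sent := int64(0); sent < horizon; {
		recv, ttl := r.query(sent)
		queries++
		if ttl < recordTTL {
			shortTTL++
		}
		base := sent // pre-query timestamp
		if usePostResponseBase {
			base = recv
		}
		sent = base + ttl // the record's expiration schedules the next query
	}
	return queries, shortTTL
}

func main() {
	for _, post := range []bool{false, true} {
		q, s := simulate(post, 120000)
		fmt.Printf("postResponseBase=%v queries=%d shortTTL=%d\n", post, q, s)
	}
}
```

With the pre-query base, every refresh lands just before the upstream cache entry expires, so each full-TTL answer is followed by a short-TTL answer and one extra query.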