openshift · openshift-merge-robot · Sep 8, 2022 · Sep 3, 2022
diff --git a/assets/bindata_timestamp.txt b/assets/bindata_timestamp.txt
@@ -1 +1 @@
-1658914160
+1654679854
diff --git a/assets/components/openshift-dns/dns/daemonset.yaml b/assets/components/openshift-dns/dns/daemonset.yaml
@@ -1,101 +1,93 @@
 kind: DaemonSet
 apiVersion: apps/v1
-metadata:
-  labels:
-    dns.operator.openshift.io/owning-dns: default
-  name: dns-default
-  namespace: openshift-dns
 spec:
-  selector:
-    matchLabels:
-      dns.operator.openshift.io/daemonset-dns: default
   template:
     metadata:
-      labels:
-        dns.operator.openshift.io/daemonset-dns: default
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+      labels:
+        dns.operator.openshift.io/daemonset-dns: default
     spec:
       serviceAccountName: dns
       priorityClassName: system-node-critical
       containers:
-      - name: dns
-        image: {{ .ReleaseImage.coredns }}
-        imagePullPolicy: IfNotPresent
-        terminationMessagePolicy: FallbackToLogsOnError
-        command: [ "coredns" ]
-        args: [ "-conf", "/etc/coredns/Corefile" ]
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/coredns
-          readOnly: true
-        ports:
-        - containerPort: 5353
-          name: dns
-          protocol: UDP
-        - containerPort: 5353
-          name: dns-tcp
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /ready
-            port: 8181
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 3
-          successThreshold: 1
-          failureThreshold: 3
-          timeoutSeconds: 3
-        livenessProbe:
-          httpGet:
-            path: /health
-            port: 8080
-            scheme: HTTP
-          initialDelaySeconds: 60
-          timeoutSeconds: 5
-          successThreshold: 1
-          failureThreshold: 5
-        resources:
-          requests:
-            cpu: 50m
-            memory: 70Mi
-      - name: kube-rbac-proxy
-        image: {{ .ReleaseImage.kube_rbac_proxy }}
-        imagePullPolicy: IfNotPresent
-        args:
-        - --secure-listen-address=:9154
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-        - --upstream=http://127.0.0.1:9153/
-        - --tls-cert-file=/etc/tls/private/tls.crt
-        - --tls-private-key-file=/etc/tls/private/tls.key
-        ports:
-        - containerPort: 9154
-          name: metrics
-        resources:
-          requests:
-            cpu: 10m
-            memory: 40Mi
-        volumeMounts:
-        - mountPath: /etc/tls/private
-          name: metrics-tls
-          readOnly: true
+        - name: dns
+          imagePullPolicy: IfNotPresent
+          terminationMessagePolicy: FallbackToLogsOnError
+          command: ["coredns"]
+          args: ["-conf", "/etc/coredns/Corefile"]
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/coredns
+              readOnly: true
+          ports:
+            - containerPort: 5353
+              name: dns
+              protocol: UDP
+            - containerPort: 5353
+              name: dns-tcp
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8181
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 3
+            successThreshold: 1
+            failureThreshold: 3
+            timeoutSeconds: 3
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 5
+          resources:
+            requests:
+              cpu: 50m
+              memory: 70Mi
+          image: {{ .ReleaseImage.coredns }}
+        - name: kube-rbac-proxy
+          args:
+            - --logtostderr
+            - --secure-listen-address=:9154
+            - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+            - --upstream=http://127.0.0.1:9153/
+            - --tls-cert-file=/etc/tls/private/tls.crt
+            - --tls-private-key-file=/etc/tls/private/tls.key
+          ports:
+            - containerPort: 9154
+              name: metrics
+          resources:
+            requests:
+              cpu: 10m
+              memory: 40Mi
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: metrics-tls
+              readOnly: true
+          image: {{ .ReleaseImage.kube_rbac_proxy }}
+          imagePullPolicy: IfNotPresent
       dnsPolicy: Default
-      nodeSelector:
-        kubernetes.io/os: linux      
       volumes:
-      - name: config-volume
-        configMap:
-          items:
-          - key: Corefile
-            path: Corefile
-          name: dns-default
-      - name: metrics-tls
-        secret:
-          defaultMode: 420
-          secretName: dns-default-metrics-tls
+        - name: config-volume
+          configMap:
+            items:
+              - key: Corefile
+                path: Corefile
+            name: dns-default
+        - name: metrics-tls
+          secret:
+            defaultMode: 420
+            secretName: dns-default-metrics-tls
+      nodeSelector:
+        kubernetes.io/os: linux
       tolerations:
-      # DNS needs to run everywhere. Tolerate all taints
-      - operator: Exists
+        - operator: Exists
   updateStrategy:
     type: RollingUpdate
     rollingUpdate:
@@ -104,3 +96,9 @@ spec:
       # Note: The daemon controller rounds the percentage up
       # (unlike the deployment controller, which rounds down).
       maxUnavailable: 10%
+  selector:
+    matchLabels:
+      dns.operator.openshift.io/daemonset-dns: default
+metadata:
+  name: dns-default
+  namespace: openshift-dns
diff --git a/assets/components/openshift-dns/dns/namespace.yaml b/assets/components/openshift-dns/dns/namespace.yaml
@@ -10,4 +10,8 @@ metadata:
     openshift.io/run-level: "0"
     # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
     openshift.io/cluster-monitoring: "true"
-
+    # allow node-resolver daemonset to pass baseline pod security admission.
+    # It uses host networking, host path volumes, and is a privileged.
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/assets/components/openshift-dns/dns/service.yaml b/assets/components/openshift-dns/dns/service.yaml
@@ -1,30 +1,24 @@
 kind: Service
 apiVersion: v1
+spec:
+  ports:
+    - name: dns
+      port: 53
+      targetPort: dns
+      protocol: UDP
+    - name: dns-tcp
+      port: 53
+      targetPort: dns-tcp
+      protocol: TCP
+    - name: metrics
+      port: 9154
+      targetPort: metrics
+      protocol: TCP
+  clusterIP: {{.ClusterIP}}
+  selector:
+    dns.operator.openshift.io/daemonset-dns: default
 metadata:
   annotations:
     service.beta.openshift.io/serving-cert-secret-name: dns-default-metrics-tls
-  labels:
-      dns.operator.openshift.io/owning-dns: default
   name: dns-default
   namespace: openshift-dns
-spec:
-  clusterIP: {{.ClusterIP}}
-  selector:
-    dns.operator.openshift.io/daemonset-dns: default
-  ports:
-  - name: dns
-    port: 53
-    targetPort: dns
-    protocol: UDP
-  - name: dns-tcp
-    port: 53
-    targetPort: dns-tcp
-    protocol: TCP
-  - name: metrics
-    port: 9154
-    targetPort: metrics
-    protocol: TCP
-  # TODO: Uncomment when service topology feature gate is enabled.
-  #topologyKeys:
-  #  - "kubernetes.io/hostname"
-  #  - "*"