Change DNS Config and Policy

The default DNS policy in Kubernetes gives flexible service access, but it adds latency at scale and needs to be optimized. This policy optimizes the performance of DNS queries by setting DNS options, the nodelocalDNS IP, and search domains. It can be applied to clusters provisioned by kubeadm.

Policy Definition

/other/dns-policy-and-dns-config/dns-policy-and-dns-config.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: change-dns-config-policy
  annotations:
    policies.kyverno.io/title: Change DNS Config and Policy
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.1
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The Default DNS policy in Kubernetes gives the flexibility of service
      access; however, it costs some latency on a high scale, and it needs to
      be optimized. This policy helps us to optimize the performance of DNS
      queries by setting DNS Options, nodelocalDNS IP, and search Domains.
      This policy can be applied for the clusters provisioned by kubeadm.
spec:
  rules:
  - name: dns-policy
    context:
    - name: dictionary
      configMap:
        # The kubelet-config ConfigMap would also work, using clusterDomain
        # instead of clusterName, but kubeadm-config is more reliable because
        # kubelet-config changes on every cluster upgrade, etc.
        name: kubeadm-config
        namespace: kube-system
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      any:
      # Only mutate Pods that use cluster DNS or already supply their own dnsConfig.
      - key: "{{ request.object.spec.dnsPolicy || '' }}"
        operator: AnyIn
        value:
        - ClusterFirst
        - ClusterFirstWithHostNet
        - None
    mutate:
      patchStrategicMerge:
        spec:
          dnsConfig:
            nameservers:
            # NodelocalDNS IP
            - 169.254.25.10
            options:
            - name: timeout
              value: "1"
            - name: ndots
              value: "2"
            - name: attempts
              value: "1"
            # The search domains are built from clusterName, so this assumes
            # clusterName in kubeadm-config equals the cluster DNS domain.
            # kubeadm's own default clusterName is "kubernetes"; the DNS
            # domain itself is stored under networking.dnsDomain.
            searches:
            - "svc.{{ dictionary.data.ClusterConfiguration | parse_yaml(@).clusterName }}"
            - "{{ request.namespace }}.svc.{{ dictionary.data.ClusterConfiguration | parse_yaml(@).clusterName }}"
          dnsPolicy: None
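
The following is an added example, not part of the Kyverno policy or project: a small simulation of resolver search-list expansion comparing the kubelet's default `ClusterFirst` settings (`ndots:5`, three search domains) with the `ndots:2` and two search domains this policy writes. It shows where lookups get cheaper and which name forms stop resolving once the bare cluster-domain search entry is gone. Assumptions: the cluster domain is `cluster.local`, the namespace is `default`, the zone contents are constructed, and the resolver follows glibc ordering.

```python
"""Simulate resolv.conf search-list expansion (glibc-style ordering assumed)."""


def candidates(name, searches, ndots):
    """Return the FQDNs a stub resolver tries, in order, until one answers."""
    if name.endswith("."):            # already absolute: search list is skipped
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{s}." for s in searches]
    if name.count(".") >= ndots:      # "enough dots": try the name as-is first
        return [absolute] + expanded
    return expanded + [absolute]      # otherwise as-is is the last resort


def lookups_until_hit(name, searches, ndots, zone):
    """Count queries sent before a name in `zone` answers; None if none does."""
    for i, fqdn in enumerate(candidates(name, searches, ndots), start=1):
        if fqdn in zone:
            return i
    return None


# Assumptions (not from the page): cluster domain and namespace.
DOMAIN, NS = "cluster.local", "default"

# What the kubelet writes for dnsPolicy: ClusterFirst (node search domains omitted).
DEFAULT = dict(searches=[f"{NS}.svc.{DOMAIN}", f"svc.{DOMAIN}", DOMAIN], ndots=5)
# What the policy's dnsConfig produces, in the order the policy lists the domains.
POLICY = dict(searches=[f"svc.{DOMAIN}", f"{NS}.svc.{DOMAIN}"], ndots=2)

# Constructed zone: one in-cluster Service and one external host.
ZONE = {f"redis.{NS}.svc.{DOMAIN}.", "api.example.com."}


def compare(name):
    """Return (queries under the default config, queries under the policy)."""
    return (lookups_until_hit(name, zone=ZONE, **DEFAULT),
            lookups_until_hit(name, zone=ZONE, **POLICY))


if __name__ == "__main__":
    for n in ("api.example.com", "redis", "redis.default", "redis.default.svc"):
        print(f"{n:20} default/policy queries: {compare(n)}")
```

A `None` in the policy column means the name never resolves under the mutated configuration, so workloads that address Services as `<service>.<namespace>.svc` need the fully qualified name before the policy is enforced.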