siderolabs / omni-feedback

Omni feature requests, bug reports
https://www.siderolabs.com/platform/saas-for-kubernetes/
MIT License

[bug] CoreDNS clusterrole is missing permissions #36

Closed thecodeassassin closed 1 year ago

thecodeassassin commented 1 year ago

Is there an existing issue for this?

Current Behavior

$ k describe clusterrole system:coredns -n kube-system
Name:         system:coredns
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  endpoints   []                 []              [list watch]
  namespaces  []                 []              [list watch]
  pods        []                 []              [list watch]
  services    []                 []              [list watch]

Expected Behavior

$ k describe clusterrole system:coredns -n kube-system
Name:         system:coredns
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  endpoints   []                 []              [list watch]
  namespaces  []                 []              [list watch]
  pods        []                 []              [list watch]
  services    []                 []              [list watch]
  nodes       []                 []              [get]

Steps To Reproduce

Create an omni cluster with the following versions:

Talos - 1.3.7
Kubernetes - 1.26.2

One controller node (arm64) on Hetzner Cloud
Two worker nodes (amd64) on Hetzner Cloud

Setup private networking between the nodes

Try to do an nslookup:

apiVersion: v1
kind: Pod
metadata:
  name: dnsutils
  namespace: default
spec:
  containers:

kubectl exec -it dnsutils -- nslookup kubernetes.default

What browsers are you seeing the problem on?

No response

Anything else?

No response

smira commented 1 year ago

As a workaround, you can update the ClusterRole using kubectl - the change won't be reverted. We'll look into fixing this, thank you!
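The workaround above (grant the ClusterRole exactly the missing permission, then verify it), as an added example that is not part of this issue thread or of Omni/Talos. The ClusterRole dict is constructed from the `describe` output in the report; `can_i`, `grant_minimal` and `json_patch` are hypothetical helpers that mimic `kubectl auth can-i` and emit a JSON Patch for `kubectl patch`.

```python
import json

# ClusterRole as reported in the issue (constructed from the describe output above;
# kubectl describe prints one row per resource even when they share a single rule).
COREDNS_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "system:coredns"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["endpoints", "namespaces", "pods", "services"],
         "verbs": ["list", "watch"]},
    ],
}

def can_i(role, verb, resource, api_group=""):
    """Mimic 'kubectl auth can-i' against a single ClusterRole: allowed if any
    rule matches API group, resource and verb ('*' acts as a wildcard)."""
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if "*" not in groups and api_group not in groups:
            continue
        resources = rule.get("resources", [])
        if "*" not in resources and resource not in resources:
            continue
        verbs = rule.get("verbs", [])
        if "*" in verbs or verb in verbs:
            return True
    return False

def grant_minimal(role, resource, verbs, api_group=""):
    """Copy of role with only the verbs that are actually missing added as one
    rule, so the workaround grants no more than the debugging guide asks for."""
    patched = json.loads(json.dumps(role))  # deep copy, leave the input untouched
    missing = [v for v in verbs if not can_i(patched, v, resource, api_group)]
    if missing:
        patched["rules"].append(
            {"apiGroups": [api_group], "resources": [resource], "verbs": missing})
    return patched

def json_patch(role, resource, verbs, api_group=""):
    """JSON Patch for: kubectl patch clusterrole system:coredns --type=json -p '...'
    Returns '[]' when nothing is missing, so re-applying it is idempotent."""
    missing = [v for v in verbs if not can_i(role, v, resource, api_group)]
    if not missing:
        return "[]"
    return json.dumps([{"op": "add", "path": "/rules/-", "value":
                        {"apiGroups": [api_group], "resources": [resource], "verbs": missing}}])

if __name__ == "__main__":
    fixed = grant_minimal(COREDNS_ROLE, "nodes", ["get"])
    print("get nodes before:", can_i(COREDNS_ROLE, "get", "nodes"), "after:", can_i(fixed, "get", "nodes"))
    print("kubectl patch clusterrole system:coredns --type=json -p '%s'" % json_patch(COREDNS_ROLE, "nodes", ["get"]))
```

After applying the patch, `kubectl auth can-i get nodes --as=system:serviceaccount:kube-system:coredns` is the in-cluster equivalent of the `can_i` check; the role still does not get `list` or `watch` on nodes.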

smira commented 1 year ago

I don't see nodes in the default ClusterRole generated by Helm official CoreDNS repo, so I'm not sure whether it's something else

thecodeassassin commented 1 year ago

> I don't see nodes in the default ClusterRole generated by Helm official CoreDNS repo, so I'm not sure whether it's something else

I followed the debugging steps here:

https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#does-coredns-have-sufficient-permissions

And it clearly states it needs those permissions. I can also confirm when I added them everything started working.

smira commented 1 year ago

Very interesting, it's not there in the upstream CoreDNS helm chart: https://github.com/coredns/helm/blob/master/charts/coredns/templates/clusterrole.yaml

I wonder if there's some kind of issue there.

smira commented 1 year ago

Created issue on Talos side for it: https://github.com/siderolabs/talos/issues/7113

smira commented 1 year ago

I can't reproduce the issue when using Talos and default installation:

$ kubectl exec -i -t dnsutils -- nslookup kubernetes
Server:     10.96.0.10
Address:    10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

The node scope was dropped a long time ago, and probably the Kubernetes docs were never updated to reflect this.

smira commented 1 year ago

I'm going to close this issue, but if there's more info, happy to look more into it.