diff --git a/features.md b/features.md
index 5259884ec63..623d74ab140 100644
--- a/features.md
+++ b/features.md
@@ -8,6 +8,7 @@
| ShortCertRotation| | | | | | | | |
| ClusterAPIComputeInstall| | | Enabled | Enabled | | | | |
| ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | |
+| DNSTemplatePlugin| | | Enabled | Enabled | | | | |
| Example2| | | Enabled | Enabled | | | | |
| ExternalSnapshotMetadata| | | Enabled | Enabled | | | | |
| KMSEncryptionProvider| | | Enabled | Enabled | | | | |
diff --git a/features/features.go b/features/features.go
index 3ba5f3113e9..28b2be492b7 100644
--- a/features/features.go
+++ b/features/features.go
@@ -257,6 +257,14 @@ var (
enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
mustRegister()
+ FeatureGateDNSTemplatePlugin = newFeatureGate("DNSTemplatePlugin").
+ reportProblemsToJiraComponent("dns").
+ contactPerson("grzpiotrowski").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1936").
+ enable(inDevPreviewNoUpgrade()).
+ mustRegister()
+
FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes").
reportProblemsToJiraComponent("MachineConfigOperator").
contactPerson("ijanssen").
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index afbc328037c..9035a654766 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -1175,6 +1175,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/openshift/api/operator/v1.ReloadService": schema_openshift_api_operator_v1_ReloadService(ref),
"github.com/openshift/api/operator/v1.ResourceAttributesAccessReview": schema_openshift_api_operator_v1_ResourceAttributesAccessReview(ref),
"github.com/openshift/api/operator/v1.RestartService": schema_openshift_api_operator_v1_RestartService(ref),
+ "github.com/openshift/api/operator/v1.ReturnEmptyAction": schema_openshift_api_operator_v1_ReturnEmptyAction(ref),
"github.com/openshift/api/operator/v1.RouteAdmissionPolicy": schema_openshift_api_operator_v1_RouteAdmissionPolicy(ref),
"github.com/openshift/api/operator/v1.SFlowConfig": schema_openshift_api_operator_v1_SFlowConfig(ref),
"github.com/openshift/api/operator/v1.Server": schema_openshift_api_operator_v1_Server(ref),
@@ -1204,6 +1205,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/openshift/api/operator/v1.StorageSpec": schema_openshift_api_operator_v1_StorageSpec(ref),
"github.com/openshift/api/operator/v1.StorageStatus": schema_openshift_api_operator_v1_StorageStatus(ref),
"github.com/openshift/api/operator/v1.SyslogLoggingDestinationParameters": schema_openshift_api_operator_v1_SyslogLoggingDestinationParameters(ref),
+ "github.com/openshift/api/operator/v1.Template": schema_openshift_api_operator_v1_Template(ref),
+ "github.com/openshift/api/operator/v1.TemplateAction": schema_openshift_api_operator_v1_TemplateAction(ref),
"github.com/openshift/api/operator/v1.Theme": schema_openshift_api_operator_v1_Theme(ref),
"github.com/openshift/api/operator/v1.Upstream": schema_openshift_api_operator_v1_Upstream(ref),
"github.com/openshift/api/operator/v1.UpstreamResolvers": schema_openshift_api_operator_v1_UpstreamResolvers(ref),
@@ -52597,11 +52600,17 @@ func schema_openshift_api_operator_v1_DNSSpec(ref common.ReferenceCallback) comm
Ref: ref("github.com/openshift/api/operator/v1.DNSCache"),
},
},
+ "template": {
+ SchemaProps: spec.SchemaProps{
+ Description: "template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. The template defines how to handle queries matching specific zones and query types.\n\nThe template is injected into ALL Corefile server blocks (both custom servers from spec.servers and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.\n\nAAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific zones instead of \".\" to avoid filtering internal IPv6 service addresses (e.g., cluster.local).\n\nWhen this field is not set, no template plugin configuration is added to CoreDNS.",
+ Ref: ref("github.com/openshift/api/operator/v1.Template"),
+ },
+ },
},
},
},
Dependencies: []string{
- "github.com/openshift/api/operator/v1.DNSCache", "github.com/openshift/api/operator/v1.DNSNodePlacement", "github.com/openshift/api/operator/v1.Server", "github.com/openshift/api/operator/v1.UpstreamResolvers"},
+ "github.com/openshift/api/operator/v1.DNSCache", "github.com/openshift/api/operator/v1.DNSNodePlacement", "github.com/openshift/api/operator/v1.Server", "github.com/openshift/api/operator/v1.Template", "github.com/openshift/api/operator/v1.UpstreamResolvers"},
}
}
@@ -60010,6 +60019,28 @@ func schema_openshift_api_operator_v1_RestartService(ref common.ReferenceCallbac
}
}
+func schema_openshift_api_operator_v1_ReturnEmptyAction(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "ReturnEmptyAction configures the template to return empty DNS responses. This is used for query filtering, such as AAAA filtering in IPv4-only clusters.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "rcode": {
+ SchemaProps: spec.SchemaProps{
+ Description: "rcode is the DNS response code to return in the empty response. Valid values are \"NOERROR\".\n\nNOERROR indicates a successful query with no answer records. This is the standard response for AAAA filtering - the query succeeds but returns no IPv6 addresses, causing clients to fall back to A record (IPv4) queries.",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ Required: []string{"rcode"},
+ },
+ },
+ }
+}
+
func schema_openshift_api_operator_v1_RouteAdmissionPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
@@ -61589,6 +61620,98 @@ func schema_openshift_api_operator_v1_SyslogLoggingDestinationParameters(ref com
}
}
+func schema_openshift_api_operator_v1_Template(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "Template defines a template for custom DNS query handling via the CoreDNS template plugin. Templates enable filtering or custom responses for DNS queries matching specific zones and query types.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "zones": {
+ SchemaProps: spec.SchemaProps{
+ Description: "zones specifies the DNS zones this template applies to. Each zone must be a valid DNS name as defined in RFC 1123. The special zone \".\" matches all domains (catch-all). Multiple zones can be specified to apply the same template actions to multiple domains.\n\nExamples: - [\".\"] matches all domains (catch-all for global AAAA filtering) - [\"example.com\"] matches only example.com and its subdomains - [\"example.com\", \"test.com\"] matches both domains and their subdomains",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ },
+ },
+ "queryType": {
+ SchemaProps: spec.SchemaProps{
+ Description: "queryType specifies the DNS query type to match.",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "queryClass": {
+ SchemaProps: spec.SchemaProps{
+ Description: "queryClass specifies the DNS query class to match.",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "actions": {
+ SchemaProps: spec.SchemaProps{
+ Description: "actions defines a list of actions to apply to matching queries.",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: map[string]interface{}{},
+ Ref: ref("github.com/openshift/api/operator/v1.TemplateAction"),
+ },
+ },
+ },
+ },
+ },
+ },
+ Required: []string{"zones", "queryType", "queryClass", "actions"},
+ },
+ },
+ Dependencies: []string{
+ "github.com/openshift/api/operator/v1.TemplateAction"},
+ }
+}
+
+func schema_openshift_api_operator_v1_TemplateAction(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "TemplateAction defines the action taken by the template for matching queries. This is a discriminated union - exactly one action type must be specified.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "returnEmpty": {
+ SchemaProps: spec.SchemaProps{
+ Description: "returnEmpty returns an empty DNS response with the specified response code. This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).\n\nWhen set, the template returns a response with no answer records. For AAAA filtering, this means IPv6 address queries return successfully but with no IPv6 addresses, causing clients to fall back to IPv4 (A record) queries.",
+ Ref: ref("github.com/openshift/api/operator/v1.ReturnEmptyAction"),
+ },
+ },
+ },
+ },
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: spec.Extensions{
+ "x-kubernetes-unions": []interface{}{
+ map[string]interface{}{
+ "discriminator": "returnEmpty",
+ "fields-to-discriminateBy": map[string]interface{}{},
+ },
+ },
+ },
+ },
+ },
+ Dependencies: []string{
+ "github.com/openshift/api/operator/v1.ReturnEmptyAction"},
+ }
+}
+
func schema_openshift_api_operator_v1_Theme(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
diff --git a/operator/v1/types_dns.go b/operator/v1/types_dns.go
index 25880478684..44e4049585b 100644
--- a/operator/v1/types_dns.go
+++ b/operator/v1/types_dns.go
@@ -116,6 +116,21 @@ type DNSSpec struct {
// 30 seconds or as noted in the respective Corefile for your version of OpenShift.
// +optional
Cache DNSCache `json:"cache,omitempty"`
+
+ // template is an optional configuration for custom DNS query handling via the CoreDNS template plugin.
+ // The template defines how to handle queries matching specific zones and query types.
+ //
+ // The template is injected into ALL Corefile server blocks (both custom servers from spec.servers
+ // and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.
+ //
+ // AAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific
+ // zones instead of "." to avoid filtering internal IPv6 service addresses (e.g., cluster.local).
+ //
+ // When this field is not set, no template plugin configuration is added to CoreDNS.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=DNSTemplatePlugin
+ Template *Template `json:"template,omitempty"`
}
// DNSCache defines the fields for configuring DNS caching.
@@ -467,6 +482,112 @@ const (
DNSAvailable = "Available"
)
+// QueryType represents DNS query types supported by templates.
+// +kubebuilder:validation:Enum=AAAA
+type QueryType string
+
+const (
+ // QueryTypeAAAA represents IPv6 address records (AAAA).
+ QueryTypeAAAA QueryType = "AAAA"
+)
+
+// QueryClass represents DNS query classes supported by templates.
+// Valid value is "IN".
+// +kubebuilder:validation:Enum=IN
+type QueryClass string
+
+const (
+ // QueryClassIN represents the Internet class.
+ QueryClassIN QueryClass = "IN"
+)
+
+// ResponseCode represents DNS response codes.
+// +kubebuilder:validation:Enum=NOERROR
+type ResponseCode string
+
+const (
+ // ResponseCodeNOERROR indicates a successful DNS query with or without answer records.
+ // When used with returnEmpty action, this returns an empty response (no AAAA records)
+ // without indicating an error, which is the standard behavior for AAAA filtering.
+ ResponseCodeNOERROR ResponseCode = "NOERROR"
+)
+
+// Template defines a template for custom DNS query handling via the CoreDNS template plugin.
+// Templates enable filtering or custom responses for DNS queries matching specific zones and query types.
+// +openshift:enable:FeatureGate=DNSTemplatePlugin
+type Template struct {
+ // zones specifies the DNS zones this template applies to.
+ // Each zone must be a valid DNS name as defined in RFC 1123.
+ // The special zone "." matches all domains (catch-all).
+ // Multiple zones can be specified to apply the same template actions to multiple domains.
+ //
+ // Examples:
+ // - ["."] matches all domains (catch-all for global AAAA filtering)
+ // - ["example.com"] matches only example.com and its subdomains
+ // - ["example.com", "test.com"] matches both domains and their subdomains
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems=1
+ // +required
+ Zones []string `json:"zones"`
+
+ // queryType specifies the DNS query type to match.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:default=AAAA
+ // +required
+ QueryType QueryType `json:"queryType"`
+
+ // queryClass specifies the DNS query class to match.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:default=IN
+ // +required
+ QueryClass QueryClass `json:"queryClass"`
+
+ // actions defines a list of actions to apply to matching queries.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems=1
+ // +required
+ Actions []TemplateAction `json:"actions"`
+}
+
+// TemplateAction defines the action taken by the template for matching queries.
+// This is a discriminated union - exactly one action type must be specified.
+//
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.returnEmpty)",message="only returnEmpty action is supported"
+type TemplateAction struct {
+ // returnEmpty returns an empty DNS response with the specified response code.
+ // This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).
+ //
+ // When set, the template returns a response with no answer records. For AAAA filtering,
+ // this means IPv6 address queries return successfully but with no IPv6 addresses,
+ // causing clients to fall back to IPv4 (A record) queries.
+ //
+ // +optional
+ // +unionDiscriminator
+ ReturnEmpty *ReturnEmptyAction `json:"returnEmpty,omitempty"`
+}
+
+// ReturnEmptyAction configures the template to return empty DNS responses.
+// This is used for query filtering, such as AAAA filtering in IPv4-only clusters.
+type ReturnEmptyAction struct {
+ // rcode is the DNS response code to return in the empty response.
+ // Valid values are "NOERROR".
+ //
+ // NOERROR indicates a successful query with no answer records. This is the standard
+ // response for AAAA filtering - the query succeeds but returns no IPv6 addresses,
+ // causing clients to fall back to A record (IPv4) queries.
+ //
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=NOERROR
+ // +kubebuilder:default=NOERROR
+ // +required
+ Rcode ResponseCode `json:"rcode"`
+}
+
// DNSStatus defines the observed status of the DNS.
type DNSStatus struct {
// clusterIP is the service IP through which this DNS is made available.
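Review bot: `Zones` in the new `Template` struct documents that each zone must be an RFC 1123 name, but its only marker is `MinItems=1`, so any string — including one carrying Corefile syntax such as braces, whitespace or newlines — is accepted and, per the `template` doc in the first hunk of this file, is injected into every Corefile server block. The generated CRD already enforces a suitable RFC 1123 pattern on `serverName`, so the same shape can be required here while still allowing the catch-all, e.g. `// +kubebuilder:validation:items:MaxLength=253` and `// +kubebuilder:validation:XValidation:rule="self.all(z, z == '.' || z.matches('<RFC1123-pattern as used for serverName>'))",message="zones must be '.' or an RFC 1123 subdomain"`, together with a `// +kubebuilder:validation:MaxItems=<limit>` so the list and the CEL cost are bounded. The same missing upper bound applies to `Actions`, which has `MinItems=1` but no `MaxItems`. Separately, `ReturnEmpty` is tagged `+unionDiscriminator` although it is a pointer member rather than a discriminator string, which is presumably why the generated `x-kubernetes-unions` extension ends up with `"fields-to-discriminateBy": {}`; `+unionMember` looks like the intended marker, worth confirming against the repo's union conventions.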
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..96b74c61a7a
--- /dev/null
+++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,699 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/475
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: CustomNoUpgrade
+ name: dnses.operator.openshift.io
+spec:
+ group: operator.openshift.io
+ names:
+ kind: DNS
+ listKind: DNSList
+ plural: dnses
+ singular: dns
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DNS manages the CoreDNS component to provide a name resolution service
+ for pods and services in the cluster.
+
+ This supports the DNS-based service discovery specification:
+ https://github.com/kubernetes/dns/blob/master/docs/specification.md
+
+ More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec is the specification of the desired behavior of the
+ DNS.
+ properties:
+ cache:
+ description: |-
+ cache describes the caching configuration that applies to all server blocks listed in the Corefile.
+ This field allows a cluster admin to optionally configure:
+ * positiveTTL which is a duration for which positive responses should be cached.
+ * negativeTTL which is a duration for which negative responses should be cached.
+ If this is not configured, OpenShift will configure positive and negative caching with a default value that is
+ subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
+ 30 seconds or as noted in the respective Corefile for your version of OpenShift.
+ properties:
+ negativeTTL:
+ description: |-
+ negativeTTL is optional and specifies the amount of time that a negative response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ positiveTTL:
+ description: |-
+ positiveTTL is optional and specifies the amount of time that a positive response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ type: object
+ logLevel:
+ default: Normal
+ description: |-
+ logLevel describes the desired logging verbosity for CoreDNS.
+ Any one of the following values may be specified:
+ * Normal logs errors from upstream resolvers.
+ * Debug logs errors, NXDOMAIN responses, and NODATA responses.
+ * Trace logs errors and all responses.
+ Setting logLevel: Trace will produce extremely verbose logs.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ managementState:
+ description: |-
+ managementState indicates whether the DNS operator should manage cluster
+ DNS
+ pattern: ^(Managed|Unmanaged|Force|Removed)$
+ type: string
+ nodePlacement:
+ description: |-
+ nodePlacement provides explicit control over the scheduling of DNS
+ pods.
+
+ Generally, it is useful to run a DNS pod on every node so that DNS
+ queries are always handled by a local DNS pod instead of going over
+ the network to a DNS pod on another node. However, security policies
+ may require restricting the placement of DNS pods to specific nodes.
+ For example, if a security policy prohibits pods on arbitrary nodes
+ from communicating with the API, a node selector can be specified to
+ restrict DNS pods to nodes that are permitted to communicate with the
+ API. Conversely, if running DNS pods on nodes with a particular
+ taint is desired, a toleration can be specified for that taint.
+
+ If unset, defaults are used. See nodePlacement for more details.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ nodeSelector is the node selector applied to DNS pods.
+
+ If empty, the default is used, which is currently the following:
+
+ kubernetes.io/os: linux
+
+ This default is subject to change.
+
+ If set, the specified selector is used and replaces the default.
+ type: object
+ tolerations:
+ description: |-
+ tolerations is a list of tolerations applied to DNS pods.
+
+ If empty, the DNS operator sets a toleration for the
+ "node-role.kubernetes.io/master" taint. This default is subject to
+ change. Specifying tolerations without including a toleration for
+ the "node-role.kubernetes.io/master" taint may be risky as it could
+ lead to an outage if all worker nodes become unavailable.
+
+ Note that the daemon controller adds some tolerations as well. See
+ https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ operatorLogLevel:
+ default: Normal
+ description: |-
+ operatorLogLevel controls the logging level of the DNS Operator.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ setting operatorLogLevel: Trace will produce extremely verbose logs.
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ servers:
+ description: |-
+ servers is a list of DNS resolvers that provide name query delegation for one or
+ more subdomains outside the scope of the cluster domain. If servers consists of
+ more than one Server, longest suffix match will be used to determine the Server.
+
+ For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
+ and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
+ "a.foo.com".
+
+ If this field is nil, no servers are created.
+ items:
+ description: Server defines the schema for a server that runs per
+ instance of CoreDNS.
+ properties:
+ forwardPlugin:
+ description: |-
+ forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
+ to upstream resolvers.
+ properties:
+ policy:
+ default: Random
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Random"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration
+ options to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the
+ referenced config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ description: |-
+ upstreams is a list of resolvers to forward name queries for subdomains of Zones.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy. Each upstream is represented
+ by an IP address or IP:port if the upstream listens on a port other than 53.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ items:
+ type: string
+ maxItems: 15
+ type: array
+ type: object
+ name:
+ description: |-
+ name is required and specifies a unique name for the server. Name must comply
+ with the Service Name Syntax of rfc6335.
+ type: string
+ zones:
+ description: |-
+ zones is required and specifies the subdomains that Server is authoritative for.
+ Zones must conform to the rfc1123 definition of a subdomain. Specifying the
+ cluster domain (i.e., "cluster.local") is invalid.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ template:
+ description: |-
+ template is an optional configuration for custom DNS query handling via the CoreDNS template plugin.
+ The template defines how to handle queries matching specific zones and query types.
+
+ The template is injected into ALL Corefile server blocks (both custom servers from spec.servers
+ and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.
+
+ AAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific
+ zones instead of "." to avoid filtering internal IPv6 service addresses (e.g., cluster.local).
+
+ When this field is not set, no template plugin configuration is added to CoreDNS.
+ properties:
+ actions:
+ description: actions defines a list of actions to apply to matching
+ queries.
+ items:
+ description: |-
+ TemplateAction defines the action taken by the template for matching queries.
+ This is a discriminated union - exactly one action type must be specified.
+ properties:
+ returnEmpty:
+ description: |-
+ returnEmpty returns an empty DNS response with the specified response code.
+ This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).
+
+ When set, the template returns a response with no answer records. For AAAA filtering,
+ this means IPv6 address queries return successfully but with no IPv6 addresses,
+ causing clients to fall back to IPv4 (A record) queries.
+ properties:
+ rcode:
+ default: NOERROR
+ description: |-
+ rcode is the DNS response code to return in the empty response.
+ Valid values are "NOERROR".
+
+ NOERROR indicates a successful query with no answer records. This is the standard
+ response for AAAA filtering - the query succeeds but returns no IPv6 addresses,
+ causing clients to fall back to A record (IPv4) queries.
+ enum:
+ - NOERROR
+ type: string
+ required:
+ - rcode
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: only returnEmpty action is supported
+ rule: has(self.returnEmpty)
+ minItems: 1
+ type: array
+ queryClass:
+ default: IN
+ description: queryClass specifies the DNS query class to match.
+ enum:
+ - IN
+ type: string
+ queryType:
+ default: AAAA
+ description: queryType specifies the DNS query type to match.
+ enum:
+ - AAAA
+ type: string
+ zones:
+ description: |-
+ zones specifies the DNS zones this template applies to.
+ Each zone must be a valid DNS name as defined in RFC 1123.
+ The special zone "." matches all domains (catch-all).
+ Multiple zones can be specified to apply the same template actions to multiple domains.
+
+ Examples:
+ - ["."] matches all domains (catch-all for global AAAA filtering)
+ - ["example.com"] matches only example.com and its subdomains
+ - ["example.com", "test.com"] matches both domains and their subdomains
+ items:
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - actions
+ - queryClass
+ - queryType
+ - zones
+ type: object
+ upstreamResolvers:
+ default: {}
+ description: |-
+ upstreamResolvers defines a schema for configuring CoreDNS
+ to proxy DNS messages to upstream resolvers for the case of the
+ default (".") server
+
+ If this field is not specified, the upstream used will default to
+ /etc/resolv.conf, with policy "sequential"
+ properties:
+ policy:
+ default: Sequential
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Sequential"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration options
+ to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ default:
+ - type: SystemResolvConf
+ description: |-
+ upstreams is a list of resolvers to forward name queries for the "." domain.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ If no Upstreams are specified, /etc/resolv.conf is used by default
+ items:
+ anyOf:
+ - not:
+ required:
+ - address
+ - port
+ properties:
+ type:
+ enum:
+ - ""
+ - SystemResolvConf
+ - optional:
+ - port
+ properties:
+ type:
+ enum:
+ - Network
+ required:
+ - address
+ description: |-
+ Upstream can either be of type SystemResolvConf, or of type Network.
+
+ - For an Upstream of type SystemResolvConf, no further fields are necessary:
+ The upstream will be configured to use /etc/resolv.conf.
+ - For an Upstream of type Network, a NetworkResolver field needs to be defined
+ with an IP address or IP:port if the upstream listens on a port other than 53.
+ properties:
+ address:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ description: |-
+ address must be defined when Type is set to Network. It will be ignored otherwise.
+ It must be a valid ipv4 or ipv6 address.
+ type: string
+ port:
+ default: 53
+ description: |-
+ port may be defined when Type is set to Network. It will be ignored otherwise.
+ Port must be between 65535
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type:
+ description: |-
+ type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
+ Type accepts 2 possible values: SystemResolvConf or Network.
+
+ * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
+ /etc/resolv.conf will be used
+ * When Network is used, the Upstream structure must contain at least an Address
+ enum:
+ - SystemResolvConf
+ - Network
+ - ""
+ type: string
+ required:
+ - type
+ type: object
+ maxItems: 15
+ type: array
+ type: object
+ type: object
+ status:
+ description: status is the most recently observed status of the DNS.
+ properties:
+ clusterDomain:
+ description: |-
+ clusterDomain is the local cluster DNS domain suffix for DNS services.
+ This will be a subdomain as defined in RFC 1034,
+ section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
+ Example: "cluster.local"
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
+ type: string
+ clusterIP:
+ description: |-
+ clusterIP is the service IP through which this DNS is made available.
+
+ In the case of the default DNS, this will be a well known IP that is used
+ as the default nameserver for pods that are using the default ClusterFirst DNS policy.
+
+ In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
+ or used explicitly when performing name resolution from within the cluster.
+ Example: dig foo.com @
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ type: string
+ conditions:
+ description: |-
+ conditions provide information about the state of the DNS on the cluster.
+
+ These are the supported DNS conditions:
+
+ * Available
+ - True if the following conditions are met:
+ * DNS controller daemonset is available.
+ - False if any of those conditions are unsatisfied.
+ items:
+ description: OperatorCondition is just the standard condition fields.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - clusterDomain
+ - clusterIP
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml
new file mode 100644
index 00000000000..1c69cb8477f
--- /dev/null
+++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml
@@ -0,0 +1,615 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/475
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: Default
+ name: dnses.operator.openshift.io
+spec:
+ group: operator.openshift.io
+ names:
+ kind: DNS
+ listKind: DNSList
+ plural: dnses
+ singular: dns
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DNS manages the CoreDNS component to provide a name resolution service
+ for pods and services in the cluster.
+
+ This supports the DNS-based service discovery specification:
+ https://github.com/kubernetes/dns/blob/master/docs/specification.md
+
+ More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec is the specification of the desired behavior of the
+ DNS.
+ properties:
+ cache:
+ description: |-
+ cache describes the caching configuration that applies to all server blocks listed in the Corefile.
+ This field allows a cluster admin to optionally configure:
+ * positiveTTL which is a duration for which positive responses should be cached.
+ * negativeTTL which is a duration for which negative responses should be cached.
+ If this is not configured, OpenShift will configure positive and negative caching with a default value that is
+ subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
+ 30 seconds or as noted in the respective Corefile for your version of OpenShift.
+ properties:
+ negativeTTL:
+ description: |-
+ negativeTTL is optional and specifies the amount of time that a negative response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ positiveTTL:
+ description: |-
+ positiveTTL is optional and specifies the amount of time that a positive response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ type: object
+ logLevel:
+ default: Normal
+ description: |-
+ logLevel describes the desired logging verbosity for CoreDNS.
+ Any one of the following values may be specified:
+ * Normal logs errors from upstream resolvers.
+ * Debug logs errors, NXDOMAIN responses, and NODATA responses.
+ * Trace logs errors and all responses.
+ Setting logLevel: Trace will produce extremely verbose logs.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ managementState:
+ description: |-
+ managementState indicates whether the DNS operator should manage cluster
+ DNS
+ pattern: ^(Managed|Unmanaged|Force|Removed)$
+ type: string
+ nodePlacement:
+ description: |-
+ nodePlacement provides explicit control over the scheduling of DNS
+ pods.
+
+ Generally, it is useful to run a DNS pod on every node so that DNS
+ queries are always handled by a local DNS pod instead of going over
+ the network to a DNS pod on another node. However, security policies
+ may require restricting the placement of DNS pods to specific nodes.
+ For example, if a security policy prohibits pods on arbitrary nodes
+ from communicating with the API, a node selector can be specified to
+ restrict DNS pods to nodes that are permitted to communicate with the
+ API. Conversely, if running DNS pods on nodes with a particular
+ taint is desired, a toleration can be specified for that taint.
+
+ If unset, defaults are used. See nodePlacement for more details.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ nodeSelector is the node selector applied to DNS pods.
+
+ If empty, the default is used, which is currently the following:
+
+ kubernetes.io/os: linux
+
+ This default is subject to change.
+
+ If set, the specified selector is used and replaces the default.
+ type: object
+ tolerations:
+ description: |-
+ tolerations is a list of tolerations applied to DNS pods.
+
+ If empty, the DNS operator sets a toleration for the
+ "node-role.kubernetes.io/master" taint. This default is subject to
+ change. Specifying tolerations without including a toleration for
+ the "node-role.kubernetes.io/master" taint may be risky as it could
+ lead to an outage if all worker nodes become unavailable.
+
+ Note that the daemon controller adds some tolerations as well. See
+ https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ operatorLogLevel:
+ default: Normal
+ description: |-
+ operatorLogLevel controls the logging level of the DNS Operator.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ setting operatorLogLevel: Trace will produce extremely verbose logs.
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ servers:
+ description: |-
+ servers is a list of DNS resolvers that provide name query delegation for one or
+ more subdomains outside the scope of the cluster domain. If servers consists of
+ more than one Server, longest suffix match will be used to determine the Server.
+
+ For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
+ and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
+ "a.foo.com".
+
+ If this field is nil, no servers are created.
+ items:
+ description: Server defines the schema for a server that runs per
+ instance of CoreDNS.
+ properties:
+ forwardPlugin:
+ description: |-
+ forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
+ to upstream resolvers.
+ properties:
+ policy:
+ default: Random
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Random"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration
+ options to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the
+ referenced config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ description: |-
+ upstreams is a list of resolvers to forward name queries for subdomains of Zones.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy. Each upstream is represented
+ by an IP address or IP:port if the upstream listens on a port other than 53.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ items:
+ type: string
+ maxItems: 15
+ type: array
+ type: object
+ name:
+ description: |-
+ name is required and specifies a unique name for the server. Name must comply
+ with the Service Name Syntax of rfc6335.
+ type: string
+ zones:
+ description: |-
+ zones is required and specifies the subdomains that Server is authoritative for.
+ Zones must conform to the rfc1123 definition of a subdomain. Specifying the
+ cluster domain (i.e., "cluster.local") is invalid.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ upstreamResolvers:
+ default: {}
+ description: |-
+ upstreamResolvers defines a schema for configuring CoreDNS
+ to proxy DNS messages to upstream resolvers for the case of the
+ default (".") server
+
+ If this field is not specified, the upstream used will default to
+ /etc/resolv.conf, with policy "sequential"
+ properties:
+ policy:
+ default: Sequential
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Sequential"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration options
+ to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ default:
+ - type: SystemResolvConf
+ description: |-
+ upstreams is a list of resolvers to forward name queries for the "." domain.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ If no Upstreams are specified, /etc/resolv.conf is used by default
+ items:
+ anyOf:
+ - not:
+ required:
+ - address
+ - port
+ properties:
+ type:
+ enum:
+ - ""
+ - SystemResolvConf
+ - optional:
+ - port
+ properties:
+ type:
+ enum:
+ - Network
+ required:
+ - address
+ description: |-
+ Upstream can either be of type SystemResolvConf, or of type Network.
+
+ - For an Upstream of type SystemResolvConf, no further fields are necessary:
+ The upstream will be configured to use /etc/resolv.conf.
+ - For an Upstream of type Network, a NetworkResolver field needs to be defined
+ with an IP address or IP:port if the upstream listens on a port other than 53.
+ properties:
+ address:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ description: |-
+ address must be defined when Type is set to Network. It will be ignored otherwise.
+ It must be a valid ipv4 or ipv6 address.
+ type: string
+ port:
+ default: 53
+ description: |-
+ port may be defined when Type is set to Network. It will be ignored otherwise.
+ Port must be between 65535
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type:
+ description: |-
+ type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
+ Type accepts 2 possible values: SystemResolvConf or Network.
+
+ * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
+ /etc/resolv.conf will be used
+ * When Network is used, the Upstream structure must contain at least an Address
+ enum:
+ - SystemResolvConf
+ - Network
+ - ""
+ type: string
+ required:
+ - type
+ type: object
+ maxItems: 15
+ type: array
+ type: object
+ type: object
+ status:
+ description: status is the most recently observed status of the DNS.
+ properties:
+ clusterDomain:
+ description: |-
+ clusterDomain is the local cluster DNS domain suffix for DNS services.
+ This will be a subdomain as defined in RFC 1034,
+ section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
+ Example: "cluster.local"
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
+ type: string
+ clusterIP:
+ description: |-
+ clusterIP is the service IP through which this DNS is made available.
+
+ In the case of the default DNS, this will be a well known IP that is used
+ as the default nameserver for pods that are using the default ClusterFirst DNS policy.
+
+ In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
+ or used explicitly when performing name resolution from within the cluster.
+ Example: dig foo.com @
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ type: string
+ conditions:
+ description: |-
+ conditions provide information about the state of the DNS on the cluster.
+
+ These are the supported DNS conditions:
+
+ * Available
+ - True if the following conditions are met:
+ * DNS controller daemonset is available.
+ - False if any of those conditions are unsatisfied.
+ items:
+ description: OperatorCondition is just the standard condition fields.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - clusterDomain
+ - clusterIP
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..e1ea8c950b7
--- /dev/null
+++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,699 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/475
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: DevPreviewNoUpgrade
+ name: dnses.operator.openshift.io
+spec:
+ group: operator.openshift.io
+ names:
+ kind: DNS
+ listKind: DNSList
+ plural: dnses
+ singular: dns
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DNS manages the CoreDNS component to provide a name resolution service
+ for pods and services in the cluster.
+
+ This supports the DNS-based service discovery specification:
+ https://github.com/kubernetes/dns/blob/master/docs/specification.md
+
+ More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec is the specification of the desired behavior of the
+ DNS.
+ properties:
+ cache:
+ description: |-
+ cache describes the caching configuration that applies to all server blocks listed in the Corefile.
+ This field allows a cluster admin to optionally configure:
+ * positiveTTL which is a duration for which positive responses should be cached.
+ * negativeTTL which is a duration for which negative responses should be cached.
+ If this is not configured, OpenShift will configure positive and negative caching with a default value that is
+ subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
+ 30 seconds or as noted in the respective Corefile for your version of OpenShift.
+ properties:
+ negativeTTL:
+ description: |-
+ negativeTTL is optional and specifies the amount of time that a negative response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ positiveTTL:
+ description: |-
+ positiveTTL is optional and specifies the amount of time that a positive response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ type: object
+ logLevel:
+ default: Normal
+ description: |-
+ logLevel describes the desired logging verbosity for CoreDNS.
+ Any one of the following values may be specified:
+ * Normal logs errors from upstream resolvers.
+ * Debug logs errors, NXDOMAIN responses, and NODATA responses.
+ * Trace logs errors and all responses.
+ Setting logLevel: Trace will produce extremely verbose logs.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ managementState:
+ description: |-
+ managementState indicates whether the DNS operator should manage cluster
+ DNS
+ pattern: ^(Managed|Unmanaged|Force|Removed)$
+ type: string
+ nodePlacement:
+ description: |-
+ nodePlacement provides explicit control over the scheduling of DNS
+ pods.
+
+ Generally, it is useful to run a DNS pod on every node so that DNS
+ queries are always handled by a local DNS pod instead of going over
+ the network to a DNS pod on another node. However, security policies
+ may require restricting the placement of DNS pods to specific nodes.
+ For example, if a security policy prohibits pods on arbitrary nodes
+ from communicating with the API, a node selector can be specified to
+ restrict DNS pods to nodes that are permitted to communicate with the
+ API. Conversely, if running DNS pods on nodes with a particular
+ taint is desired, a toleration can be specified for that taint.
+
+ If unset, defaults are used. See nodePlacement for more details.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ nodeSelector is the node selector applied to DNS pods.
+
+ If empty, the default is used, which is currently the following:
+
+ kubernetes.io/os: linux
+
+ This default is subject to change.
+
+ If set, the specified selector is used and replaces the default.
+ type: object
+ tolerations:
+ description: |-
+ tolerations is a list of tolerations applied to DNS pods.
+
+ If empty, the DNS operator sets a toleration for the
+ "node-role.kubernetes.io/master" taint. This default is subject to
+ change. Specifying tolerations without including a toleration for
+ the "node-role.kubernetes.io/master" taint may be risky as it could
+ lead to an outage if all worker nodes become unavailable.
+
+ Note that the daemon controller adds some tolerations as well. See
+ https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ operatorLogLevel:
+ default: Normal
+ description: |-
+ operatorLogLevel controls the logging level of the DNS Operator.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ setting operatorLogLevel: Trace will produce extremely verbose logs.
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ servers:
+ description: |-
+ servers is a list of DNS resolvers that provide name query delegation for one or
+ more subdomains outside the scope of the cluster domain. If servers consists of
+ more than one Server, longest suffix match will be used to determine the Server.
+
+ For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
+ and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
+ "a.foo.com".
+
+ If this field is nil, no servers are created.
+ items:
+ description: Server defines the schema for a server that runs per
+ instance of CoreDNS.
+ properties:
+ forwardPlugin:
+ description: |-
+ forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
+ to upstream resolvers.
+ properties:
+ policy:
+ default: Random
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Random"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration
+ options to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the
+ referenced config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ description: |-
+ upstreams is a list of resolvers to forward name queries for subdomains of Zones.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy. Each upstream is represented
+ by an IP address or IP:port if the upstream listens on a port other than 53.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ items:
+ type: string
+ maxItems: 15
+ type: array
+ type: object
+ name:
+ description: |-
+ name is required and specifies a unique name for the server. Name must comply
+ with the Service Name Syntax of rfc6335.
+ type: string
+ zones:
+ description: |-
+ zones is required and specifies the subdomains that Server is authoritative for.
+ Zones must conform to the rfc1123 definition of a subdomain. Specifying the
+ cluster domain (i.e., "cluster.local") is invalid.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ template:
+ description: |-
+ template is an optional configuration for custom DNS query handling via the CoreDNS template plugin.
+ The template defines how to handle queries matching specific zones and query types.
+
+ The template is injected into ALL Corefile server blocks (both custom servers from spec.servers
+ and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.
+
+ AAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific
+ zones instead of "." to avoid filtering internal IPv6 service addresses (e.g., cluster.local).
+
+ When this field is not set, no template plugin configuration is added to CoreDNS.
+ properties:
+ actions:
+ description: actions defines a list of actions to apply to matching
+ queries.
+ items:
+ description: |-
+ TemplateAction defines the action taken by the template for matching queries.
+ This is a discriminated union - exactly one action type must be specified.
+ properties:
+ returnEmpty:
+ description: |-
+ returnEmpty returns an empty DNS response with the specified response code.
+ This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).
+
+ When set, the template returns a response with no answer records. For AAAA filtering,
+ this means IPv6 address queries return successfully but with no IPv6 addresses,
+ causing clients to fall back to IPv4 (A record) queries.
+ properties:
+ rcode:
+ default: NOERROR
+ description: |-
+ rcode is the DNS response code to return in the empty response.
+ Valid values are "NOERROR".
+
+ NOERROR indicates a successful query with no answer records. This is the standard
+ response for AAAA filtering - the query succeeds but returns no IPv6 addresses,
+ causing clients to fall back to A record (IPv4) queries.
+ enum:
+ - NOERROR
+ type: string
+ required:
+ - rcode
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: only returnEmpty action is supported
+ rule: has(self.returnEmpty)
+ minItems: 1
+ type: array
+ queryClass:
+ default: IN
+ description: queryClass specifies the DNS query class to match.
+ enum:
+ - IN
+ type: string
+ queryType:
+ default: AAAA
+ description: queryType specifies the DNS query type to match.
+ enum:
+ - AAAA
+ type: string
+ zones:
+ description: |-
+ zones specifies the DNS zones this template applies to.
+ Each zone must be a valid DNS name as defined in RFC 1123.
+ The special zone "." matches all domains (catch-all).
+ Multiple zones can be specified to apply the same template actions to multiple domains.
+
+ Examples:
+ - ["."] matches all domains (catch-all for global AAAA filtering)
+ - ["example.com"] matches only example.com and its subdomains
+ - ["example.com", "test.com"] matches both domains and their subdomains
+ items:
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - actions
+ - queryClass
+ - queryType
+ - zones
+ type: object
+ upstreamResolvers:
+ default: {}
+ description: |-
+ upstreamResolvers defines a schema for configuring CoreDNS
+ to proxy DNS messages to upstream resolvers for the case of the
+ default (".") server
+
+ If this field is not specified, the upstream used will default to
+ /etc/resolv.conf, with policy "sequential"
+ properties:
+ policy:
+ default: Sequential
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Sequential"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration options
+ to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ default:
+ - type: SystemResolvConf
+ description: |-
+ upstreams is a list of resolvers to forward name queries for the "." domain.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ If no Upstreams are specified, /etc/resolv.conf is used by default
+ items:
+ anyOf:
+ - not:
+ required:
+ - address
+ - port
+ properties:
+ type:
+ enum:
+ - ""
+ - SystemResolvConf
+ - optional:
+ - port
+ properties:
+ type:
+ enum:
+ - Network
+ required:
+ - address
+ description: |-
+ Upstream can either be of type SystemResolvConf, or of type Network.
+
+ - For an Upstream of type SystemResolvConf, no further fields are necessary:
+ The upstream will be configured to use /etc/resolv.conf.
+ - For an Upstream of type Network, a NetworkResolver field needs to be defined
+ with an IP address or IP:port if the upstream listens on a port other than 53.
+ properties:
+ address:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ description: |-
+ address must be defined when Type is set to Network. It will be ignored otherwise.
+ It must be a valid ipv4 or ipv6 address.
+ type: string
+ port:
+ default: 53
+ description: |-
+ port may be defined when Type is set to Network. It will be ignored otherwise.
+ Port must be between 65535
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type:
+ description: |-
+ type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
+ Type accepts 2 possible values: SystemResolvConf or Network.
+
+ * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
+ /etc/resolv.conf will be used
+ * When Network is used, the Upstream structure must contain at least an Address
+ enum:
+ - SystemResolvConf
+ - Network
+ - ""
+ type: string
+ required:
+ - type
+ type: object
+ maxItems: 15
+ type: array
+ type: object
+ type: object
+ status:
+ description: status is the most recently observed status of the DNS.
+ properties:
+ clusterDomain:
+ description: |-
+ clusterDomain is the local cluster DNS domain suffix for DNS services.
+ This will be a subdomain as defined in RFC 1034,
+ section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
+ Example: "cluster.local"
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
+ type: string
+ clusterIP:
+ description: |-
+ clusterIP is the service IP through which this DNS is made available.
+
+ In the case of the default DNS, this will be a well known IP that is used
+ as the default nameserver for pods that are using the default ClusterFirst DNS policy.
+
+ In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
+ or used explicitly when performing name resolution from within the cluster.
+ Example: dig foo.com @
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ type: string
+ conditions:
+ description: |-
+ conditions provide information about the state of the DNS on the cluster.
+
+ These are the supported DNS conditions:
+
+ * Available
+ - True if the following conditions are met:
+ * DNS controller daemonset is available.
+ - False if any of those conditions are unsatisfied.
+ items:
+ description: OperatorCondition is just the standard condition fields.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - clusterDomain
+ - clusterIP
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml
similarity index 99%
rename from operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml
rename to operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml
index 946f6aaade2..17dae12019e 100644
--- a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml
+++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml
@@ -6,6 +6,7 @@ metadata:
api.openshift.io/merged-by-featuregates: "true"
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: OKD
name: dnses.operator.openshift.io
spec:
group: operator.openshift.io
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..02a01399c36
--- /dev/null
+++ b/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,615 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/475
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: TechPreviewNoUpgrade
+ name: dnses.operator.openshift.io
+spec:
+ group: operator.openshift.io
+ names:
+ kind: DNS
+ listKind: DNSList
+ plural: dnses
+ singular: dns
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DNS manages the CoreDNS component to provide a name resolution service
+ for pods and services in the cluster.
+
+ This supports the DNS-based service discovery specification:
+ https://github.com/kubernetes/dns/blob/master/docs/specification.md
+
+ More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec is the specification of the desired behavior of the
+ DNS.
+ properties:
+ cache:
+ description: |-
+ cache describes the caching configuration that applies to all server blocks listed in the Corefile.
+ This field allows a cluster admin to optionally configure:
+ * positiveTTL which is a duration for which positive responses should be cached.
+ * negativeTTL which is a duration for which negative responses should be cached.
+ If this is not configured, OpenShift will configure positive and negative caching with a default value that is
+ subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
+ 30 seconds or as noted in the respective Corefile for your version of OpenShift.
+ properties:
+ negativeTTL:
+ description: |-
+ negativeTTL is optional and specifies the amount of time that a negative response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ positiveTTL:
+ description: |-
+ positiveTTL is optional and specifies the amount of time that a positive response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ type: object
+ logLevel:
+ default: Normal
+ description: |-
+ logLevel describes the desired logging verbosity for CoreDNS.
+ Any one of the following values may be specified:
+ * Normal logs errors from upstream resolvers.
+ * Debug logs errors, NXDOMAIN responses, and NODATA responses.
+ * Trace logs errors and all responses.
+ Setting logLevel: Trace will produce extremely verbose logs.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ managementState:
+ description: |-
+ managementState indicates whether the DNS operator should manage cluster
+ DNS
+ pattern: ^(Managed|Unmanaged|Force|Removed)$
+ type: string
+ nodePlacement:
+ description: |-
+ nodePlacement provides explicit control over the scheduling of DNS
+ pods.
+
+ Generally, it is useful to run a DNS pod on every node so that DNS
+ queries are always handled by a local DNS pod instead of going over
+ the network to a DNS pod on another node. However, security policies
+ may require restricting the placement of DNS pods to specific nodes.
+ For example, if a security policy prohibits pods on arbitrary nodes
+ from communicating with the API, a node selector can be specified to
+ restrict DNS pods to nodes that are permitted to communicate with the
+ API. Conversely, if running DNS pods on nodes with a particular
+ taint is desired, a toleration can be specified for that taint.
+
+ If unset, defaults are used. See nodePlacement for more details.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ nodeSelector is the node selector applied to DNS pods.
+
+ If empty, the default is used, which is currently the following:
+
+ kubernetes.io/os: linux
+
+ This default is subject to change.
+
+ If set, the specified selector is used and replaces the default.
+ type: object
+ tolerations:
+ description: |-
+ tolerations is a list of tolerations applied to DNS pods.
+
+ If empty, the DNS operator sets a toleration for the
+ "node-role.kubernetes.io/master" taint. This default is subject to
+ change. Specifying tolerations without including a toleration for
+ the "node-role.kubernetes.io/master" taint may be risky as it could
+ lead to an outage if all worker nodes become unavailable.
+
+ Note that the daemon controller adds some tolerations as well. See
+ https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ operatorLogLevel:
+ default: Normal
+ description: |-
+ operatorLogLevel controls the logging level of the DNS Operator.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ setting operatorLogLevel: Trace will produce extremely verbose logs.
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ servers:
+ description: |-
+ servers is a list of DNS resolvers that provide name query delegation for one or
+ more subdomains outside the scope of the cluster domain. If servers consists of
+ more than one Server, longest suffix match will be used to determine the Server.
+
+ For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
+ and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
+ "a.foo.com".
+
+ If this field is nil, no servers are created.
+ items:
+ description: Server defines the schema for a server that runs per
+ instance of CoreDNS.
+ properties:
+ forwardPlugin:
+ description: |-
+ forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
+ to upstream resolvers.
+ properties:
+ policy:
+ default: Random
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Random"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration
+ options to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the
+ referenced config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ description: |-
+ upstreams is a list of resolvers to forward name queries for subdomains of Zones.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy. Each upstream is represented
+ by an IP address or IP:port if the upstream listens on a port other than 53.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ items:
+ type: string
+ maxItems: 15
+ type: array
+ type: object
+ name:
+ description: |-
+ name is required and specifies a unique name for the server. Name must comply
+ with the Service Name Syntax of rfc6335.
+ type: string
+ zones:
+ description: |-
+ zones is required and specifies the subdomains that Server is authoritative for.
+ Zones must conform to the rfc1123 definition of a subdomain. Specifying the
+ cluster domain (i.e., "cluster.local") is invalid.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ upstreamResolvers:
+ default: {}
+ description: |-
+ upstreamResolvers defines a schema for configuring CoreDNS
+ to proxy DNS messages to upstream resolvers for the case of the
+ default (".") server
+
+ If this field is not specified, the upstream used will default to
+ /etc/resolv.conf, with policy "sequential"
+ properties:
+ policy:
+ default: Sequential
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Sequential"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration options
+ to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ default:
+ - type: SystemResolvConf
+ description: |-
+ upstreams is a list of resolvers to forward name queries for the "." domain.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ If no Upstreams are specified, /etc/resolv.conf is used by default
+ items:
+ anyOf:
+ - not:
+ required:
+ - address
+ - port
+ properties:
+ type:
+ enum:
+ - ""
+ - SystemResolvConf
+ - optional:
+ - port
+ properties:
+ type:
+ enum:
+ - Network
+ required:
+ - address
+ description: |-
+ Upstream can either be of type SystemResolvConf, or of type Network.
+
+ - For an Upstream of type SystemResolvConf, no further fields are necessary:
+ The upstream will be configured to use /etc/resolv.conf.
+ - For an Upstream of type Network, a NetworkResolver field needs to be defined
+ with an IP address or IP:port if the upstream listens on a port other than 53.
+ properties:
+ address:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ description: |-
+ address must be defined when Type is set to Network. It will be ignored otherwise.
+ It must be a valid ipv4 or ipv6 address.
+ type: string
+ port:
+ default: 53
+ description: |-
+ port may be defined when Type is set to Network. It will be ignored otherwise.
+ Port must be between 65535
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type:
+ description: |-
+ type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
+ Type accepts 2 possible values: SystemResolvConf or Network.
+
+ * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
+ /etc/resolv.conf will be used
+ * When Network is used, the Upstream structure must contain at least an Address
+ enum:
+ - SystemResolvConf
+ - Network
+ - ""
+ type: string
+ required:
+ - type
+ type: object
+ maxItems: 15
+ type: array
+ type: object
+ type: object
+ status:
+ description: status is the most recently observed status of the DNS.
+ properties:
+ clusterDomain:
+ description: |-
+ clusterDomain is the local cluster DNS domain suffix for DNS services.
+ This will be a subdomain as defined in RFC 1034,
+ section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
+ Example: "cluster.local"
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
+ type: string
+ clusterIP:
+ description: |-
+ clusterIP is the service IP through which this DNS is made available.
+
+ In the case of the default DNS, this will be a well known IP that is used
+ as the default nameserver for pods that are using the default ClusterFirst DNS policy.
+
+ In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
+ or used explicitly when performing name resolution from within the cluster.
+ Example: dig foo.com @
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ type: string
+ conditions:
+ description: |-
+ conditions provide information about the state of the DNS on the cluster.
+
+ These are the supported DNS conditions:
+
+ * Available
+ - True if the following conditions are met:
+ * DNS controller daemonset is available.
+ - False if any of those conditions are unsatisfied.
+ items:
+ description: OperatorCondition is just the standard condition fields.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - clusterDomain
+ - clusterIP
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go
index 3bc6b81de46..77010b4163c 100644
--- a/operator/v1/zz_generated.deepcopy.go
+++ b/operator/v1/zz_generated.deepcopy.go
@@ -1303,6 +1303,11 @@ func (in *DNSSpec) DeepCopyInto(out *DNSSpec) {
in.UpstreamResolvers.DeepCopyInto(&out.UpstreamResolvers)
in.NodePlacement.DeepCopyInto(&out.NodePlacement)
out.Cache = in.Cache
+ if in.Template != nil {
+ in, out := &in.Template, &out.Template
+ *out = new(Template)
+ (*in).DeepCopyInto(*out)
+ }
return
}
@@ -4798,6 +4803,22 @@ func (in *RestartService) DeepCopy() *RestartService {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReturnEmptyAction) DeepCopyInto(out *ReturnEmptyAction) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReturnEmptyAction.
+func (in *ReturnEmptyAction) DeepCopy() *ReturnEmptyAction {
+ if in == nil {
+ return nil
+ }
+ out := new(ReturnEmptyAction)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RouteAdmissionPolicy) DeepCopyInto(out *RouteAdmissionPolicy) {
*out = *in
@@ -5440,6 +5461,55 @@ func (in *SyslogLoggingDestinationParameters) DeepCopy() *SyslogLoggingDestinati
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Template) DeepCopyInto(out *Template) {
+ *out = *in
+ if in.Zones != nil {
+ in, out := &in.Zones, &out.Zones
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Actions != nil {
+ in, out := &in.Actions, &out.Actions
+ *out = make([]TemplateAction, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Template.
+func (in *Template) DeepCopy() *Template {
+ if in == nil {
+ return nil
+ }
+ out := new(Template)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateAction) DeepCopyInto(out *TemplateAction) {
+ *out = *in
+ if in.ReturnEmpty != nil {
+ in, out := &in.ReturnEmpty, &out.ReturnEmpty
+ *out = new(ReturnEmptyAction)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateAction.
+func (in *TemplateAction) DeepCopy() *TemplateAction {
+ if in == nil {
+ return nil
+ }
+ out := new(TemplateAction)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Theme) DeepCopyInto(out *Theme) {
*out = *in
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/operator/v1/zz_generated.featuregated-crd-manifests.yaml
index 51a758804d6..f969eea0038 100644
--- a/operator/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -132,7 +132,8 @@ dnses.operator.openshift.io:
CRDName: dnses.operator.openshift.io
Capability: ""
Category: ""
- FeatureGates: []
+ FeatureGates:
+ - DNSTemplatePlugin
FilenameOperatorName: dns
FilenameOperatorOrdering: "00"
FilenameRunLevel: "0000_70"
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml
new file mode 100644
index 00000000000..c74463794fe
--- /dev/null
+++ b/operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml
@@ -0,0 +1,677 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/475
+ api.openshift.io/filename-cvo-runlevel: "0000_70"
+ api.openshift.io/filename-operator: dns
+ api.openshift.io/filename-ordering: "00"
+ feature-gate.release.openshift.io/DNSTemplatePlugin: "true"
+ name: dnses.operator.openshift.io
+spec:
+ group: operator.openshift.io
+ names:
+ kind: DNS
+ listKind: DNSList
+ plural: dnses
+ singular: dns
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DNS manages the CoreDNS component to provide a name resolution service
+ for pods and services in the cluster.
+
+ This supports the DNS-based service discovery specification:
+ https://github.com/kubernetes/dns/blob/master/docs/specification.md
+
+ More details: https://kubernetes.io/docs/tasks/administer-cluster/coredns
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec is the specification of the desired behavior of the
+ DNS.
+ properties:
+ cache:
+ description: |-
+ cache describes the caching configuration that applies to all server blocks listed in the Corefile.
+ This field allows a cluster admin to optionally configure:
+ * positiveTTL which is a duration for which positive responses should be cached.
+ * negativeTTL which is a duration for which negative responses should be cached.
+ If this is not configured, OpenShift will configure positive and negative caching with a default value that is
+ subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is
+ 30 seconds or as noted in the respective Corefile for your version of OpenShift.
+ properties:
+ negativeTTL:
+ description: |-
+ negativeTTL is optional and specifies the amount of time that a negative response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 30 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 30 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ positiveTTL:
+ description: |-
+ positiveTTL is optional and specifies the amount of time that a positive response should be cached.
+
+ If configured, it must be a value of 1s (1 second) or greater up to a theoretical maximum of several years. This
+ field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix,
+ e.g. "100s", "1m30s", "12h30m10s". Values that are fractions of a second are rounded down to the nearest second.
+ If the configured value is less than 1s, the default value will be used.
+ If not configured, the value will be 0s and OpenShift will use a default value of 900 seconds unless noted
+ otherwise in the respective Corefile for your version of OpenShift. The default value of 900 seconds is subject
+ to change.
+ pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+ type: string
+ type: object
+ logLevel:
+ default: Normal
+ description: |-
+ logLevel describes the desired logging verbosity for CoreDNS.
+ Any one of the following values may be specified:
+ * Normal logs errors from upstream resolvers.
+ * Debug logs errors, NXDOMAIN responses, and NODATA responses.
+ * Trace logs errors and all responses.
+ Setting logLevel: Trace will produce extremely verbose logs.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ managementState:
+ description: |-
+ managementState indicates whether the DNS operator should manage cluster
+ DNS
+ pattern: ^(Managed|Unmanaged|Force|Removed)$
+ type: string
+ nodePlacement:
+ description: |-
+ nodePlacement provides explicit control over the scheduling of DNS
+ pods.
+
+ Generally, it is useful to run a DNS pod on every node so that DNS
+ queries are always handled by a local DNS pod instead of going over
+ the network to a DNS pod on another node. However, security policies
+ may require restricting the placement of DNS pods to specific nodes.
+ For example, if a security policy prohibits pods on arbitrary nodes
+ from communicating with the API, a node selector can be specified to
+ restrict DNS pods to nodes that are permitted to communicate with the
+ API. Conversely, if running DNS pods on nodes with a particular
+ taint is desired, a toleration can be specified for that taint.
+
+ If unset, defaults are used. See nodePlacement for more details.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ nodeSelector is the node selector applied to DNS pods.
+
+ If empty, the default is used, which is currently the following:
+
+ kubernetes.io/os: linux
+
+ This default is subject to change.
+
+ If set, the specified selector is used and replaces the default.
+ type: object
+ tolerations:
+ description: |-
+ tolerations is a list of tolerations applied to DNS pods.
+
+ If empty, the DNS operator sets a toleration for the
+ "node-role.kubernetes.io/master" taint. This default is subject to
+ change. Specifying tolerations without including a toleration for
+ the "node-role.kubernetes.io/master" taint may be risky as it could
+ lead to an outage if all worker nodes become unavailable.
+
+ Note that the daemon controller adds some tolerations as well. See
+ https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ operatorLogLevel:
+ default: Normal
+ description: |-
+ operatorLogLevel controls the logging level of the DNS Operator.
+ Valid values are: "Normal", "Debug", "Trace".
+ Defaults to "Normal".
+ setting operatorLogLevel: Trace will produce extremely verbose logs.
+ enum:
+ - Normal
+ - Debug
+ - Trace
+ type: string
+ servers:
+ description: |-
+ servers is a list of DNS resolvers that provide name query delegation for one or
+ more subdomains outside the scope of the cluster domain. If servers consists of
+ more than one Server, longest suffix match will be used to determine the Server.
+
+ For example, if there are two Servers, one for "foo.com" and another for "a.foo.com",
+ and the name query is for "www.a.foo.com", it will be routed to the Server with Zone
+ "a.foo.com".
+
+ If this field is nil, no servers are created.
+ items:
+ description: Server defines the schema for a server that runs per
+ instance of CoreDNS.
+ properties:
+ forwardPlugin:
+ description: |-
+ forwardPlugin defines a schema for configuring CoreDNS to proxy DNS messages
+ to upstream resolvers.
+ properties:
+ policy:
+ default: Random
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Random"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration
+ options to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the
+ referenced config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ description: |-
+ upstreams is a list of resolvers to forward name queries for subdomains of Zones.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy. Each upstream is represented
+ by an IP address or IP:port if the upstream listens on a port other than 53.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ items:
+ type: string
+ maxItems: 15
+ type: array
+ type: object
+ name:
+ description: |-
+ name is required and specifies a unique name for the server. Name must comply
+ with the Service Name Syntax of rfc6335.
+ type: string
+ zones:
+ description: |-
+ zones is required and specifies the subdomains that Server is authoritative for.
+ Zones must conform to the rfc1123 definition of a subdomain. Specifying the
+ cluster domain (i.e., "cluster.local") is invalid.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ template:
+ description: |-
+ template is an optional configuration for custom DNS query handling via the CoreDNS template plugin.
+ The template defines how to handle queries matching specific zones and query types.
+
+ The template is injected into ALL Corefile server blocks (both custom servers from spec.servers
+ and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.
+
+ AAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific
+ zones instead of "." to avoid filtering internal IPv6 service addresses (e.g., cluster.local).
+
+ When this field is not set, no template plugin configuration is added to CoreDNS.
+ properties:
+ actions:
+ description: actions defines a list of actions to apply to matching
+ queries.
+ items:
+ description: |-
+ TemplateAction defines the action taken by the template for matching queries.
+ This is a discriminated union - exactly one action type must be specified.
+ properties:
+ returnEmpty:
+ description: |-
+ returnEmpty returns an empty DNS response with the specified response code.
+ This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).
+
+ When set, the template returns a response with no answer records. For AAAA filtering,
+ this means IPv6 address queries return successfully but with no IPv6 addresses,
+ causing clients to fall back to IPv4 (A record) queries.
+ properties:
+ rcode:
+ default: NOERROR
+ description: |-
+ rcode is the DNS response code to return in the empty response.
+ Valid values are "NOERROR".
+
+ NOERROR indicates a successful query with no answer records. This is the standard
+ response for AAAA filtering - the query succeeds but returns no IPv6 addresses,
+ causing clients to fall back to A record (IPv4) queries.
+ enum:
+ - NOERROR
+ type: string
+ required:
+ - rcode
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: only returnEmpty action is supported
+ rule: has(self.returnEmpty)
+ minItems: 1
+ type: array
+ queryClass:
+ default: IN
+ description: queryClass specifies the DNS query class to match.
+ enum:
+ - IN
+ type: string
+ queryType:
+ default: AAAA
+ description: queryType specifies the DNS query type to match.
+ enum:
+ - AAAA
+ type: string
+ zones:
+ description: |-
+ zones specifies the DNS zones this template applies to.
+ Each zone must be a valid DNS name as defined in RFC 1123.
+ The special zone "." matches all domains (catch-all).
+ Multiple zones can be specified to apply the same template actions to multiple domains.
+
+ Examples:
+ - ["."] matches all domains (catch-all for global AAAA filtering)
+ - ["example.com"] matches only example.com and its subdomains
+ - ["example.com", "test.com"] matches both domains and their subdomains
+ items:
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - actions
+ - queryClass
+ - queryType
+ - zones
+ type: object
+ upstreamResolvers:
+ description: |-
+ upstreamResolvers defines a schema for configuring CoreDNS
+ to proxy DNS messages to upstream resolvers for the case of the
+ default (".") server
+
+ If this field is not specified, the upstream used will default to
+ /etc/resolv.conf, with policy "sequential"
+ properties:
+ policy:
+ default: Sequential
+ description: |-
+ policy is used to determine the order in which upstream servers are selected for querying.
+ Any one of the following values may be specified:
+
+ * "Random" picks a random upstream server for each query.
+ * "RoundRobin" picks upstream servers in a round-robin order, moving to the next server for each new query.
+ * "Sequential" tries querying upstream servers in a sequential order until one responds, starting with the first server for each new query.
+
+ The default value is "Sequential"
+ enum:
+ - Random
+ - RoundRobin
+ - Sequential
+ type: string
+ protocolStrategy:
+ description: |-
+ protocolStrategy specifies the protocol to use for upstream DNS
+ requests.
+ Valid values for protocolStrategy are "TCP" and omitted.
+ When omitted, this means no opinion and the platform is left to choose
+ a reasonable default, which is subject to change over time.
+ The current default is to use the protocol of the original client request.
+ "TCP" specifies that the platform should use TCP for all upstream DNS requests,
+ even if the client request uses UDP.
+ "TCP" is useful for UDP-specific issues such as those created by
+ non-compliant upstream resolvers, but may consume more bandwidth or
+ increase DNS response time. Note that protocolStrategy only affects
+ the protocol of DNS requests that CoreDNS makes to upstream resolvers.
+ It does not affect the protocol of DNS requests between clients and
+ CoreDNS.
+ enum:
+ - TCP
+ - ""
+ type: string
+ transportConfig:
+ description: |-
+ transportConfig is used to configure the transport type, server name, and optional custom CA or CA bundle to use
+ when forwarding DNS requests to an upstream resolver.
+
+ The default value is "" (empty) which results in a standard cleartext connection being used when forwarding DNS
+ requests to an upstream resolver.
+ properties:
+ tls:
+ description: tls contains the additional configuration options
+ to use when Transport is set to "TLS".
+ properties:
+ caBundle:
+ description: |-
+ caBundle references a ConfigMap that must contain either a single
+ CA Certificate or a CA Bundle. This allows cluster administrators to provide their
+ own CA or CA bundle for validating the certificate of upstream resolvers.
+
+ 1. The configmap must contain a `ca-bundle.crt` key.
+ 2. The value must be a PEM encoded CA certificate or CA bundle.
+ 3. The administrator must create this configmap in the openshift-config namespace.
+ 4. The upstream server certificate must contain a Subject Alternative Name (SAN) that matches ServerName.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ config map
+ type: string
+ required:
+ - name
+ type: object
+ serverName:
+ description: |-
+ serverName is the upstream server to connect to when forwarding DNS queries. This is required when Transport is
+ set to "TLS". ServerName will be validated against the DNS naming conventions in RFC 1123 and should match the
+ TLS certificate installed in the upstream resolver(s).
+ maxLength: 253
+ pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$
+ type: string
+ required:
+ - serverName
+ type: object
+ transport:
+ description: |-
+ transport allows cluster administrators to opt-in to using a DNS-over-TLS
+ connection between cluster DNS and an upstream resolver(s). Configuring
+ TLS as the transport at this level without configuring a CABundle will
+ result in the system certificates being used to verify the serving
+ certificate of the upstream resolver(s).
+
+ Possible values:
+ "" (empty) - This means no explicit choice has been made and the platform chooses the default which is subject
+ to change over time. The current default is "Cleartext".
+ "Cleartext" - Cluster admin specified cleartext option. This results in the same functionality
+ as an empty value but may be useful when a cluster admin wants to be more explicit about the transport,
+ or wants to switch from "TLS" to "Cleartext" explicitly.
+ "TLS" - This indicates that DNS queries should be sent over a TLS connection. If Transport is set to TLS,
+ you MUST also set ServerName. If a port is not included with the upstream IP, port 853 will be tried by default
+ per RFC 7858 section 3.1; https://datatracker.ietf.org/doc/html/rfc7858#section-3.1.
+ enum:
+ - TLS
+ - Cleartext
+ - ""
+ type: string
+ type: object
+ upstreams:
+ default:
+ - type: SystemResolvConf
+ description: |-
+ upstreams is a list of resolvers to forward name queries for the "." domain.
+ Each instance of CoreDNS performs health checking of Upstreams. When a healthy upstream
+ returns an error during the exchange, another resolver is tried from Upstreams. The
+ Upstreams are selected in the order specified in Policy.
+
+ A maximum of 15 upstreams is allowed per ForwardPlugin.
+ If no Upstreams are specified, /etc/resolv.conf is used by default
+ items:
+ description: |-
+ Upstream can either be of type SystemResolvConf, or of type Network.
+
+ - For an Upstream of type SystemResolvConf, no further fields are necessary:
+ The upstream will be configured to use /etc/resolv.conf.
+ - For an Upstream of type Network, a NetworkResolver field needs to be defined
+ with an IP address or IP:port if the upstream listens on a port other than 53.
+ properties:
+ address:
+ description: |-
+ address must be defined when Type is set to Network. It will be ignored otherwise.
+ It must be a valid ipv4 or ipv6 address.
+ type: string
+ port:
+ default: 53
+ description: |-
+ port may be defined when Type is set to Network. It will be ignored otherwise.
+ Port must be between 65535
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type:
+ description: |-
+ type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf.
+ Type accepts 2 possible values: SystemResolvConf or Network.
+
+ * When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:
+ /etc/resolv.conf will be used
+ * When Network is used, the Upstream structure must contain at least an Address
+ enum:
+ - SystemResolvConf
+ - Network
+ - ""
+ type: string
+ required:
+ - type
+ type: object
+ maxItems: 15
+ type: array
+ type: object
+ type: object
+ status:
+ description: status is the most recently observed status of the DNS.
+ properties:
+ clusterDomain:
+ description: |-
+ clusterDomain is the local cluster DNS domain suffix for DNS services.
+ This will be a subdomain as defined in RFC 1034,
+ section 3.5: https://tools.ietf.org/html/rfc1034#section-3.5
+ Example: "cluster.local"
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service
+ type: string
+ clusterIP:
+ description: |-
+ clusterIP is the service IP through which this DNS is made available.
+
+ In the case of the default DNS, this will be a well known IP that is used
+ as the default nameserver for pods that are using the default ClusterFirst DNS policy.
+
+ In general, this IP can be specified in a pod's spec.dnsConfig.nameservers list
+ or used explicitly when performing name resolution from within the cluster.
+ Example: dig foo.com @
+
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ type: string
+ conditions:
+ description: |-
+ conditions provide information about the state of the DNS on the cluster.
+
+ These are the supported DNS conditions:
+
+ * Available
+ - True if the following conditions are met:
+ * DNS controller daemonset is available.
+ - False if any of those conditions are unsatisfied.
+ items:
+ description: OperatorCondition is just the standard condition fields.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - clusterDomain
+ - clusterIP
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
index 64aac26eb38..3504ec7c75f 100644
--- a/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/operator/v1/zz_generated.swagger_doc_generated.go
@@ -704,6 +704,7 @@ var map_DNSSpec = map[string]string{
"operatorLogLevel": "operatorLogLevel controls the logging level of the DNS Operator. Valid values are: \"Normal\", \"Debug\", \"Trace\". Defaults to \"Normal\". setting operatorLogLevel: Trace will produce extremely verbose logs.",
"logLevel": "logLevel describes the desired logging verbosity for CoreDNS. Any one of the following values may be specified: * Normal logs errors from upstream resolvers. * Debug logs errors, NXDOMAIN responses, and NODATA responses. * Trace logs errors and all responses.\n Setting logLevel: Trace will produce extremely verbose logs.\nValid values are: \"Normal\", \"Debug\", \"Trace\". Defaults to \"Normal\".",
"cache": "cache describes the caching configuration that applies to all server blocks listed in the Corefile. This field allows a cluster admin to optionally configure: * positiveTTL which is a duration for which positive responses should be cached. * negativeTTL which is a duration for which negative responses should be cached. If this is not configured, OpenShift will configure positive and negative caching with a default value that is subject to change. At the time of writing, the default positiveTTL is 900 seconds and the default negativeTTL is 30 seconds or as noted in the respective Corefile for your version of OpenShift.",
+ "template": "template is an optional configuration for custom DNS query handling via the CoreDNS template plugin. The template defines how to handle queries matching specific zones and query types.\n\nThe template is injected into ALL Corefile server blocks (both custom servers from spec.servers and the default .:5353 block). This ensures consistent behavior across all DNS resolution paths.\n\nAAAA filtering is intended for IPv4-only clusters. In IPv6 or dual-stack clusters, use specific zones instead of \".\" to avoid filtering internal IPv6 service addresses (e.g., cluster.local).\n\nWhen this field is not set, no template plugin configuration is added to CoreDNS.",
}
func (DNSSpec) SwaggerDoc() map[string]string {
@@ -743,6 +744,15 @@ func (ForwardPlugin) SwaggerDoc() map[string]string {
return map_ForwardPlugin
}
+var map_ReturnEmptyAction = map[string]string{
+ "": "ReturnEmptyAction configures the template to return empty DNS responses. This is used for query filtering, such as AAAA filtering in IPv4-only clusters.",
+ "rcode": "rcode is the DNS response code to return in the empty response. Valid values are \"NOERROR\".\n\nNOERROR indicates a successful query with no answer records. This is the standard response for AAAA filtering - the query succeeds but returns no IPv6 addresses, causing clients to fall back to A record (IPv4) queries.",
+}
+
+func (ReturnEmptyAction) SwaggerDoc() map[string]string {
+ return map_ReturnEmptyAction
+}
+
var map_Server = map[string]string{
"": "Server defines the schema for a server that runs per instance of CoreDNS.",
"name": "name is required and specifies a unique name for the server. Name must comply with the Service Name Syntax of rfc6335.",
@@ -754,6 +764,27 @@ func (Server) SwaggerDoc() map[string]string {
return map_Server
}
+var map_Template = map[string]string{
+ "": "Template defines a template for custom DNS query handling via the CoreDNS template plugin. Templates enable filtering or custom responses for DNS queries matching specific zones and query types.",
+ "zones": "zones specifies the DNS zones this template applies to. Each zone must be a valid DNS name as defined in RFC 1123. The special zone \".\" matches all domains (catch-all). Multiple zones can be specified to apply the same template actions to multiple domains.\n\nExamples: - [\".\"] matches all domains (catch-all for global AAAA filtering) - [\"example.com\"] matches only example.com and its subdomains - [\"example.com\", \"test.com\"] matches both domains and their subdomains",
+ "queryType": "queryType specifies the DNS query type to match.",
+ "queryClass": "queryClass specifies the DNS query class to match.",
+ "actions": "actions defines a list of actions to apply to matching queries.",
+}
+
+func (Template) SwaggerDoc() map[string]string {
+ return map_Template
+}
+
+var map_TemplateAction = map[string]string{
+ "": "TemplateAction defines the action taken by the template for matching queries. This is a discriminated union - exactly one action type must be specified.",
+ "returnEmpty": "returnEmpty returns an empty DNS response with the specified response code. This is useful for filtering queries (e.g., AAAA filtering in IPv4-only clusters).\n\nWhen set, the template returns a response with no answer records. For AAAA filtering, this means IPv6 address queries return successfully but with no IPv6 addresses, causing clients to fall back to IPv4 (A record) queries.",
+}
+
+func (TemplateAction) SwaggerDoc() map[string]string {
+ return map_TemplateAction
+}
+
var map_Upstream = map[string]string{
"": "Upstream can either be of type SystemResolvConf, or of type Network.\n\n - For an Upstream of type SystemResolvConf, no further fields are necessary:\n The upstream will be configured to use /etc/resolv.conf.\n - For an Upstream of type Network, a NetworkResolver field needs to be defined\n with an IP address or IP:port if the upstream listens on a port other than 53.",
"type": "type defines whether this upstream contains an IP/IP:port resolver or the local /etc/resolv.conf. Type accepts 2 possible values: SystemResolvConf or Network.\n\n* When SystemResolvConf is used, the Upstream structure does not require any further fields to be defined:\n /etc/resolv.conf will be used\n* When Network is used, the Upstream structure must contain at least an Address",
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
index db59d186a29..677160eac97 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
@@ -116,6 +116,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
index bcb089a53bf..88d2a6ae9c9 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
@@ -162,6 +162,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
index 332c549cafa..3ca55de5c0d 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
@@ -118,6 +118,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
index dcf160c5417..529885611b5 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
@@ -28,6 +28,9 @@
{
"name": "ClusterAPIInstall"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "EventedPLEG"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
index 72e73eb4233..0a10f27b328 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
@@ -116,6 +116,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
index f29f4947246..07f14fd2749 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -144,6 +144,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
index 7f29f0d1a1a..9f8f4ead911 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
@@ -118,6 +118,9 @@
{
"name": "DNSNameResolver"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "DRAPartitionableDevices"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
index be6d15233f7..ffe38f8b0c3 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -28,6 +28,9 @@
{
"name": "ClusterAPIInstall"
},
+ {
+ "name": "DNSTemplatePlugin"
+ },
{
"name": "EventedPLEG"
},