From a52cbbfd863909d27af09c85834ca4579a1106e6 Mon Sep 17 00:00:00 2001
From: Parikshit Khedekar
Date: Tue, 5 May 2026 12:01:14 +0530
Subject: [PATCH 1/3] OCPBUGS-55179: Set internalTrafficPolicy to Local on dns-default service

DNS queries from pods on primary user-defined networks (UDNs) scatter randomly across dns-default pods on all nodes instead of being handled by the local node's dns-default pod. UDN pods reach the dns-default service (172.30.0.10) through a path that crosses network boundaries: UDN pod -> UDN cluster router -> management port -> default network -> OVN load balancer -> dns-default pod. The OVN load balancer on the default network treats dns-default as a standard ClusterIP service and distributes traffic across all backend pods cluster-wide. Setting internalTrafficPolicy to Local restricts the EndpointSlice to contain only the node-local dns-default backend. Since dns-default runs as a DaemonSet with a pod on every node, this is safe and guarantees that DNS queries are always handled by the local pod. The existing trafficDistribution: PreferSameNode (added in PR #457) provides a soft hint for same-node preference but does not guarantee locality for cross-network UDN traffic. internalTrafficPolicy: Local provides the hard constraint needed.
Jira: https://issues.redhat.com/browse/OCPBUGS-55179
Signed-off-by: Parikshit Khedekar
---
 pkg/manifests/assets/dns/service.yaml | 1 +
 .../controller/controller_dns_service_test.go | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/pkg/manifests/assets/dns/service.yaml b/pkg/manifests/assets/dns/service.yaml
index 6e3cd2ec8..be2b40110 100644
--- a/pkg/manifests/assets/dns/service.yaml
+++ b/pkg/manifests/assets/dns/service.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 spec:
 # clusterIP will be automatically managed.
 # selector is set at runtime
+ internalTrafficPolicy: Local
 trafficDistribution: PreferSameNode
 ports:
 - name: dns
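Review bot: The added `internalTrafficPolicy: Local` line removes the fallback that `trafficDistribution: PreferSameNode` still allowed: when a node has no ready dns-default endpoint (pod restarting during a DaemonSet rollout, evicted, or a node the DaemonSet does not schedule on), the proxy drops that node's DNS traffic rather than steering it to another node's pod, so this is an availability trade-off the manifest should state rather than leave implicit. Whether the DaemonSet's update strategy keeps a ready pod on every node at all times is not visible in this hunk; it is the assumption the commit message relies on and should be confirmed before merging. With Local set, PreferSameNode is presumably moot for in-cluster traffic, so the two lines deserve a comment explaining why both exist. Suggested comment above the new line: `# Local: serve DNS only from this node's dns-default pod (hard locality for UDN pods, OCPBUGS-55179); while the local pod is unready, queries are dropped, not redirected.`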
diff --git a/pkg/operator/controller/controller_dns_service_test.go b/pkg/operator/controller/controller_dns_service_test.go
index dbdcbb710..53f554a26 100644
--- a/pkg/operator/controller/controller_dns_service_test.go
+++ b/pkg/operator/controller/controller_dns_service_test.go
@@ -196,6 +196,20 @@ func TestDNSServiceChanged(t *testing.T) {
 }
 }
 
+func TestDesiredDNSServiceInternalTrafficPolicy(t *testing.T) {
+ dns := &operatorv1.DNS{
+ ObjectMeta: metav1.ObjectMeta{Name: "default"},
+ }
+ daemonsetRef := metav1.OwnerReference{}
+ svc := desiredDNSService(dns, "172.30.0.10", false, daemonsetRef)
+
+ if !assert.NotNil(t, svc.Spec.InternalTrafficPolicy, "expected InternalTrafficPolicy to be set") {
+ return
+ }
+ assert.Equal(t, corev1.ServiceInternalTrafficPolicyLocal, *svc.Spec.InternalTrafficPolicy,
+ "dns-default service must use InternalTrafficPolicy Local to ensure node-local DNS resolution")
+}
+
 func Test_shouldEnableTopologyAwareHints(t *testing.T) {
 emptyLabels := map[string]string{}
 someCPU := map[corev1.ResourceName]resource.Quantity{
From b6304d34ebec9b0cc32aefb9aa46090219c5e0fa Mon Sep 17 00:00:00 2001
From: Parikshit Khedekar <31507393+pkhedeka@users.noreply.github.com>
Date: Tue, 5 May 2026 23:04:27 +0530
Subject: [PATCH 2/3] Update pkg/operator/controller/controller_dns_service_test.go

Co-authored-by: Miciah Dashiel Butler Masters
---
 pkg/operator/controller/controller_dns_service_test.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pkg/operator/controller/controller_dns_service_test.go b/pkg/operator/controller/controller_dns_service_test.go
index 53f554a26..d58d734e8 100644
--- a/pkg/operator/controller/controller_dns_service_test.go
+++ b/pkg/operator/controller/controller_dns_service_test.go
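Review bot: TestDesiredDNSServiceInternalTrafficPolicy pins only what desiredDNSService generates; nothing in this hunk checks that the reconciliation comparison (dnsServiceChanged, whose TestDNSServiceChanged closes just above the new function) detects a live Service whose Spec.InternalTrafficPolicy has been cleared or set back to Cluster, so a drifted or manually edited service could keep cluster-wide resolution until some unrelated field triggers an update. Whether dnsServiceChanged compares this field cannot be seen here; if it does, add a TestDNSServiceChanged case that mutates it, e.g. `policy := corev1.ServiceInternalTrafficPolicyCluster` followed by `svc.Spec.InternalTrafficPolicy = &policy`, and expects a change (plus one that sets it to nil); if it does not, that is the gap to close together with the manifest change. As a point of style, the bare `false` positional argument to desiredDNSService says nothing about which behaviour is disabled; a named local such as `topologyHints := false` would make the case self-describing.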
@@ -203,9 +203,7 @@ func TestDesiredDNSServiceInternalTrafficPolicy(t *testing.T) {
 daemonsetRef := metav1.OwnerReference{}
 svc := desiredDNSService(dns, "172.30.0.10", false, daemonsetRef)
 
- if !assert.NotNil(t, svc.Spec.InternalTrafficPolicy, "expected InternalTrafficPolicy to be set") {
- return
- }
+ assert.NotNil(t, svc.Spec.InternalTrafficPolicy)
 assert.Equal(t, corev1.ServiceInternalTrafficPolicyLocal, *svc.Spec.InternalTrafficPolicy,
 "dns-default service must use InternalTrafficPolicy Local to ensure node-local DNS resolution")
 }
From f66ff495be57242bcfaa41e5d3ebc9b1190fae9e Mon Sep 17 00:00:00 2001
From: Parikshit Khedekar <31507393+pkhedeka@users.noreply.github.com>
Date: Tue, 5 May 2026 23:04:53 +0530
Subject: [PATCH 3/3] Update pkg/operator/controller/controller_dns_service_test.go

Co-authored-by: Miciah Dashiel Butler Masters
---
 pkg/operator/controller/controller_dns_service_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pkg/operator/controller/controller_dns_service_test.go b/pkg/operator/controller/controller_dns_service_test.go
index d58d734e8..61f3dc5b0 100644
--- a/pkg/operator/controller/controller_dns_service_test.go
+++ b/pkg/operator/controller/controller_dns_service_test.go
@@ -204,8 +204,7 @@ func TestDesiredDNSServiceInternalTrafficPolicy(t *testing.T) {
 svc := desiredDNSService(dns, "172.30.0.10", false, daemonsetRef)
 
 assert.NotNil(t, svc.Spec.InternalTrafficPolicy)
- assert.Equal(t, corev1.ServiceInternalTrafficPolicyLocal, *svc.Spec.InternalTrafficPolicy,
- "dns-default service must use InternalTrafficPolicy Local to ensure node-local DNS resolution")
+ assert.Equal(t, corev1.ServiceInternalTrafficPolicyLocal, *svc.Spec.InternalTrafficPolicy)
 }
 
 func Test_shouldEnableTopologyAwareHints(t *testing.T) {
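Review bot: The bare `assert.NotNil(t, svc.Spec.InternalTrafficPolicy)` that replaces the guarded check lets a nil field fall straight through to `*svc.Spec.InternalTrafficPolicy` on the next line, because testify's assert records the failure and continues, so a regression in desiredDNSService would surface as a nil-pointer panic that aborts the package's test binary instead of one clean failure. Use `require.NotNil(t, svc.Spec.InternalTrafficPolicy)` if the file already imports testify's require (not visible in this hunk), otherwise keep the `if !assert.NotNil(...) { return }` guard that this patch removes. The third patch in this series keeps the same dereference and is covered by this note. The enclosing function starts outside the hunk.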