diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
index 79d801f6c7140f931b81b54b75b3fe0e2f3d5de0..c41e6f3f24f4166d73e7868302227ccfa37aae7d 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
@@ -12,12 +12,10 @@ spec:
labels:
app: netchecker-agent-hostnet
spec:
- hostNetwork: True
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
beta.kubernetes.io/os: linux
-{% if kube_version is version('v1.6', '>=') %}
- dnsPolicy: ClusterFirstWithHostNet
-{% endif %}
{% if kube_version is version('v1.11.1', '>=') %}
priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
{% endif %}
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
index 32fb0c1a0e15bf064128db6161631f733e1dde13..fec4a0beb50a0dfbe947f6197b9eec150512e17f 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
@@ -26,6 +26,7 @@ spec:
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostIPC: false
hostPID: false
runAsUser:
diff --git a/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2 b/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2
index e926d76098a8639acb109c9626c347c2e578222d..7ed87603cf30beeed93f085a6165c657fdcd5d42 100644
--- a/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2
+++ b/roles/kubernetes-apps/cloud_controller/oci/templates/oci-cloud-provider.yml.j2
@@ -34,6 +34,7 @@ spec:
{% endif %}
serviceAccountName: cloud-controller-manager
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index e6dd7d1a178970e9301b6e281713cf237194ae96..d8dce9cf5d0b4354d399f99d1b89a3d66e598f00 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -65,6 +65,7 @@ spec:
volumes:
- '*'
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPorts:
- min: 0
max: 65535
diff --git a/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/k8s-device-plugin-nvidia-daemonset.yml.j2 b/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/k8s-device-plugin-nvidia-daemonset.yml.j2
index a476389bca8714c3cd8547b148847cc9aaa03729..c5a7f51942733180a7bbf6ffc427dc0eb6ee0da7 100644
--- a/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/k8s-device-plugin-nvidia-daemonset.yml.j2
+++ b/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/k8s-device-plugin-nvidia-daemonset.yml.j2
@@ -29,6 +29,7 @@ spec:
- operator: "Exists"
effect: "NoSchedule"
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
volumes:
- name: device-plugin
diff --git a/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/nvidia-driver-install-daemonset.yml.j2 b/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/nvidia-driver-install-daemonset.yml.j2
index 788599c308d3a414d7c75dc4a05df6d8f86dd729..97aff97ac7a4c5bcd81c7c90af80e7a71c088a98 100644
--- a/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/nvidia-driver-install-daemonset.yml.j2
+++ b/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/templates/nvidia-driver-install-daemonset.yml.j2
@@ -36,6 +36,7 @@ spec:
effect: "NoSchedule"
operator: "Exists"
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
volumes:
- name: dev
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
index bba7a2d0112bb63e0a78e2426e7a3b745d66eb78..f8499cbd6151986c7b71f390ddafaaa26c802f97 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -24,6 +24,7 @@ spec:
serviceAccountName: ingress-nginx
{% if ingress_nginx_host_network %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
{% endif %}
{% if ingress_nginx_nodeselector %}
nodeSelector:
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
index 0eac6aa2c9d835ea0ecfed2ae8b446cbb99c8066..7bf4bbb16f9e54bb94f8d015a7cadcc9bab7e0d5 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
@@ -26,6 +26,9 @@ spec:
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: {{ ingress_nginx_host_network|bool }}
+{%% if ingress_nginx_host_network %}
+ dnsPolicy: ClusterFirstWithHostNet
+{% endif %}
hostPorts:
- min: 0
max: 65535
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
index 1e7b8240d7dd7c4b91270bc443e578cc22563fe6..30e8b56ff5acd0b077946ef5c712eabd80bb0eac 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -25,6 +25,7 @@ spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: calico-kube-controllers
tolerations:
- key: CriticalAddonsOnly
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
index c7375336a171a16299323b7c3d8ed7def37e4880..1989a4ef33ba231676e04d493fcc5e2392299cd5 100644
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
@@ -35,6 +35,7 @@ spec:
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPorts:
- min: 5000
max: 5000
diff --git a/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2
index e0cca903f2e63728131928fcf7cce486880bda7c..8a53007bc4f606a0d1ab24b0fa308d38d3484114 100644
--- a/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2
@@ -8,6 +8,7 @@ metadata:
k8s-app: kube-haproxy
spec:
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
beta.kubernetes.io/os: linux
{% if kube_version is version('v1.11.1', '>=') %}
diff --git a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
index 18e85b3faab7d6aaf57adc4d71e88532afe0ec16..d8b5eb1facf83d18ae7d308b2cb479bb7c367caf 100644
--- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
@@ -8,6 +8,7 @@ metadata:
k8s-app: kube-nginx
spec:
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
beta.kubernetes.io/os: linux
{% if kube_version is version('v1.11.1', '>=') %}
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index cd4841867c71b401bdca89f2c9e620239100515d..ffb05c872eaa46d48134aa77b6744ef61f19e743 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -29,6 +29,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: calico-node
tolerations:
- effect: NoExecute
diff --git a/roles/network_plugin/calico/templates/calico-typha.yml.j2 b/roles/network_plugin/calico/templates/calico-typha.yml.j2
index 19e5ec894ab703222902bb2b82025b6e8ca038a3..36181281b4898cd2646dad81d68b715cea9378a6 100644
--- a/roles/network_plugin/calico/templates/calico-typha.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-typha.yml.j2
@@ -51,6 +51,7 @@ spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
diff --git a/roles/network_plugin/canal/templates/canal-node.yaml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2
index 7b3cba83ea217610799f031e68ab0bbba2fc7ae4..e6bb4d36413b26262a3f0188e9ac3427d2691460 100644
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -19,6 +19,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: canal
tolerations:
- operator: Exists
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 073da965dbf750614934a68937be59be822b35e4..e0b54b98260fb595c8c6ee5143b741cafe71bab5 100755
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -172,6 +172,7 @@ spec:
- "NET_ADMIN"
privileged: true
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
volumes:
# To keep state between restarts / upgrades
- name: cilium-run
diff --git a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2 b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
index c1604d0b5d8ec98d43940d295a97a2a7ed61f406..82f94d6ece8ca4b064f78e296e85b3af0d851064 100644
--- a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
@@ -22,6 +22,7 @@ spec:
# The API proxy must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
nodeSelector:
node-role.kubernetes.io/master: ""
diff --git a/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2 b/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2
index c8de9d29733be632ffc0655ec700e20323fcc9eb..3cd9cf399ebc7b227fcad438813ac6bdaf13fc8a 100644
--- a/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2
@@ -19,6 +19,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
tolerations:
- operator: Exists
diff --git a/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2 b/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2
index 18e36ba9e8ea3b754a39404f17aa30cf51e50709..b1754f838338e929bf2aebade43d1dc3fc053d5a 100644
--- a/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2
@@ -19,6 +19,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
affinity:
nodeAffinity:
diff --git a/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2 b/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2
index e320f5b24d051c78222b1e67fe15d137033def0b..2a788c98e9f663a0a0641a805c7f655f1a282f36 100644
--- a/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2
@@ -19,6 +19,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
nodeSelector:
node-role.kubernetes.io/master: ""
diff --git a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2 b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
index a39938f77df2639f7ca53fcb4fc25f2b19f7770e..5e2ae26a20ad27c02335842a4710e135438b6481 100644
--- a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
@@ -22,6 +22,7 @@ spec:
# The netmaster must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
nodeSelector:
node-role.kubernetes.io/master: ""
diff --git a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
index 8b2e65ebd5619e2919cbd6f16ce84ada312eb241..449a6f9f3fe95b9bd77331e8f28f4695f41524d2 100644
--- a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
@@ -24,6 +24,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
tolerations:
- operator: Exists
diff --git a/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2 b/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2
index 2ec15fc825cae1c0f882af988e9bc9659c9fedab..c521e8fd5de7506866e93603b7f8ef995b4cc9d7 100644
--- a/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2
@@ -21,6 +21,7 @@ spec:
priorityClassName: system-node-critical
{% endif %}
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
tolerations:
- operator: Exists
diff --git a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
index bcaae4a6d76b1c5fa4e125a4486e8b460ca9b537..11e498ccad86d7dbf939d88bb093eee2eaed4932 100644
--- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
@@ -110,6 +110,7 @@ spec:
- name: host-cni-bin
mountPath: /host/opt/cni/bin/
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
tolerations:
- operator: Exists
# Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
diff --git a/roles/network_plugin/kube-router/templates/kube-router.yml.j2 b/roles/network_plugin/kube-router/templates/kube-router.yml.j2
index 52fd47ae17d3dbe48788fc71f770083546778639..a915281cb536593088041b20013af297264b5817 100644
--- a/roles/network_plugin/kube-router/templates/kube-router.yml.j2
+++ b/roles/network_plugin/kube-router/templates/kube-router.yml.j2
@@ -152,6 +152,7 @@ spec:
- name: kubeconfig
mountPath: /var/lib/kube-router
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
{% if kube_router_enable_dsr %}
hostIPC: true
hostPID: true
diff --git a/roles/network_plugin/multus/templates/multus-daemonset.yml.j2 b/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
index 11cf427d047db19c174dfea345047adbe132bddc..96847aa14e7c97cb519b68ab09d444bbab483b5b 100644
--- a/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
+++ b/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
@@ -15,6 +15,7 @@ spec:
app: multus
spec:
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
beta.kubernetes.io/arch: amd64
tolerations:
diff --git a/roles/network_plugin/weave/templates/weave-net.yml.j2 b/roles/network_plugin/weave/templates/weave-net.yml.j2
index 0cef290d2066e443787d423d469facb5356f78e9..40e6104979b7fd3962f0ef30e42cf4ac18b1ab9b 100644
--- a/roles/network_plugin/weave/templates/weave-net.yml.j2
+++ b/roles/network_plugin/weave/templates/weave-net.yml.j2
@@ -216,6 +216,7 @@ items:
- name: xtables-lock
mountPath: /run/xtables.lock
hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
hostPID: true
restartPolicy: Always
securityContext: