PTR records can collide #124
PTR records are needed for running some popular applications using StatefulSet. Some examples are GlusterFS, HBase. ref: kubernetes/kubernetes#33470 . We ourselves use GlusterFS. So, we like to have this feature not get reverted. From #25 (comment):
We need to do something with this for 1.8
@bowei Is this still targeted for 1.8? I think it might classify as a bug-fix, so we might be able to merge post freeze.
Leave it targeted for 1.8 for the post-freeze for now. I want to take care of it, but am bandwidth constrained pre-freeze :-|
See #25 (comment) for another way to break this where only one record is ever created, and it is never updated. It works once, then it is set to the original pod name, and never again.
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
As pointed out at the end of #25, it's possible to make PTR records collide with manual endpoints, in which case someone can hijack the PTR record, even across namespaces.
This sort of makes PTR records, as implemented, useless. @sadlil offers #101, but I am worried about the impact of that when there are many DNS replicas. I don't think it will fly, and we really really do not want DNS to watch Pods (some crazy people run DNS on every node, and it will CRUSH the apiserver).
There's also an issue of adding PTR records for IPs that are not pods, I will open a different issue.
We need to find a solution to this ASAP or revert #25 and eat some crow.
We need some authoritative place that can confirm IP->pod mapping, but that seems impossible to do without creating an O(num-pods) watch, or else trusting Endpoints to not hijack.
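The collision described in the issue body above, modelled as an added example. This is not kube-dns's code: the Claim type, the owner names, the pod IPs and the FQDNs are all constructed for illustration. It shows a reverse-record builder keyed only by IP, where whichever Endpoints object is processed last (from any namespace) owns the PTR, next to a variant that keeps the first claim and reports later differing claims as conflicts so a takeover is at least visible for logging or alerting. The detecting variant is not an authoritative fix, since first-seen order is not stable across restarts, which is exactly why the issue asks for an authoritative IP->pod source.

```go
package main

import (
	"fmt"
	"net"
)

// Claim is one address an Endpoints object advertises, as a reverse-record
// builder would see it: the IP, the FQDN its PTR would answer with, and the
// namespace/name of the Endpoints object that made the claim.
// Constructed model for this example, not kube-dns's own types.
type Claim struct {
	IP     string
	Target string // FQDN the PTR record would point at
	Owner  string // "namespace/endpoints-name" that advertised this address
}

// Conflict records a second, differing claim for an IP that already had a PTR.
type Conflict struct {
	IP       string
	Kept     Claim
	Rejected Claim
}

// ReverseName converts a dotted IPv4 address to its in-addr.arpa PTR owner name.
func ReverseName(ip string) (string, error) {
	parsed := net.ParseIP(ip).To4()
	if parsed == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.",
		parsed[3], parsed[2], parsed[1], parsed[0]), nil
}

// BuildLastWins models the behaviour the issue describes: every claim overwrites
// the PTR for its IP, so the Endpoints object processed last, in any namespace,
// ends up owning the reverse record.
func BuildLastWins(claims []Claim) map[string]string {
	ptr := make(map[string]string)
	for _, c := range claims {
		name, err := ReverseName(c.IP)
		if err != nil {
			continue // skip non-IPv4 addresses in this model
		}
		ptr[name] = c.Target
	}
	return ptr
}

// BuildDetecting keeps the first claim per IP and reports every later,
// differing claim as a Conflict instead of silently replacing the record.
// It does not make the record authoritative; it makes a collision observable.
func BuildDetecting(claims []Claim) (map[string]string, []Conflict) {
	ptr := make(map[string]string)
	first := make(map[string]Claim)
	var conflicts []Conflict
	for _, c := range claims {
		name, err := ReverseName(c.IP)
		if err != nil {
			continue
		}
		if prev, seen := first[name]; seen {
			if prev.Owner != c.Owner || prev.Target != c.Target {
				conflicts = append(conflicts, Conflict{IP: c.IP, Kept: prev, Rejected: c})
			}
			continue
		}
		first[name] = c
		ptr[name] = c.Target
	}
	return ptr, conflicts
}

// SampleClaims is constructed input: two StatefulSet pods advertised through
// their headless service, plus a hand-written Endpoints object in another
// namespace that lists one of the same pod IPs.
var SampleClaims = []Claim{
	{IP: "10.244.1.5", Target: "gluster-0.gluster.storage.svc.cluster.local.", Owner: "storage/gluster"},
	{IP: "10.244.1.6", Target: "gluster-1.gluster.storage.svc.cluster.local.", Owner: "storage/gluster"},
	{IP: "10.244.1.5", Target: "manual.other.svc.cluster.local.", Owner: "other/manual"},
}

func main() {
	name, _ := ReverseName("10.244.1.5")
	fmt.Println("last-writer-wins:", BuildLastWins(SampleClaims)[name])
	ptr, conflicts := BuildDetecting(SampleClaims)
	fmt.Println("first-seen:", ptr[name])
	for _, c := range conflicts {
		fmt.Printf("conflict on %s: kept %s (%s), rejected %s (%s)\n",
			c.IP, c.Kept.Target, c.Kept.Owner, c.Rejected.Target, c.Rejected.Owner)
	}
}
```

Run as-is: the last-writer-wins map answers the PTR for 10.244.1.5 with the manually created Endpoints' name from the other namespace, while the detecting variant keeps the StatefulSet pod's name and reports one conflict naming the Endpoints object that tried to claim the address.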