From 572e864c8a9c8c7e9f3d2e72f4f47c681c7778d0 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Fri, 31 Jul 2020 14:50:15 -0700 Subject: [PATCH] Fix DNS policy for host-networked pods (#790) --- pkg/render/apiserver.go | 5 +++++ pkg/render/logstorage.go | 6 ++++++ pkg/render/logstorage_test.go | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go index 1155fb190e..269083c0b3 100644 --- a/pkg/render/apiserver.go +++ b/pkg/render/apiserver.go @@ -542,12 +542,16 @@ func (c *apiServerComponent) apiServer() *appsv1.Deployment { var replicas int32 = 1 hostNetwork := false + dnsPolicy := corev1.DNSClusterFirst if c.installation.Spec.KubernetesProvider == operator.ProviderEKS && c.installation.Spec.CNI.Type == operator.PluginCalico { // Workaround the fact that webhooks don't work for non-host-networked pods // when in this networking mode on EKS, because the control plane nodes don't run // Calico. hostNetwork = true + + // Adjust DNS policy so we can access in-cluster services. + dnsPolicy = corev1.DNSClusterFirstWithHostNet } d := &appsv1.Deployment{ @@ -577,6 +581,7 @@ func (c *apiServerComponent) apiServer() *appsv1.Deployment { Annotations: c.tlsAnnotations, }, Spec: corev1.PodSpec{ + DNSPolicy: dnsPolicy, NodeSelector: map[string]string{ "kubernetes.io/os": "linux", }, diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go index fd8bf6c804..d4527e73a2 100644 --- a/pkg/render/logstorage.go +++ b/pkg/render/logstorage.go 
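Review bot: `dnsPolicy` is a second variable that has to be kept in sync with `hostNetwork` by hand, and the identical two-variable block is repeated verbatim in eckOperatorStatefulSet in logstorage.go (second file of this patch); deriving the policy from the flag once after the `if` avoids the two drifting apart — `dnsPolicy := corev1.DNSClusterFirst` / `if hostNetwork { dnsPolicy = corev1.DNSClusterFirstWithHostNet }` — or better a small shared helper in the render package that returns both values for an installation spec. The new comment would say more precisely why the policy matters: `// Host-networked pods fall back to the node's resolver under ClusterFirst; ClusterFirstWithHostNet keeps cluster DNS so in-cluster services resolve.` Unlike the log-storage change, this commit adds no test asserting `DNSPolicy` on the apiServer deployment for the EKS+Calico case (nor that the default stays `DNSClusterFirst` elsewhere). The apiServer function continues outside these hunks; the second hunk is only the `DNSPolicy: dnsPolicy,` wiring.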
@@ -945,15 +945,20 @@ func (es elasticsearchComponent) eckOperatorStatefulSet() *appsv1.StatefulSet { defaultMode := int32(420) hostNetwork := false + dnsPolicy := corev1.DNSClusterFirst if es.installation.Spec.KubernetesProvider == operatorv1.ProviderEKS && es.installation.Spec.CNI.Type == operatorv1.PluginCalico { // Workaround the fact that webhooks don't work for non-host-networked pods // when in this networking mode on EKS, because the control plane nodes don't run // Calico. hostNetwork = true + + // Adjust DNS policy so we can access in-cluster services. + dnsPolicy = corev1.DNSClusterFirstWithHostNet } return &appsv1.StatefulSet{ + TypeMeta: metav1.TypeMeta{Kind: "StatefulSet", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ Name: ECKOperatorName, Namespace: ECKOperatorNamespace, @@ -978,6 +983,7 @@ func (es elasticsearchComponent) eckOperatorStatefulSet() *appsv1.StatefulSet { }, }, Spec: corev1.PodSpec{ + DNSPolicy: dnsPolicy, ServiceAccountName: "elastic-operator", ImagePullSecrets: getImagePullSecretReferenceList(es.pullSecrets), HostNetwork: hostNetwork, diff --git a/pkg/render/logstorage_test.go b/pkg/render/logstorage_test.go index d835af0d44..10420c6ef8 100644 --- a/pkg/render/logstorage_test.go +++ b/pkg/render/logstorage_test.go 
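Review bot: The `TypeMeta: metav1.TypeMeta{Kind: "StatefulSet", APIVersion: "apps/v1"}` line added to the StatefulSet literal is unrelated to the DNS-policy fix in the subject and is not explained anywhere in the patch; it looks like what allows the new test's `GetResource(resources, ..., "apps", "v1", "StatefulSet")` lookup to find the object, but GetResource is not visible here so that is an inference. If that is the reason, a one-line comment such as `// TypeMeta is set explicitly so the object can be located by GVK (tests rely on this).` or a sentence in the commit description would keep a later cleanup from dropping it. The same `hostNetwork`/`dnsPolicy` coupling raised on apiserver.go applies to this hunk as well. eckOperatorStatefulSet continues outside the hunk.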
@@ -440,6 +440,38 @@ var _ = Describe("Elasticsearch rendering tests", func() { Expect(nodeSelectors["k2"]).To(Equal("v2")) }) + It("should run as host network on EKS with Calico CNI", func() { + logStorage.Spec.DataNodeSelector = map[string]string{ + "k1": "v1", + "k2": "v2", + } + installation.Spec.KubernetesProvider = "EKS" + installation.Spec.CNI = &operator.CNISpec{Type: "Calico"} + component := render.LogStorage( + logStorage, + installation, nil, nil, nil, nil, + esConfig, + []*corev1.Secret{ + {ObjectMeta: metav1.ObjectMeta{Name: render.TigeraElasticsearchCertSecret, Namespace: render.OperatorNamespace()}}, + {ObjectMeta: metav1.ObjectMeta{Name: render.TigeraElasticsearchCertSecret, Namespace: render.ElasticsearchNamespace}}, + }, + []*corev1.Secret{ + {ObjectMeta: metav1.ObjectMeta{Name: render.TigeraKibanaCertSecret, Namespace: render.OperatorNamespace()}}, + {ObjectMeta: metav1.ObjectMeta{Name: render.TigeraKibanaCertSecret, Namespace: render.KibanaNamespace}}, + }, true, + []*corev1.Secret{ + {ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret"}}, + }, operator.ProviderNone, nil, nil, nil, "cluster.local", true, nil) + + // Host networking settings should be correct on the ECK operator. + resources, _ := component.Objects() + eckObj := GetResource(resources, "elastic-operator", "tigera-eck-operator", "apps", "v1", "StatefulSet") + Expect(eckObj).NotTo(BeNil()) + eck := eckObj.(*appsv1.StatefulSet) + Expect(eck.Spec.Template.Spec.HostNetwork).To(BeTrue()) + Expect(eck.Spec.Template.Spec.DNSPolicy).To(Equal(corev1.DNSClusterFirstWithHostNet)) + }) + It("Configures OIDC for Kibana when the OIDC configuration is provided", func() { component := render.LogStorage( logStorage,
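Review bot: The new test selects the EKS+Calico branch with raw strings, `installation.Spec.KubernetesProvider = "EKS"` and `&operator.CNISpec{Type: "Calico"}`, while the render code it exercises compares against `operator.ProviderEKS` and `operator.PluginCalico`; using the constants — `installation.Spec.KubernetesProvider = operator.ProviderEKS` and `installation.Spec.CNI = &operator.CNISpec{Type: operator.PluginCalico}` — ties the test to the values the code actually checks. The `DataNodeSelector` setup copied from the preceding test is not used by any assertion here and can go, and the call also passes `operator.ProviderNone` as a later argument, so if that parameter is a provider too it is worth a short comment saying which one drives the host-network decision. The test mutates the shared `installation` and `logStorage` fixtures; that is fine only if a BeforeEach outside this hunk resets them, which cannot be confirmed from here. A companion case asserting `HostNetwork` false and `DNSPolicy == corev1.DNSClusterFirst` for a non-EKS provider would pin the default branch as well.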