Pod insecure2 (#479)

* return servfail for pod rqsts when pods disabled * Add integration test for disabled pod mode
2025-10-31 10:13:14 -04:00 · 2017-01-12 11:57:00 -05:00
parent 2e366459c5
commit b6a2a5aeaa
2 changed files with 46 additions and 23 deletions
--- a/middleware/kubernetes/kubernetes.go
+++ b/middleware/kubernetes/kubernetes.go
@@ -341,7 +341,7 @@ func ipFromPodName(podname string) string {

 func (k *Kubernetes) findPods(namespace, podname string) (pods []pod, err error) {
 	if k.PodMode == PodModeDisabled {
-		return pods, nil
+		return pods, errors.New("pod records disabled")
 	}

 	var ip string
--- a/test/kubernetes_test.go
+++ b/test/kubernetes_test.go
@@ -196,14 +196,7 @@ var dnsTestCases = []test.Case{
 	},
 	{
 		Qname: "10-20-0-101.test-1.pod.cluster.local.", Qtype: dns.TypeA,
-		Rcode: dns.RcodeSuccess,
-		Answer: []dns.RR{
-			test.A("10-20-0-101.test-1.pod.cluster.local. 0 IN A    10.20.0.101"),
-		},
-	},
-	{
-		Qname: "10-20-0-101.test-X.pod.cluster.local.", Qtype: dns.TypeA,
-		Rcode:  dns.RcodeNameError,
+		Rcode:  dns.RcodeServerFailure,
 		Answer: []dns.RR{},
 	},
 	{
@@ -227,6 +220,21 @@ var dnsTestCases = []test.Case{
 	},
 }

+var dnsTestCasesPodsInsecure = []test.Case{
+	{
+		Qname: "10-20-0-101.test-1.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode: dns.RcodeSuccess,
+		Answer: []dns.RR{
+			test.A("10-20-0-101.test-1.pod.cluster.local. 0 IN A    10.20.0.101"),
+		},
+	},
+	{
+		Qname: "10-20-0-101.test-X.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode:  dns.RcodeNameError,
+		Answer: []dns.RR{},
+	},
+}
+
 func createTestServer(t *testing.T, corefile string) (*caddy.Instance, string) {
 	server, err := CoreDNSServer(corefile)
 	if err != nil {
@@ -241,19 +249,7 @@ func createTestServer(t *testing.T, corefile string) (*caddy.Instance, string) {
 	return server, udp
 }

-func TestKubernetesIntegration(t *testing.T) {
-	t.Parallel()
-	corefile :=
-		`.:0 {
-    kubernetes cluster.local 0.0.10.in-addr.arpa {
-                endpoint http://localhost:8080
-		#endpoint https://kubernetes/ 
-		#tls admin.pem admin-key.pem ca.pem
-		#tls k8s_auth/client2.crt k8s_auth/client2.key k8s_auth/ca2.crt
-		namespaces test-1
-		pods insecure
-    }
-`
+func doIntegrationTests(t *testing.T, corefile string, testCases []test.Case) {
 	server, udp := createTestServer(t, corefile)
 	defer server.Stop()

@@ -261,7 +257,7 @@ func TestKubernetesIntegration(t *testing.T) {
 	// test environment.
 	time.Sleep(5 * time.Second)

-	for _, tc := range dnsTestCases {
+	for _, tc := range testCases {

 		dnsClient := new(dns.Client)
 		dnsMessage := new(dns.Msg)
@@ -285,3 +281,30 @@ func TestKubernetesIntegration(t *testing.T) {
 		//TODO: Check the actual RR values
 	}
 }
+
+func TestKubernetesIntegration(t *testing.T) {
+	corefile :=
+		`.:0 {
+    kubernetes cluster.local 0.0.10.in-addr.arpa {
+                endpoint http://localhost:8080
+		#endpoint https://kubernetes/ 
+		#tls admin.pem admin-key.pem ca.pem
+		#tls k8s_auth/client2.crt k8s_auth/client2.key k8s_auth/ca2.crt
+		namespaces test-1
+		pods disabled
+    }
+`
+	doIntegrationTests(t, corefile, dnsTestCases)
+}
+
+func TestKubernetesIntegrationPodsInsecure(t *testing.T) {
+	corefile :=
+		`.:0 {
+    kubernetes cluster.local 0.0.10.in-addr.arpa {
+                endpoint http://localhost:8080
+		namespaces test-1
+		pods insecure
+    }
+`
+	doIntegrationTests(t, corefile, dnsTestCasesPodsInsecure)
+}