Implementation for minTTL

build/charts/antrea/conf/antrea-agent.conf

@@ -306,6 +306,11 @@ kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}
 # 10.96.0.10:53, [fd00:10:96::a]:53).
 dnsServerOverride: {{ .Values.dnsServerOverride | quote }}
 
+# The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+# It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+# This value should ideally be set to the maximum caching duration across all applications.
+minTTL: {{ .Values.minTTL }}
+
 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
 # https://golang.org/pkg/crypto/tls/#pkg-constants
 # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always

build/charts/antrea/values.yaml

@@ -186,6 +186,10 @@ kubeAPIServerOverride: ""
 # -- Address of DNS server, to override the kube-dns Service. It's used to
 # resolve hostnames in a FQDN policy.
 dnsServerOverride: ""
+# -- The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely.
+# The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL
+# value of the application's DNS cache.
+minTTL: 0
 # -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
 serviceCIDR: ""
 # -- IPv6 CIDR range used for Services. Required when AntreaProxy is disabled.

build/yamls/antrea-aks.yml

@@ -4234,6 +4234,11 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
+    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+    # This value should ideally be set to the maximum caching duration across all applications.
+    minTTL: 0
+
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
     # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
@@ -5383,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3
+        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
       labels:
         app: antrea
         component: antrea-agent
@@ -5621,7 +5626,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3
+        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -4234,6 +4234,11 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
+    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+    # This value should ideally be set to the maximum caching duration across all applications.
+    minTTL: 0
+
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
     # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
@@ -5383,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3
+        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
       labels:
         app: antrea
         component: antrea-agent
@@ -5622,7 +5627,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3
+        checksum/config: c235e6afdb719cee68a98bec85a0b40682b2d85b51bf4196d1556f1478ce2633
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -4234,6 +4234,11 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
+    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+    # This value should ideally be set to the maximum caching duration across all applications.
+    minTTL: 0
+
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
     # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
@@ -5383,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7e42a403d388e2ed556d9b41f4af83917eadd0863d4e2bef67353f5adb2ef6c3
+        checksum/config: 6c71e376d2b2ea5a377700084d271a88925337887b10a4432d68b7d269911d90
       labels:
         app: antrea
         component: antrea-agent
@@ -5619,7 +5624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7e42a403d388e2ed556d9b41f4af83917eadd0863d4e2bef67353f5adb2ef6c3
+        checksum/config: 6c71e376d2b2ea5a377700084d271a88925337887b10a4432d68b7d269911d90
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -4247,6 +4247,11 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
+    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+    # This value should ideally be set to the maximum caching duration across all applications.
+    minTTL: 0
+
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
     # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
@@ -5396,7 +5401,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7d8b0a065c3db85e34e127fdf38b820b32712657900e3f8fe2703d4310c40632
+        checksum/config: d4ce97447743fcc1980c3e46b6ac2ee821a64817bee4671d6ce838813643dd24
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -5678,7 +5683,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7d8b0a065c3db85e34e127fdf38b820b32712657900e3f8fe2703d4310c40632
+        checksum/config: d4ce97447743fcc1980c3e46b6ac2ee821a64817bee4671d6ce838813643dd24
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -4234,6 +4234,11 @@ data:
     # 10.96.0.10:53, [fd00:10:96::a]:53).
     dnsServerOverride: ""
 
+    # The minTTL setting helps address the problem of applications caching DNS response IPs beyond the TTL value for the DNS record.
+    # It is used to enforce FQDN policy rules, ensuring that resolved IPs are included in datapath rules for as long as the application is caching them.
+    # This value should ideally be set to the maximum caching duration across all applications.
+    minTTL: 0
+
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
     # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
@@ -5383,7 +5388,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2b4d82bcb825d50926115bad2125097f85aed424bfc49147444314cad8b7826a
+        checksum/config: d6ebdff39564e13df1eabb4bcf0894359a6b03bd8b8b528168a94b3e7a0ba319
       labels:
         app: antrea
         component: antrea-agent
@@ -5619,7 +5624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2b4d82bcb825d50926115bad2125097f85aed424bfc49147444314cad8b7826a
+        checksum/config: d6ebdff39564e13df1eabb4bcf0894359a6b03bd8b8b528168a94b3e7a0ba319
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -528,6 +528,7 @@ func run(o *Options) error {
 		nodeConfig,
 		podNetworkWait,
 		l7Reconciler,
+		o.config.MinTTL,
 	)
 	if err != nil {
 		return fmt.Errorf("error creating new NetworkPolicy controller: %v", err)

cmd/antrea-agent/options.go

@@ -605,6 +605,9 @@ func (o *Options) validateK8sNodeOptions() error {
 		o.dnsServerOverride = hostPort
 	}
 
+	// Ensure that the minTTL is not negative.
+	o.config.MinTTL = max(o.config.MinTTL, 0)
+
 	if err := o.validateSecondaryNetworkConfig(); err != nil {
 		return fmt.Errorf("failed to validate secondary network config: %v", err)
 	}

pkg/agent/controller/networkpolicy/fqdn.go

@@ -127,6 +127,7 @@ type fqdnController struct {
 	ofClient openflow.Client
 	// dnsServerAddr stores the coreDNS server address, or the user provided DNS server address.
 	dnsServerAddr string
+	minTTL        uint32
 
 	// dirtyRuleHandler is a callback that is run upon finding a rule out-of-sync.
 	dirtyRuleHandler func(string)
@@ -160,7 +161,7 @@ type fqdnController struct {
 	clock clock.Clock
 }
 
-func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServerOverride string, dirtyRuleHandler func(string), v4Enabled, v6Enabled bool, gwPort uint32, clock clock.WithTicker) (*fqdnController, error) {
+func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServerOverride string, dirtyRuleHandler func(string), v4Enabled, v6Enabled bool, gwPort uint32, clock clock.WithTicker, minTTL int) (*fqdnController, error) {
 	controller := &fqdnController{
 		ofClient:         client,
 		dirtyRuleHandler: dirtyRuleHandler,
@@ -182,6 +183,7 @@ func newFQDNController(client openflow.Client, allocator *idAllocator, dnsServer
 		ipv6Enabled:            v6Enabled,
 		gwPort:                 gwPort,
 		clock:                  clock,
+		minTTL:                 uint32(minTTL),
 	}
 	if controller.ofClient != nil {
 		if err := controller.ofClient.NewDNSPacketInConjunction(dnsInterceptRuleID); err != nil {
@@ -643,15 +645,15 @@ func (f *fqdnController) parseDNSResponse(msg *dns.Msg) (string, map[string]ipWi
 			if f.ipv4Enabled {
 				responseIPs[r.A.String()] = ipWithExpiration{
 					ip:             r.A,
-					expirationTime: currentTime.Add(time.Duration(r.Header().Ttl) * time.Second),
+					expirationTime: currentTime.Add(time.Duration(max(f.minTTL, r.Header().Ttl)) * time.Second),
 				}
 
 			}
 		case *dns.AAAA:
 			if f.ipv6Enabled {
 				responseIPs[r.AAAA.String()] = ipWithExpiration{
 					ip:             r.AAAA,
-					expirationTime: currentTime.Add(time.Duration(r.Header().Ttl) * time.Second),
+					expirationTime: currentTime.Add(time.Duration(max(f.minTTL, r.Header().Ttl)) * time.Second),
 				}
 			}
 		}

pkg/agent/controller/networkpolicy/fqdn_test.go

@@ -52,6 +52,7 @@ func newMockFQDNController(t *testing.T, controller *gomock.Controller, dnsServe
 		false,
 		config.DefaultHostGatewayOFPort,
 		clockToInject,
+		0,
 	)
 	require.NoError(t, err)
 	return f, mockOFClient

pkg/agent/controller/networkpolicy/networkpolicy_controller.go

@@ -196,7 +196,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 	gwPort, tunPort uint32,
 	nodeConfig *config.NodeConfig,
 	podNetworkWait *utilwait.Group,
-	l7Reconciler *l7engine.Reconciler) (*Controller, error) {
+	l7Reconciler *l7engine.Reconciler, minTTL int) (*Controller, error) {
 	idAllocator := newIDAllocator(asyncRuleDeleteInterval, dnsInterceptRuleID)
 	c := &Controller{
 		antreaClientProvider: antreaClientGetter,
@@ -227,7 +227,7 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 
 	var err error
 	if antreaPolicyEnabled {
-		if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}); err != nil {
+		if c.fqdnController, err = newFQDNController(ofClient, idAllocator, dnsServerOverride, c.enqueueRule, v4Enabled, v6Enabled, gwPort, clock.RealClock{}, minTTL); err != nil {
 			return nil, err
 		}
 

pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go

@@ -105,7 +105,8 @@ func newTestController() (*Controller, *fake.Clientset, *mockReconciler) {
 		config.DefaultTunOFPort,
 		&config.NodeConfig{},
 		wait.NewGroup(),
-		l7reconciler)
+		l7reconciler,
+		0)
 	reconciler := newMockReconciler()
 	controller.podReconciler = reconciler
 	controller.auditLogger = nil

pkg/config/agent/config.go

@@ -155,6 +155,10 @@ type AgentConfig struct {
 	// Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
 	// 10.96.0.10:53, [fd00:10:96::a]:53).
 	DNSServerOverride string `yaml:"dnsServerOverride,omitempty"`
+	// The minTTL setting helps address the problem of applications caching DNS response IPs indefinitely.
+	// The Cluster administrators should configure this value, ideally setting it to be equal to or greater than the maximum TTL
+	// value of the application's DNS cache.
+	MinTTL int `yaml:"minTTL,omitempty"`
 	// Cipher suites to use.
 	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
 	// TLS min version.

test/e2e/antreapolicy_test.go

@@ -5270,8 +5270,12 @@ func testAntreaClusterNetworkPolicyStats(t *testing.T, data *TestData) {
 	k8sUtils.Cleanup(namespaces)
 }
 
-// TestFQDNCacheMinTTL tests stable FQDN access for applications with cached DNS resolutions
-// when FQDN NetworkPolicy are in use and the FQDN-to-IP resolution changes frequently.
+// TestFQDNCacheMinTTL ensures stable FQDN access for applications that cache DNS resolutions,
+// even when FQDN-to-IP mappings change frequently, and FQDN-based NetworkPolicies are in use.
+// It validates the functionality of the new minTTL configuration, which is used for scenarios
+// where applications may cache DNS responses beyond the TTL defined in original DNS response.
+// The minTTL value enforces that resolved IPs remain in datapath rules for as long as
+// applications might cache them, thereby preventing intermittent network connectivity issues to the FQDN concerned.
 func TestFQDNCacheMinTTL(t *testing.T) {
 	const (
 		testFQDN = "fqdn-test-pod.lfx.test"
@@ -5368,14 +5372,13 @@ func TestFQDNCacheMinTTL(t *testing.T) {
 	require.NoError(t, data.setPodAnnotation(data.testNamespace, "custom-dns-server", "test.antrea.io/random-value",
 		randSeq(8)), "failed to update custom DNS Pod annotation.")
 
-	// finally verify that Curling the previously cached IP fails after DNS update.
+	// finally verify that Curling the previously cached IP does not fail after DNS update.
 	// The wait time here should be slightly longer than the reload value specified in the custom DNS configuration.
-	// TODO: This assertion currently verifies the issue described in https://github.com/antrea-io/antrea/issues/6229.
-	// It will need to be updated once minTTL support is implemented.
+	// TODO: This assertion verifies the fix to the issue described in https://github.com/antrea-io/antrea/issues/6229.
 	t.Logf("Trying to curl the existing cached IP of the domain: %s", fqdnIP)
 	assert.EventuallyWithT(t, func(t *assert.CollectT) {
 		_, err := curlFQDN(fqdnIP)
-		assert.Error(t, err)
+		assert.NoError(t, err)
 	}, 10*time.Second, 1*time.Second)
 }