Description of problem:
In on-prem installations the regex used to match the cluster API in a node's Corefile is too wide. Any FQDN matching ".*api.<basedomain>" is resolved by coredns' template plugin [1].

[1] https://coredns.io/plugins/template/

Version-Release number of MCO (Machine Config Operator) (if applicable):
$ oc get co machine-config
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
machine-config 4.11.0-0.nightly-2022-03-18-065017 True False False 34m

Platform (AWS, VSphere, Metal, etc.):

Are you certain that the root cause of the issue being reported is the MCO (Machine Config Operator)? (Y/N/Not sure): Y

How reproducible: 100%

Did you catch this issue by running a Jenkins job? If yes, please list:
1. Jenkins job: N/A
2. Profile: N/A

Steps to Reproduce:
1. get cluster's API address
$ oc whoami --show-server
https://api.mycluster.tld:6443

2. resolve any host matching '.*api.<basedomain>': (using non-existing 'myapi.mycluster.tld')
$ oc run -ti --image=registry.redhat.io/openshift4/network-tools-rhel8 test -- /bin/bash
If you don't see a command prompt, try pressing enter.
[root@test /]# nslookup myapi.mycluster.tld
Server: 172.30.0.10
Address: 172.30.0.10#53

Name: myapi.mycluster.tld
Address: 192.168.0.5

[root@test /]# nslookup api.mycluster.tld
Server: 172.30.0.10
Address: 172.30.0.10#53

Name: api.mycluster.tld
Address: 192.168.0.5

[root@test /]# nslookup my.sub.api.mycluster.tld
Server: 172.30.0.10
Address: 172.30.0.10#53

Name: my.sub.api.mycluster.tld
Address: 192.168.0.5

Actual results:
Any '.*api.<basedomain>' FQDN is resolved by coredns' template plugin.

Expected results:
Only exact '^api.<basedomain>' FQDNs should be resolved from a template block.

Additional info:
The regex used in the Corefile template block's match field is too wide:

$ oc debug node/mycluster-wxt6k-worker-0-g5965 -- grep api -B1 -A2 /host/etc/coredns/Corefile
Starting pod/mycluster-wxt6k-worker-0-g5965-debug ...
To use host binaries, run `chroot /host`
    template IN A mycluster.tld {
        match api.mycluster.tld
        answer "{{ .Name }} 60 in {{ .Type }} 192.168.0.5"
        fallthrough
--
    template IN AAAA mycluster.tld {
        match api.mycluster.tld
        fallthrough
    }
    template IN A mycluster.tld {
        match api-int.mycluster.tld
        answer "{{ .Name }} 60 in {{ .Type }} 192.168.0.5"
        fallthrough
--
    template IN AAAA mycluster.tld {
        match api-int.mycluster.tld
        fallthrough
    }
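
Added example, not part of the original report or of the MCO/CoreDNS code: the template plugin's match value is a Go regexp tested against the fully qualified query name, so this sketch runs the report's query names against the reported pattern and against an anchored, dot-escaped pattern. The helpers templateAnswers and answered and the strictPattern value are hypothetical, chosen for illustration; they are not taken from the shipped fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	zone          = "mycluster.tld."          // zone of the template block in the report
	widePattern   = `api.mycluster.tld`       // match value shown in the report's Corefile
	strictPattern = `^api\.mycluster\.tld\.$` // assumed hardened form, not taken from the fix
)

// templateAnswers models the decision of one template block: the query name
// must fall inside the block's zone and the match regex must hit the FQDN.
func templateAnswers(pattern, qname string) bool {
	fqdn := strings.ToLower(qname)
	if !strings.HasSuffix(fqdn, ".") {
		fqdn += "." // the regex sees the fully qualified name, trailing dot included
	}
	if fqdn != zone && !strings.HasSuffix(fqdn, "."+zone) {
		return false // outside the zone: this block is never consulted
	}
	// MatchString is unanchored unless the pattern anchors itself.
	return regexp.MustCompile(pattern).MatchString(fqdn)
}

// answered lists the names from qnames that the block would answer.
func answered(pattern string, qnames []string) []string {
	var hits []string
	for _, q := range qnames {
		if templateAnswers(pattern, q) {
			hits = append(hits, q)
		}
	}
	return hits
}

func main() {
	// Query names from the report, plus api-int, which has its own template block.
	qnames := []string{"api.mycluster.tld", "myapi.mycluster.tld",
		"my.sub.api.mycluster.tld", "api-int.mycluster.tld"}
	fmt.Println("wide:  ", answered(widePattern, qnames))
	fmt.Println("strict:", answered(strictPattern, qnames))
}
```

The same check can be run against the match lines of any node's Corefile to confirm that each pattern answers only the intended name.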
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069