Fluentbit DNS netpol does not allow port 5353 for Openshift

Fluentbit DNS netpol does not allow port 5353 for Openshift

Looking at the DNS netpol here: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/blob/41c1d1c577cfc9e505d27408f462af565497fd5a/chart/templates/bigbang/networkpolicies/allow-dns-lookups.yaml#L16 Only port 53 is allowed. Openshift needs port 5353 for DNS lookups.

Using BB 1.11.0, Openshift 4.6.4

assigned to @kenna81

assigned to @ryan.j.garcia

added BB Customer Issues fluentbit labels

added Good First Issue label

Refer to the Gitlab MRs for how to do it. Carefully review the changes that were made.
Gitlab Package MR example
https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/merge_requests/54/diffs
BigBang MR example
https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/664/diffs

set weight to 1

changed milestone to %1.13.0

changed milestone to %1.14.0

changed iteration to Big Bang Iterations Jul 27, 2021 - Aug 9, 2021

unassigned @kenna81 and @ryan.j.garcia

changed iteration to Big Bang Iterations Jul 13, 2021 - Jul 26, 2021

changed milestone to %1.13.0

changed milestone to %1.14.0

changed iteration to Big Bang Iterations Jul 27, 2021 - Aug 9, 2021

assigned to @blloyd

added statusdoing label

changed iteration to Big Bang Iterations Jul 13, 2021 - Jul 26, 2021

mentioned in merge request !677 (closed)

Submitted MR:

https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/merge_requests/26

Will submit BB MR when approved

added statusreview label and removed statusdoing label

mentioned in merge request !725 (merged)

closed

removed statusreview label

reopened

The fluentbit helm chart was updated with the correct fix in this commit: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/commit/f53dff90d51541c63c38896212c6529ab445f1d9#89a6ae26225197a9935e69790fcfba430c163b29_19_21

However, the bigbang helm chart does not pass the openshift flag from the bigbang values file to the fluentbit values secret here: https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/master/chart/templates/logging/fluentbit/values.yaml

Changing this:

{{- if .Values.openshift }}
podSecurityContext:
  seLinuxOptions:
    type: "spc_t"
{{- end }}

to this should correct this.

{{- if .Values.openshift }}
openshift: true
podSecurityContext:
  seLinuxOptions:
    type: "spc_t"
{{- end }}

Without this fix, the fluentbit netpol does not have the correct DNS port/protocol for OpenShift DNS (5353).

mentioned in merge request !1221 (merged)

added statusreview label

closed with merge request !1221 (merged)

mentioned in commit 87be2700

removed statusreview label