remove criticalhostsentry

Author: saewoni

aks-node-controller/parser/helper.go

@@ -803,41 +803,6 @@ func getLocalDnsMemoryLimitInMb(aksnodeconfig *aksnodeconfigv1.Configuration) st
 	return defaultLocalDnsMemoryLimitInMb
 }
 
-// getCriticalHostsEntriesContent returns the critical hosts entries formatted as a hosts file content.
-// Returns empty string if no entries are provided by AKS-RP.
-// AKS-RP provides these entries at provisioning time, and CSE writes them to /etc/localdns/hosts.
-func getCriticalHostsEntriesContent(aksnodeconfig *aksnodeconfigv1.Configuration) string {
-	if aksnodeconfig == nil || aksnodeconfig.GetLocalDnsProfile() == nil {
-		return ""
-	}
-	entries := aksnodeconfig.GetLocalDnsProfile().GetCriticalHostsEntries()
-	if len(entries) == 0 {
-		return ""
-	}
-
-	var content strings.Builder
-	content.WriteString("# AKS critical FQDN addresses provided by AKS-RP\n")
-	content.WriteString("# This file is written by CSE during node provisioning\n\n")
-
-	// Sort FQDNs for deterministic output
-	fqdns := make([]string, 0, len(entries))
-	for fqdn := range entries {
-		fqdns = append(fqdns, fqdn)
-	}
-	sort.Strings(fqdns)
-
-	for _, fqdn := range fqdns {
-		entry := entries[fqdn]
-		content.WriteString(fmt.Sprintf("# %s\n", fqdn))
-		for _, ip := range entry.GetIpAddresses() {
-			content.WriteString(fmt.Sprintf("%s %s\n", ip, fqdn))
-		}
-		content.WriteString("\n")
-	}
-
-	return base64.StdEncoding.EncodeToString([]byte(content.String()))
-}
-
 // ---------------------- End of localdns related helper code ----------------------//
 
 // ---------------------- Start of cse timeout helper code ----------------------//

aks-node-controller/parser/helper_test.go

@@ -1811,103 +1811,3 @@ func Test_getLocalDnsMemoryLimitInMb(t *testing.T) {
 		})
 	}
 }
-
-func Test_getCriticalHostsEntriesContent(t *testing.T) {
-	type args struct {
-		aksnodeconfig *aksnodeconfigv1.Configuration
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{
-			name: "nil config",
-			args: args{aksnodeconfig: nil},
-			want: "",
-		},
-		{
-			name: "nil LocalDnsProfile",
-			args: args{aksnodeconfig: &aksnodeconfigv1.Configuration{}},
-			want: "",
-		},
-		{
-			name: "empty CriticalHostsEntries",
-			args: args{aksnodeconfig: &aksnodeconfigv1.Configuration{
-				LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-					EnableLocalDns:       true,
-					CriticalHostsEntries: map[string]*aksnodeconfigv1.CriticalHostsEntry{},
-				},
-			}},
-			want: "",
-		},
-		{
-			name: "single FQDN with single IP",
-			args: args{aksnodeconfig: &aksnodeconfigv1.Configuration{
-				LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-					EnableLocalDns: true,
-					CriticalHostsEntries: map[string]*aksnodeconfigv1.CriticalHostsEntry{
-						"mcr.microsoft.com": {IpAddresses: []string{"20.61.99.68"}},
-					},
-				},
-			}},
-			want: func() string {
-				content := "# AKS critical FQDN addresses provided by AKS-RP\n" +
-					"# This file is written by CSE during node provisioning\n\n" +
-					"# mcr.microsoft.com\n" +
-					"20.61.99.68 mcr.microsoft.com\n\n"
-				return base64.StdEncoding.EncodeToString([]byte(content))
-			}(),
-		},
-		{
-			name: "single FQDN with multiple IPs",
-			args: args{aksnodeconfig: &aksnodeconfigv1.Configuration{
-				LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-					EnableLocalDns: true,
-					CriticalHostsEntries: map[string]*aksnodeconfigv1.CriticalHostsEntry{
-						"mcr.microsoft.com": {IpAddresses: []string{"20.61.99.68", "2603:1061:1002::2"}},
-					},
-				},
-			}},
-			want: func() string {
-				content := "# AKS critical FQDN addresses provided by AKS-RP\n" +
-					"# This file is written by CSE during node provisioning\n\n" +
-					"# mcr.microsoft.com\n" +
-					"20.61.99.68 mcr.microsoft.com\n" +
-					"2603:1061:1002::2 mcr.microsoft.com\n\n"
-				return base64.StdEncoding.EncodeToString([]byte(content))
-			}(),
-		},
-		{
-			name: "multiple FQDNs sorted alphabetically",
-			args: args{aksnodeconfig: &aksnodeconfigv1.Configuration{
-				LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-					EnableLocalDns: true,
-					CriticalHostsEntries: map[string]*aksnodeconfigv1.CriticalHostsEntry{
-						"mcr.microsoft.com":         {IpAddresses: []string{"20.61.99.68"}},
-						"login.microsoftonline.com": {IpAddresses: []string{"20.190.160.1"}},
-						"acs-mirror.azureedge.net":  {IpAddresses: []string{"152.199.19.161"}},
-					},
-				},
-			}},
-			want: func() string {
-				content := "# AKS critical FQDN addresses provided by AKS-RP\n" +
-					"# This file is written by CSE during node provisioning\n\n" +
-					"# acs-mirror.azureedge.net\n" +
-					"152.199.19.161 acs-mirror.azureedge.net\n\n" +
-					"# login.microsoftonline.com\n" +
-					"20.190.160.1 login.microsoftonline.com\n\n" +
-					"# mcr.microsoft.com\n" +
-					"20.61.99.68 mcr.microsoft.com\n\n"
-				return base64.StdEncoding.EncodeToString([]byte(content))
-			}(),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := getCriticalHostsEntriesContent(tt.args.aksnodeconfig); got != tt.want {
-				t.Errorf("getCriticalHostsEntriesContent() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

aks-node-controller/parser/parser.go

@@ -174,7 +174,6 @@ func getCSEEnv(config *aksnodeconfigv1.Configuration) map[string]string {
 		"LOCALDNS_CPU_LIMIT":                                 getLocalDnsCpuLimitInPercentage(config),
 		"LOCALDNS_MEMORY_LIMIT":                              getLocalDnsMemoryLimitInMb(config),
 		"LOCALDNS_GENERATED_COREFILE":                        getLocalDnsCorefileBase64(config),
-		"LOCALDNS_CRITICAL_HOSTS_ENTRIES":                    getCriticalHostsEntriesContent(config),
 		"DISABLE_PUBKEY_AUTH":                                fmt.Sprintf("%v", config.GetDisablePubkeyAuth()),
 		"SERVICE_ACCOUNT_IMAGE_PULL_ENABLED":                 fmt.Sprintf("%v", config.GetServiceAccountImagePullProfile().GetEnabled()),
 		"SERVICE_ACCOUNT_IMAGE_PULL_DEFAULT_CLIENT_ID":       config.GetServiceAccountImagePullProfile().GetDefaultClientId(),

aks-node-controller/parser/parser_test.go

@@ -348,48 +348,6 @@ func TestBuildCSECmd_SetsServicePrincipalFileContent(t *testing.T) {
 	assert.Equal(t, secret, vars["SERVICE_PRINCIPAL_FILE_CONTENT"])
 }
 
-func TestBuildCSECmd_SetsLocalDNSCriticalHostsEntries(t *testing.T) {
-	t.Run("empty when no LocalDnsProfile", func(t *testing.T) {
-		cmd, err := BuildCSECmd(context.TODO(), &aksnodeconfigv1.Configuration{})
-		require.NoError(t, err)
-		vars := environToMap(cmd.Env)
-		assert.Equal(t, "", vars["LOCALDNS_CRITICAL_HOSTS_ENTRIES"])
-	})
-
-	t.Run("empty when CriticalHostsEntries is nil", func(t *testing.T) {
-		cmd, err := BuildCSECmd(context.TODO(), &aksnodeconfigv1.Configuration{
-			LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-				EnableLocalDns: true,
-			},
-		})
-		require.NoError(t, err)
-		vars := environToMap(cmd.Env)
-		assert.Equal(t, "", vars["LOCALDNS_CRITICAL_HOSTS_ENTRIES"])
-	})
-
-	t.Run("populated when CriticalHostsEntries has entries", func(t *testing.T) {
-		cmd, err := BuildCSECmd(context.TODO(), &aksnodeconfigv1.Configuration{
-			LocalDnsProfile: &aksnodeconfigv1.LocalDnsProfile{
-				EnableLocalDns: true,
-				CriticalHostsEntries: map[string]*aksnodeconfigv1.CriticalHostsEntry{
-					"mcr.microsoft.com": {IpAddresses: []string{"20.61.99.68"}},
-				},
-			},
-		})
-		require.NoError(t, err)
-		vars := environToMap(cmd.Env)
-
-		encoded := vars["LOCALDNS_CRITICAL_HOSTS_ENTRIES"]
-		assert.NotEmpty(t, encoded)
-
-		decoded, err := base64.StdEncoding.DecodeString(encoded)
-		require.NoError(t, err)
-		content := string(decoded)
-		assert.Contains(t, content, "20.61.99.68 mcr.microsoft.com")
-		assert.Contains(t, content, "# mcr.microsoft.com")
-	})
-}
-
 func TestAKSNodeConfigCompatibilityFromJsonToCSECommand(t *testing.T) {
 	tests := []struct {
 		name      string

aks-node-controller/proto/aksnodeconfig/v1/localdns_config.proto

@@ -20,16 +20,8 @@ message LocalDnsProfile {
   // KubeDns overrides apply to DNS traffic from pods with dnsPolicy:ClusterFirst (referred to as KubeDns traffic).
   map<string, LocalDnsOverrides> kube_dns_overrides = 5;
 
-  // CriticalHostsEntries contains FQDN to IP address mappings for critical Azure infrastructure.
-  // AKS-RP provides these entries at provisioning time, and CSE writes them to /etc/localdns/hosts.
-  // Key is the FQDN (e.g., "mcr.microsoft.com"), value contains the IP addresses.
-  map<string, CriticalHostsEntry> critical_hosts_entries = 6;
-}
-
-// Represents IP addresses for a critical FQDN.
-message CriticalHostsEntry {
-  // IP addresses (both IPv4 and IPv6) for the FQDN.
-  repeated string ip_addresses = 1;
+  // Field 6 was critical_hosts_entries, removed.
+  reserved 6;
 }
 
 // Represents DNS override settings for both VnetDNS and KubeDNS traffic.

parts/linux/cloud-init/artifacts/cse_cmd.sh

@@ -186,7 +186,6 @@ SHOULD_ENABLE_LOCALDNS="{{ShouldEnableLocalDNS}}"
 LOCALDNS_CPU_LIMIT="{{GetLocalDNSCPULimitInPercentage}}"
 LOCALDNS_MEMORY_LIMIT="{{GetLocalDNSMemoryLimitInMB}}"
 LOCALDNS_GENERATED_COREFILE="{{GetGeneratedLocalDNSCoreFile}}"
-LOCALDNS_CRITICAL_HOSTS_ENTRIES="{{GetCriticalHostsEntriesBase64}}"
 PRE_PROVISION_ONLY="{{GetPreProvisionOnly}}"
 CSE_TIMEOUT="{{GetCSETimeout}}"
 /usr/bin/nohup /bin/bash -c "/bin/bash /opt/azure/containers/provision_start.sh"

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -1199,20 +1199,10 @@ enableLocalDNS() {
 enableAKSHostsSetup() {
     local hosts_file="/etc/localdns/hosts"
 
-    # Check if AKS-RP provided critical hosts entries
-    # AKS-RP provides IP addresses for critical FQDNs at provisioning time
-    if [ -n "${LOCALDNS_CRITICAL_HOSTS_ENTRIES}" ]; then
-        echo "AKS-RP provided critical hosts entries, writing to ${hosts_file}..."
-        mkdir -p "$(dirname "${hosts_file}")"
-        echo "${LOCALDNS_CRITICAL_HOSTS_ENTRIES}" | base64 -d > "${hosts_file}"
-        chmod 644 "${hosts_file}"
-        echo "Critical hosts entries written from AKS-RP."
-    else
-        # Run the script once immediately to resolve live DNS before kubelet starts
-        echo "Running initial aks-hosts-setup to resolve DNS..."
-        mkdir -p "$(dirname "${hosts_file}")"
-        /opt/azure/containers/aks-hosts-setup.sh || echo "Warning: Initial hosts setup failed"
-    fi
+    # Run the script once immediately to resolve live DNS before kubelet starts
+    echo "Running initial aks-hosts-setup to resolve DNS..."
+    mkdir -p "$(dirname "${hosts_file}")"
+    /opt/azure/containers/aks-hosts-setup.sh || echo "Warning: Initial hosts setup failed"
 
     # Enable the timer for periodic refresh (every 15 minutes)
     # This will update the hosts file with fresh IPs from live DNS

pkg/agent/baker.go

@@ -1221,13 +1221,6 @@ func getContainerServiceFuncMap(config *datamodel.NodeBootstrappingConfiguration
 		"GetLocalDNSMemoryLimitInMB": func() string {
 			return profile.GetLocalDNSMemoryLimitInMB()
 		},
-		"GetCriticalHostsEntriesBase64": func() string {
-			content := profile.GetCriticalHostsEntriesContent()
-			if content == "" {
-				return ""
-			}
-			return base64.StdEncoding.EncodeToString([]byte(content))
-		},
 		"GetPreProvisionOnly": func() bool { return config.PreProvisionOnly },
 		"GetCSETimeout":       func() string { return datamodel.GetCSETimeout(config.CSETimeout) },
 		"BlockIptables": func() bool {

pkg/agent/datamodel/types.go

@@ -2435,11 +2435,6 @@ type LocalDNSProfile struct {
 	MemoryLimitInMB      *int32                        `json:"memoryLimitInMB,omitempty"`
 	VnetDNSOverrides     map[string]*LocalDNSOverrides `json:"vnetDNSOverrides,omitempty"`
 	KubeDNSOverrides     map[string]*LocalDNSOverrides `json:"kubeDNSOverrides,omitempty"`
-	// CriticalHostsEntries contains FQDN to IP address mappings for critical Azure infrastructure.
-	// AKS-RP provides these entries at provisioning time, and CSE writes them to /etc/localdns/hosts.
-	// Format: map[fqdn][]ipAddresses (supports both IPv4 and IPv6)
-	// Example: {"mcr.microsoft.com": ["20.61.99.68", "2603:1061:1002::2"]}
-	CriticalHostsEntries map[string][]string `json:"criticalHostsEntries,omitempty"`
 }
 
 type LocalDNSCoreFileData struct {
@@ -2527,35 +2522,4 @@ func (a *AgentPoolProfile) GetLocalDNSCoreFileData() LocalDNSCoreFileData {
 	return LocalDNSCoreFileData{}
 }
 
-// GetCriticalHostsEntriesContent returns the critical hosts entries formatted as a hosts file content.
-// Returns empty string if no entries are configured by AKS-RP.
-// Format: "IP FQDN\n" for each entry (multiple IPs per FQDN supported).
-func (a *AgentPoolProfile) GetCriticalHostsEntriesContent() string {
-	if a.LocalDNSProfile == nil || len(a.LocalDNSProfile.CriticalHostsEntries) == 0 {
-		return ""
-	}
-
-	var content strings.Builder
-	content.WriteString("# AKS critical FQDN addresses provided by AKS-RP\n")
-	content.WriteString("# This file is written by CSE during node provisioning\n\n")
-
-	// Sort FQDNs for deterministic output
-	fqdns := make([]string, 0, len(a.LocalDNSProfile.CriticalHostsEntries))
-	for fqdn := range a.LocalDNSProfile.CriticalHostsEntries {
-		fqdns = append(fqdns, fqdn)
-	}
-	sort.Strings(fqdns)
-
-	for _, fqdn := range fqdns {
-		ips := a.LocalDNSProfile.CriticalHostsEntries[fqdn]
-		content.WriteString(fmt.Sprintf("# %s\n", fqdn))
-		for _, ip := range ips {
-			content.WriteString(fmt.Sprintf("%s %s\n", ip, fqdn))
-		}
-		content.WriteString("\n")
-	}
-
-	return content.String()
-}
-
 // ----------------------- End of changes related to localdns ------------------------------------------.