Removes PQDNs from conformance tests and places them in their own tests

[nagiesek]

What type of PR is this?

/kind failing-test

What this PR does / why we need it:
Windows assumes any DNS query PQDN with a "." in it to be fully qualified. It's possible to fix this, but it is likely that doing so would break expectations of applications on Windows. After consulting with SIG-Network, we came to the conclusion that conformance tests shouldn't break this assumption nor be tied to the behavioral nuances of a DNS resolver of a specific OS. We propose to separate the current DNS conformance tests as follows:"

• Keep existing test assertions that test PQDN DNS queries not containing ".".
• Keep existing test assertions that perform FQDN DNS queries.
• For any test assertions that use PQDN DNS queries containing ".":
  • Replace those test assertions in the conformance test with an equivalent FQDN DNS query.
  • Move those test assertions into a new (non-conformance) test.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:
/sig testing
/area conformance

Does this PR introduce a user-facing change?:
NONE

[k8s-ci-robot]

@nagiesek: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[nagiesek]

@daschott @dineshgovindasamy

[dineshgovindasamy]

/sig windows

[dineshgovindasamy]

@nagiesek can you please sign the CLA?

[dineshgovindasamy]

/ok-to-test

[dineshgovindasamy]

/sig network

[nagiesek]

Should be verified now?

[dineshgovindasamy]

@thockin Based on SIG-NETWORK feedback, we have split these tests into conformance and non-conformance tests. Could you please review and provide feedback?

[spiffxp]

/retest

[daschott]

Even with this fix-up, the 2 DNS tests will not pass because they use the dig cmdlet, which isn't honoring DNS SearchList RegKeys in Windows containers. That being said, we still rely on this getting in (otherwise we would be forced to change the behavior of the DNS resolver itself on Windows).

In a nutshell, to pass the tests on Windows after getting this in, we further need to do one of either alternatives:

1. If possible, fix up the implementation of the dig tool on Windows to not rely on Linux-specific files (/etc/hosts, see #70189)
2. (Better) For Windows, decouple the test from the dig cmdlet that isn't an accurate representation of default Windows DNS behavior, and migrate to a tool representative of the user experience such as resolve-dnsname while still capturing the intended test requirement.

[thockin]

I'm really torn about this behavior. Almost every example in the world that deals with service resolution in Kubernetes is using shortened examples like kubernetes.default. Without that ability we almost certainly need to be able to plumb the cluster suffix through downward-API.

What is the expected breakage if we actually fixed this in the Windows side?

[daschott]

@thockin The DNS resolver is a shared component that is used by applications running on Windows OS in general, so any changes need to be carefully examined. I talked to the Windows DNS team and we filed a work-item for the next Windows release to add a configuration parameter to make the behavior consistent with Linux. I'm not 100% confident this behavior may change by default for fear of possibly breaking networking for existing applications, but there should be some configuration we can set for containers at least.

In the meanwhile, can we make [SIG-Windows] tests that are outside of conformance and use Test-NetConnection or resolve-dnsname Windows cmdlets instead of changing the official conformance tests? The alternative is that we hack around with the dig binary to make it work correctly on Windows, which probably isn't as close of a representation as possible of the use-cases for the typical Windows application :)

[thockin]

I guess I can cope with this. We should probably add a downwardAPI for cluster suffix.

[thockin]

/lgtm
/approve

[PatrickLang]

/milestone v1.14

[claudiubelu]

/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-integration

[claudiubelu]

/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-kops-aws

[claudiubelu]

/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-godeps

[claudiubelu]

/test pull-kubernetes-godeps

[claudiubelu]

/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-kops-aws

[k8s-ci-robot]

@nagiesek: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-kops-aws	1a7e07b	link	/test pull-kubernetes-e2e-kops-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[claudiubelu]

kubernetes.default.svc.cluster is not supposed to be resolvable. That would mean that local would also be a DNS suffix, which is not. Also, as you can see, you've removed only kubernetes.default and kubernetes.default.svc from should provide DNS for the cluster while you're adding 3 here.

This is causing the test to fail.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nagiesek, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/e2e/network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dims]

/release-note-none

[dims]

re-applying lgtm from @thockin

/lgtm