
no-jira: Add localhost resolution within the CoreDNS Corefile for cloud platforms#6228

Open
sadasu wants to merge 1 commit into
openshift:mainfrom
sadasu:custom-dns-localhost-resolution

Conversation


@sadasu sadasu commented Jun 23, 2026


- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

Release Notes

  • New Features
    • CoreDNS now uses a hosts plugin backed by the system /etc/hosts to resolve localhost and localhost.localdomain for both IPv4 (127.0.0.1) and IPv6 (::1), with fallthrough enabled.
    • CoreDNS-related containers (including the config-rendering step and monitoring sidecar) now mount the host /etc/hosts as read-only to ensure consistent localhost resolution.

@openshift-merge-bot


Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@sadasu sadasu changed the title from "Add localhost resolution within the CoreDNS Corefile for cloud platforms" to "no-jira: Add localhost resolution within the CoreDNS Corefile for cloud platforms" Jun 23, 2026
@openshift-ci-robot openshift-ci-robot added the label jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.) Jun 23, 2026
@openshift-ci-robot


@sadasu: This pull request explicitly references no jira issue.

In response to this:

- What I did

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented Jun 23, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a842eee9-e6d4-4f92-af3b-810da7d2f10e

📥 Commits

Reviewing files that changed from the base of the PR and between 4774e1b and 9543674.

📒 Files selected for processing (4)
  • manifests/cloud-platform-alt-dns/coredns-corefile.tmpl
  • manifests/cloud-platform-alt-dns/coredns.yaml
  • templates/common/cloud-platform-alt-dns/files/coredns-corefile.yaml
  • templates/common/cloud-platform-alt-dns/files/coredns.yaml
✅ Files skipped from review due to trivial changes (1)
  • templates/common/cloud-platform-alt-dns/files/coredns-corefile.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • manifests/cloud-platform-alt-dns/coredns.yaml
  • manifests/cloud-platform-alt-dns/coredns-corefile.tmpl
  • templates/common/cloud-platform-alt-dns/files/coredns.yaml

Walkthrough

The CoreDNS static Pod manifest (and its template) gains a hosts-dir hostPath volume backed by the node's /etc/hosts, which is mounted into the render-config, coredns, and coredns-monitor containers. The CoreDNS Corefile (and its template) is updated to use hosts /etc/hosts with explicit 127.0.0.1/::1 localhost entries and fallthrough.

Changes

CoreDNS /etc/hosts integration

Layer: CoreDNS Corefile hosts plugin configuration
Files: templates/common/cloud-platform-alt-dns/files/coredns-corefile.yaml, manifests/cloud-platform-alt-dns/coredns-corefile.tmpl
Summary: The hosts plugin block is updated to reference /etc/hosts explicitly and adds 127.0.0.1 and ::1 mappings for localhost and localhost.localdomain with fallthrough enabled, in both the template and the rendered manifest.

Layer: hosts-dir volume and container mounts
Files: templates/common/cloud-platform-alt-dns/files/coredns.yaml, manifests/cloud-platform-alt-dns/coredns.yaml
Summary: A new hosts-dir hostPath volume backing the host /etc/hosts is defined and mounted read-only at /etc/hosts in the render-config-coredns initContainer, the coredns container, and the coredns-monitor sidecar, across both the template and the rendered manifest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 15 passed
  • Description Check (Passed): Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title clearly describes the main change: adding localhost resolution within the CoreDNS Corefile for cloud platforms, which matches the modifications across all four files that implement this functionality.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): This PR contains no Ginkgo test files or test definitions. The changes are limited to CoreDNS configuration templates and Kubernetes manifests, so the stable test names check does not apply.
  • Test Structure And Quality (Passed): PR contains only CoreDNS configuration and manifest files, not Ginkgo test code. Check is not applicable to configuration-only changes.
  • Microshift Test Compatibility (Passed): This PR does not add any new Ginkgo e2e tests. The changes consist entirely of configuration files: CoreDNS corefile templates and Kubernetes Pod manifests for cloud-platform-alt-dns, with no test...
  • Single Node Openshift (Sno) Test Compatibility (Passed): PR contains no Ginkgo e2e tests; only CoreDNS configuration and Pod manifest changes. Check is not applicable.
  • Topology-Aware Scheduling Compatibility (Passed): This PR only adds DNS configuration to CoreDNS (hosts file support) via volume mounts. It does not introduce scheduling constraints (no affinity rules, node selectors, topology spread, or PDB chang...
  • Ote Binary Stdout Contract (Passed): Pull request modifies only configuration files (YAML/templates) for CoreDNS with no Go source code or executable binary code that could violate the OTE stdout contract.
  • Ipv6 And Disconnected Network Test Compatibility (Passed): PR does not add Ginkgo e2e tests; it only modifies CoreDNS configuration files (YAML manifests and templates). The custom check is not applicable.
  • No-Weak-Crypto (Passed): PR modifies only CoreDNS configuration files for localhost resolution; no weak crypto algorithms, custom crypto implementations, or secret comparisons are present.
  • Container-Privileges (Passed): PR only adds read-only /etc/hosts volume mounts to existing CoreDNS pods. All privilege settings (privileged: true, hostNetwork: true, openshift.io/required-scc: privileged) were pre-existing in ma...
  • No-Sensitive-Data-In-Logs (Passed): PR contains only CoreDNS configuration changes that add localhost resolution via hosts plugin. No logging statements exposing passwords, tokens, API keys, PII, or other sensitive data were introduced.


@openshift-ci openshift-ci Bot requested review from proietfb and sergiordlr June 23, 2026 20:41

openshift-ci Bot commented Jun 23, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sadasu
Once this PR has been reviewed and has the lgtm label, please assign djoshy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
templates/common/cloud-platform-alt-dns/files/coredns.yaml (1)

31-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Constrain hostPath type for /etc/hosts to a file.

Line 31-33 should set hostPath.type: File to prevent accidental/non-file path binding and tighten hostPath behavior.

Suggested patch
       - name: hosts-dir
         hostPath:
           path: "/etc/hosts"
+          type: File
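Review bot: the suggested `type: File` is the right tightening (with `type` left unset, kubelet performs no check on what sits at `/etc/hosts` before binding it), but it only constrains what the volume points at; the containers can still write to the node's `/etc/hosts` through this volume unless every `volumeMounts` entry for `hosts-dir` also carries `readOnly: true`, which the inline comments in this review request separately. Note also that `File` requires the file to already exist on the node, so a node without `/etc/hosts` would fail to start this static pod instead of silently binding something else.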
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@templates/common/cloud-platform-alt-dns/files/coredns.yaml` around lines 31 -
33, The hosts-dir volume in the coredns.yaml file is using a hostPath without
specifying a type constraint. Add a type field with the value File to the
hostPath object for the hosts-dir volume (lines 31-33) to explicitly specify
that the path must be a file, preventing accidental binding to non-file paths
and improving security posture.
manifests/cloud-platform-alt-dns/coredns.yaml (1)

27-29: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden hostPath with type: File.

Line 27-29 should explicitly set type: File for /etc/hosts to enforce expected path kind.

Suggested patch
   - name: hosts-dir
     hostPath:
       path: "/etc/hosts"
+      type: File
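Review bot: same change as suggested for the template file above; `manifests/cloud-platform-alt-dns/coredns.yaml` is the rendered counterpart of `templates/common/cloud-platform-alt-dns/files/coredns.yaml`, so `type: File` has to land in both or the committed manifest and its template disagree on the volume definition. As the indentation of the suggestion shows, `type: File` belongs at the same level as `path: "/etc/hosts"` under `hostPath:`.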
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/cloud-platform-alt-dns/coredns.yaml` around lines 27 - 29, The
hostPath volume definition for the hosts-dir volume mounting /etc/hosts lacks an
explicit type specification, which should be hardened for security and clarity.
Add the type field with value File to the hostPath configuration to explicitly
enforce that the path refers to a file rather than leaving it unspecified. This
makes the expected path kind explicit and hardens the volume definition.
🤖 Prompt for all review comments with AI agents

Inline comments:
In `@manifests/cloud-platform-alt-dns/coredns.yaml`:
- Around line 61-63: The hosts-dir volume mount at mountPath "/etc/hosts" lacks
the readOnly: true flag, violating least-privilege principles for hostPath
access. Add readOnly: true to the volumeMounts entry for the hosts-dir volume to
make the mount read-only. This same issue appears in two locations (line 62 and
line 81), so apply the readOnly: true flag to both hosts-dir volumeMounts
entries to ensure all containers can only read (not modify) the node's
/etc/hosts file.

In `@templates/common/cloud-platform-alt-dns/files/coredns.yaml`:
- Around line 65-67: The volumeMount entries for the hosts-dir volume that
mounts /etc/hosts are missing the readOnly: true property, which violates
least-privilege security principles by allowing containers to mutate the host's
/etc/hosts file. Add readOnly: true to all volumeMount definitions where name is
hosts-dir and mountPath is /etc/hosts to enforce read-only access across all
occurrences in the manifest.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0980aac9-50c4-4ec7-a84e-f42774daf93f

📥 Commits

Reviewing files that changed from the base of the PR and between 92c3188 and 4774e1b.

📒 Files selected for processing (4)
  • manifests/cloud-platform-alt-dns/coredns-corefile.tmpl
  • manifests/cloud-platform-alt-dns/coredns.yaml
  • templates/common/cloud-platform-alt-dns/files/coredns-corefile.yaml
  • templates/common/cloud-platform-alt-dns/files/coredns.yaml
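The two hostPath hardening points raised in this review (type: File on the hosts-dir volume, readOnly: true on every mount of it, init containers included) can be enforced mechanically. The following is an added example written for this page, not code from the PR or the OpenShift repository; it assumes the Pod manifest has already been parsed into a Python dict, and the embedded COREDNS_POD is a constructed sample shaped like the page's coredns.yaml, not the real file.

```python
import copy

# Constructed sample shaped like the PR's coredns.yaml (not the real manifest):
# a hostPath volume for /etc/hosts mounted into the init container, the coredns
# container and the monitor sidecar, plus an unrelated emptyDir volume.
COREDNS_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "coredns"}, "spec": {
    "volumes": [{"name": "hosts-dir", "hostPath": {"path": "/etc/hosts"}},
                {"name": "conf-dir", "emptyDir": {}}],
    "initContainers": [{"name": "render-config-coredns", "volumeMounts": [
        {"name": "hosts-dir", "mountPath": "/etc/hosts"},
        {"name": "conf-dir", "mountPath": "/etc/coredns"}]}],
    "containers": [{"name": "coredns", "volumeMounts": [{"name": "hosts-dir", "mountPath": "/etc/hosts"}]},
                   {"name": "coredns-monitor", "volumeMounts": [
                       {"name": "hosts-dir", "mountPath": "/etc/hosts", "readOnly": True}]}],
}}


def check_hostpath_mounts(pod):
    """Return findings for hostPath volumes lacking type: File or mounted writable."""
    spec, findings, hostpaths = pod["spec"], [], set()
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue  # emptyDir, configMap etc. do not expose the node filesystem
        hostpaths.add(vol["name"])
        # With type unset, kubelet performs no check on what the path is before binding it.
        if hp.get("type") != "File":
            findings.append(f"volume {vol['name']}: hostPath {hp.get('path')} type {hp.get('type')!r}, want 'File'")
    # Init containers count too: render-config-coredns mounts the same volume.
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        for mnt in ctr.get("volumeMounts", []):
            if mnt["name"] in hostpaths and mnt.get("readOnly") is not True:
                findings.append(f"container {ctr['name']}: {mnt['mountPath']} mounts {mnt['name']} writable")
    return findings


def harden(pod):
    """Copy of pod with type: File on each hostPath volume and readOnly: true on its mounts."""
    fixed = copy.deepcopy(pod)
    names = set()
    for vol in fixed["spec"].get("volumes", []):
        if "hostPath" in vol:
            vol["hostPath"]["type"] = "File"
            names.add(vol["name"])
    for ctr in fixed["spec"].get("initContainers", []) + fixed["spec"].get("containers", []):
        for mnt in ctr.get("volumeMounts", []):
            if mnt["name"] in names:
                mnt["readOnly"] = True
    return fixed
```

On the sample, check_hostpath_mounts reports the untyped volume and the two writable mounts (init container and coredns) while leaving the already read-only monitor mount alone; after harden it reports nothing.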

@sadasu sadasu force-pushed the custom-dns-localhost-resolution branch from 4774e1b to 9543674 June 23, 2026 21:17

openshift-ci Bot commented Jun 23, 2026


@sadasu: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
