feat(network): add resolv.conf path customization

Adds configuration to customize resolv.conf file paths
for pod and node DNS resolution in network disruptions.

Users can now override default paths via Helm values,
ConfigMap, or CLI flags to support different Kubernetes
distributions (systemd-resolved, NetworkManager, etc.).

Configuration:
- injector.networkDisruption.dnsPodResolvConf
- injector.networkDisruption.dnsNodeResolvConf

Defaults: /etc/resolv.conf (pod),
          /mnt/host/etc/resolv.conf (node)

Logs show which resolv.conf files are loaded with their
nameservers for debugging.

Jira: CHAOSPLT-1359

Author: aymericDD

chart/templates/configmap.yaml

@@ -129,15 +129,21 @@ data:
       {{- end }}
       serviceAccount: {{ .Values.injector.serviceAccount | quote }}
       chaosNamespace: {{ .Values.chaosNamespace | quote }}
-      {{- if .Values.injector.networkDisruption.allowedHosts }}
       networkDisruption:
         hostResolveInterval: {{ .Values.injector.networkDisruption.hostResolveInterval | quote }}
+        {{- if .Values.injector.networkDisruption.allowedHosts }}
         allowedHosts:
           {{- range $index, $allowedHost := .Values.injector.networkDisruption.allowedHosts }}
           {{ $v := printf "%s;%v;%s;%s" ($allowedHost.host | default "") ($allowedHost.port | default "") ($allowedHost.protocol | default "") ($allowedHost.flow | default "") -}}
           - {{ tpl $v $ }}
           {{- end }}
-      {{- end }}
+        {{- end }}
+        {{- if .Values.injector.networkDisruption.dnsPodResolvConf }}
+        dnsPodResolvConf: {{ .Values.injector.networkDisruption.dnsPodResolvConf | quote }}
+        {{- end }}
+        {{- if .Values.injector.networkDisruption.dnsNodeResolvConf }}
+        dnsNodeResolvConf: {{ .Values.injector.networkDisruption.dnsNodeResolvConf | quote }}
+        {{- end }}
     handler:
       image: {{ template "chaos-controller.format-image" deepCopy .Values.global.chaos.defaultImage | merge .Values.global.oci | merge .Values.handler.image }}
       enabled: {{ .Values.handler.enabled }}

chart/values.yaml

@@ -132,6 +132,8 @@ injector:
     #     port: 81
     #     protocol: tcp
     #     flow: ingress
+    dnsPodResolvConf: "/etc/resolv.conf" # path for pod DNS resolv.conf
+    dnsNodeResolvConf: "/mnt/host/run/systemd/resolve/resolv.conf" # path for node DNS resolv.conf
 handler:
   image:
     repo: chaos-handler

cli/injector/network_disruption.go

@@ -32,6 +32,8 @@ var networkDisruptionCmd = &cobra.Command{
 		hostResolveInterval, _ := cmd.Flags().GetDuration("host-resolve-interval")
 		methods, _ := cmd.Flags().GetStringArray("method")
 		paths, _ := cmd.Flags().GetStringArray("path")
+		dnsPodResolvConf, _ := cmd.Flags().GetString("dns-pod-resolv-conf")
+		dnsNodeResolvConf, _ := cmd.Flags().GetString("dns-node-resolv-conf")
 
 		// prepare injectors
 		for i, config := range configs {
@@ -80,7 +82,12 @@ var networkDisruptionCmd = &cobra.Command{
 			}
 
 			// generate injector
-			inj, err := injector.NewNetworkDisruptionInjector(spec, injector.NetworkDisruptionInjectorConfig{Config: config, HostResolveInterval: hostResolveInterval})
+			inj, err := injector.NewNetworkDisruptionInjector(spec, injector.NetworkDisruptionInjectorConfig{
+				Config:              config,
+				HostResolveInterval: hostResolveInterval,
+				DNSPodResolvConf:    dnsPodResolvConf,
+				DNSNodeResolvConf:   dnsNodeResolvConf,
+			})
 			if err != nil {
 				log.Fatalw("error initializing the network disruption injector: %w", err)
 			}
@@ -103,4 +110,6 @@ func init() {
 	networkDisruptionCmd.Flags().Duration("host-resolve-interval", time.Minute, "Interval to resolve hostnames")
 	networkDisruptionCmd.Flags().StringArray("method", []string{}, "Filter by http method: GET, DELETE, POST, CREATE, PUT, HEAD, PATCH, CONNECT, OPTIONS or TRACE")
 	networkDisruptionCmd.Flags().StringArray("path", []string{v1beta1.DefaultHTTPPathFilter}, "Filter by path and must not exceed 100 characters")
+	networkDisruptionCmd.Flags().String("dns-pod-resolv-conf", "", "Path to pod DNS resolv.conf file (defaults to /etc/resolv.conf)")
+	networkDisruptionCmd.Flags().String("dns-node-resolv-conf", "", "Path to node DNS resolv.conf file (defaults to /mnt/host/etc/resolv.conf)")
 }

config/config.go

@@ -99,6 +99,8 @@ type Toleration struct {
 type injectorNetworkDisruptionConfig struct {
 	AllowedHosts        []string      `json:"allowedHosts" yaml:"allowedHosts"`
 	HostResolveInterval time.Duration `json:"hostResolveInterval" yaml:"hostResolveInterval"`
+	DNSPodResolvConf    string        `json:"dnsPodResolvConf" yaml:"dnsPodResolvConf"`
+	DNSNodeResolvConf   string        `json:"dnsNodeResolvConf" yaml:"dnsNodeResolvConf"`
 }
 
 type handlerConfig struct {
@@ -338,6 +340,18 @@ func New(client corev1client.ConfigMapInterface, logger *zap.SugaredLogger, osAr
 		return cfg, err
 	}
 
+	mainFS.StringVar(&cfg.Injector.NetworkDisruption.DNSPodResolvConf, "injector-network-disruption-dns-pod-resolv-conf", "/etc/resolv.conf", "Path to pod DNS resolv.conf file")
+
+	if err := viper.BindPFlag("injector.networkDisruption.dnsPodResolvConf", mainFS.Lookup("injector-network-disruption-dns-pod-resolv-conf")); err != nil {
+		return cfg, err
+	}
+
+	mainFS.StringVar(&cfg.Injector.NetworkDisruption.DNSNodeResolvConf, "injector-network-disruption-dns-node-resolv-conf", "/mnt/host/etc/resolv.conf", "Path to node DNS resolv.conf file")
+
+	if err := viper.BindPFlag("injector.networkDisruption.dnsNodeResolvConf", mainFS.Lookup("injector-network-disruption-dns-node-resolv-conf")); err != nil {
+		return cfg, err
+	}
+
 	mainFS.BoolVar(&cfg.Handler.Enabled, "handler-enabled", false, "Enable the chaos handler for on-init disruptions")
 
 	if err := viper.BindPFlag("handler.enabled", mainFS.Lookup("handler-enabled")); err != nil {

docs/network_disruption/hosts-and-services.md

@@ -245,10 +245,12 @@ apiVersion: chaos.datadoghq.com/v1beta1
 kind: Disruption
 metadata:
   name: network-disruption-istio
+  namespace: chaos-demo
 spec:
   level: pod
   selector:
     app: my-service
+  count: 1
   network:
     drop: 50
     hosts:
@@ -290,6 +292,81 @@ network:
 - **`pod-fallback-node`** (default): Use when you want resilience - try pod DNS first but fall back to node DNS if it fails
 - **`node-fallback-pod`**: Use when node DNS is preferred but you want pod DNS as a backup
 
+#### Customizing resolv.conf Paths
+
+By default, the chaos-controller uses these locations for resolv.conf files:
+
+- **Pod DNS**: `/etc/resolv.conf`
+- **Node DNS**: `/mnt/host/etc/resolv.conf`
+
+These defaults are set in the controller configuration. Some Kubernetes distributions or node configurations may use different locations for resolv.conf. You can override the defaults using Helm values:
+
+**Helm Configuration:**
+
+Override resolv.conf paths in your Helm values:
+
+```yaml
+injector:
+  networkDisruption:
+    # Path for pod DNS resolv.conf
+    # Default: /etc/resolv.conf
+    dnsPodResolvConf: "/run/systemd/resolve/resolv.conf"
+
+    # Path for node DNS resolv.conf
+    # Default: /mnt/host/etc/resolv.conf
+    dnsNodeResolvConf: "/mnt/host/run/systemd/resolve/stub-resolv.conf"
+```
+
+**Behavior:**
+- Defaults are defined in the controller configuration (can be overridden via ConfigMap, environment variables, or CLI flags)
+- The specified resolv.conf file must exist and be readable
+- Configuration is passed to injector pods as command-line arguments
+- Logging will indicate which resolv.conf file was loaded
+
+**Example: Full Helm configuration for systemd-resolved nodes**
+
+```yaml
+# values.yaml
+injector:
+  networkDisruption:
+    hostResolveInterval: 1m
+
+    # For nodes using systemd-resolved (Ubuntu, Debian, etc.)
+    dnsNodeResolvConf: "/mnt/host/run/systemd/resolve/stub-resolv.conf"
+
+    # For pods with custom DNS configuration
+    dnsPodResolvConf: "/run/systemd/resolve/resolv.conf"
+```
+
+**How it works:**
+
+When you deploy with these Helm values:
+1. The controller reads the configuration from the ConfigMap
+2. For each network disruption, the controller creates an injector pod with CLI arguments:
+   ```bash
+   /chaos-injector network-disruption \
+     --dns-pod-resolv-conf /run/systemd/resolve/resolv.conf \
+     --dns-node-resolv-conf /mnt/host/run/systemd/resolve/stub-resolv.conf \
+     ...
+   ```
+3. The injector uses these paths for DNS resolution
+4. Logs will show which resolv.conf files were loaded:
+   ```
+   INFO  loaded pod DNS configuration  resolv_conf_path=/run/systemd/resolve/resolv.conf  nameservers=[8.8.8.8, 8.8.4.4]
+   INFO  loaded node DNS configuration  resolv_conf_path=/mnt/host/run/systemd/resolve/stub-resolv.conf  nameservers=[10.0.0.1]
+   ```
+
+You can verify the paths used by an injector pod:
+```bash
+kubectl describe pod chaos-injector-xxxxx -n chaos-engineering | grep dns-
+```
+
+**Use cases:**
+- **systemd-resolved**: Nodes using systemd-resolved may have resolv.conf at `/run/systemd/resolve/resolv.conf` or `/run/systemd/resolve/stub-resolv.conf`
+- **NetworkManager**: Some distributions use `/run/NetworkManager/resolv.conf`
+- **Custom Kubernetes distributions**: Distributions like k3s, microk8s, or OpenShift may use non-standard paths
+- **Custom DNS configurations**: Environments with custom DNS setups that require specific resolv.conf locations
+
 ### Some special cases
 
 Cluster IPs can also be specified to target the relevant pods.

injector/network_disruption.go

@@ -65,6 +65,8 @@ type NetworkDisruptionInjectorConfig struct {
 	DNSClient           network.DNSClient
 	HostResolveInterval time.Duration
 	BPFConfigInformer   ebpf.ConfigInformer
+	DNSPodResolvConf    string
+	DNSNodeResolvConf   string
 }
 
 // tcServiceFilter describes a tc filter, representing the service filtered and its priority
@@ -144,7 +146,13 @@ func NewNetworkDisruptionInjector(spec v1beta1.NetworkDisruptionSpec, config Net
 	}
 
 	if config.DNSClient == nil {
-		config.DNSClient = network.NewDNSClient()
+		// Create DNS client with custom resolv.conf paths if provided
+		dnsConfig := network.DNSClientConfig{
+			PodResolvConfPath:  config.DNSPodResolvConf,
+			NodeResolvConfPath: config.DNSNodeResolvConf,
+			Logger:             config.Log,
+		}
+		config.DNSClient = network.NewDNSClient(dnsConfig)
 	}
 
 	if spec.HasHTTPFilters() && config.BPFConfigInformer == nil {

main.go

@@ -204,6 +204,8 @@ func main() {
 			Labels:                        cfg.Injector.Labels,
 			Tolerations:                   cfg.Injector.Tolerations,
 			NetworkDisruptionAllowedHosts: cfg.Injector.NetworkDisruption.AllowedHosts,
+			DNSPodResolvConf:              cfg.Injector.NetworkDisruption.DNSPodResolvConf,
+			DNSNodeResolvConf:             cfg.Injector.NetworkDisruption.DNSNodeResolvConf,
 			ImagePullSecrets:              cfg.Injector.ImagePullSecrets,
 			LogLevel:                      cfg.Injector.LogLevel,
 		},

network/dns.go

@@ -12,6 +12,7 @@ import (
 	"github.com/avast/retry-go"
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
+	"go.uber.org/zap"
 )
 
 const (
@@ -23,6 +24,9 @@ const (
 	DNSResolverPodFallbackNode = "pod-fallback-node"
 	// DNSResolverNodeFallbackPod tries node first, then falls back to pod
 	DNSResolverNodeFallbackPod = "node-fallback-pod"
+
+	DefaultPodResolvConfPath  = "/etc/resolv.conf"
+	DefaultNodeResolvConfPath = "/mnt/host/etc/resolv.conf"
 )
 
 type DNSConfig struct {
@@ -36,11 +40,37 @@ type DNSClient interface {
 	ResolveWithStrategy(host string, strategy string) ([]net.IP, error)
 }
 
-type dnsClient struct{}
+type dnsClient struct {
+	podResolvConfPath  string
+	nodeResolvConfPath string
+	log                *zap.SugaredLogger
+}
 
-// NewDNSClient creates a standard DNS client
-func NewDNSClient() DNSClient {
-	return dnsClient{}
+// DNSClientConfig contains configuration for the DNS client
+type DNSClientConfig struct {
+	PodResolvConfPath  string
+	NodeResolvConfPath string
+	Logger             *zap.SugaredLogger
+}
+
+// NewDNSClient creates a standard DNS client with optional configuration
+func NewDNSClient(config ...DNSClientConfig) DNSClient {
+	client := dnsClient{
+		podResolvConfPath:  DefaultPodResolvConfPath,
+		nodeResolvConfPath: DefaultNodeResolvConfPath,
+	}
+
+	// Apply configuration if provided
+	if len(config) > 0 {
+		client.podResolvConfPath = config[0].PodResolvConfPath
+		client.nodeResolvConfPath = config[0].NodeResolvConfPath
+
+		if config[0].Logger != nil {
+			client.log = config[0].Logger
+		}
+	}
+
+	return client
 }
 
 func (c dnsClient) Resolve(host string) ([]net.IP, error) {
@@ -115,32 +145,44 @@ func (c dnsClient) getResolversAndNames(host string, strategy string) (resolvers
 		strategy = DNSResolverPodFallbackNode
 	}
 
+	// Use configured paths from the client
+	podPath := c.podResolvConfPath
+	nodePath := c.nodeResolvConfPath
+
 	switch strategy {
 	case DNSResolverPod:
-		podDNSConfig, err := dns.ClientConfigFromFile("/etc/resolv.conf")
+		podDNSConfig, err := dns.ClientConfigFromFile(podPath)
 		if err != nil {
-			return nil, nil, fmt.Errorf("can't read '/etc/resolv.conf' file: %w", err)
+			return nil, nil, fmt.Errorf("can't read pod resolv.conf file: %w", err)
+		}
+
+		if c.log != nil {
+			c.log.Infow("loaded pod DNS configuration", "resolv_conf_path", podPath, "nameservers", podDNSConfig.Servers)
 		}
 
 		resolvers = podDNSConfig.Servers
 		names = podDNSConfig.NameList(host)
 	case DNSResolverNode:
-		nodeDNSConfig, err := dns.ClientConfigFromFile("/mnt/host/etc/resolv.conf")
+		nodeDNSConfig, err := dns.ClientConfigFromFile(nodePath)
 		if err != nil {
-			return nil, nil, fmt.Errorf("can't read '/mnt/host/etc/resolv.conf' file: %w", err)
+			return nil, nil, fmt.Errorf("can't read node resolv.conf file: %w", err)
+		}
+
+		if c.log != nil {
+			c.log.Infow("loaded node DNS configuration", "resolv_conf_path", nodePath, "nameservers", nodeDNSConfig.Servers)
 		}
 
 		resolvers = nodeDNSConfig.Servers
 		names = nodeDNSConfig.NameList(host)
 	case DNSResolverPodFallbackNode, DNSResolverNodeFallbackPod:
-		podDNSConfig, err := dns.ClientConfigFromFile("/etc/resolv.conf")
+		podDNSConfig, err := dns.ClientConfigFromFile(podPath)
 		if err != nil {
-			return nil, nil, fmt.Errorf("can't read '/etc/resolv.conf' file: %w", err)
+			return nil, nil, fmt.Errorf("can't read pod resolv.conf file: %w", err)
 		}
 
-		nodeDNSConfig, err := dns.ClientConfigFromFile("/mnt/host/etc/resolv.conf")
+		nodeDNSConfig, err := dns.ClientConfigFromFile(nodePath)
 		if err != nil {
-			return nil, nil, fmt.Errorf("can't read '/mnt/host/etc/resolv.conf' file: %w", err)
+			return nil, nil, fmt.Errorf("can't read node resolv.conf file: %w", err)
 		}
 
 		if strategy == DNSResolverPodFallbackNode {
@@ -149,12 +191,28 @@ func (c dnsClient) getResolversAndNames(host string, strategy string) (resolvers
 			resolvers = append(resolvers, nodeDNSConfig.Servers...)
 			names = append([]string{}, podDNSConfig.NameList(host)...)
 			names = append(names, nodeDNSConfig.NameList(host)...)
+
+			if c.log != nil {
+				c.log.Infow("loaded pod and node DNS configuration (pod-fallback-node strategy)",
+					"pod_resolv_conf_path", podPath,
+					"pod_nameservers", podDNSConfig.Servers,
+					"node_resolv_conf_path", nodePath,
+					"node_nameservers", nodeDNSConfig.Servers)
+			}
 		} else {
 			// Node first, then pod
 			resolvers = append([]string{}, nodeDNSConfig.Servers...)
 			resolvers = append(resolvers, podDNSConfig.Servers...)
 			names = append([]string{}, nodeDNSConfig.NameList(host)...)
 			names = append(names, podDNSConfig.NameList(host)...)
+
+			if c.log != nil {
+				c.log.Infow("loaded pod and node DNS configuration (node-fallback-pod strategy)",
+					"node_resolv_conf_path", nodePath,
+					"node_nameservers", nodeDNSConfig.Servers,
+					"pod_resolv_conf_path", podPath,
+					"pod_nameservers", podDNSConfig.Servers)
+			}
 		}
 	default:
 		return nil, nil, fmt.Errorf("unknown DNS resolver strategy: %s", strategy)
@@ -194,3 +252,15 @@ func (c dnsClient) resolve(hostName string, protocol string, resolvers []string)
 
 	return response, multiErr
 }
+
+// Test helpers for unexported functions
+
+// ReadResolvConfFileForTest is a test helper that exposes readResolvConfFile for unit testing
+func ReadResolvConfFileForTest(path string) (*dns.ClientConfig, error) {
+	config, err := dns.ClientConfigFromFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read resolv.conf from %s: %w", path, err)
+	}
+
+	return config, nil
+}