feat(network): add resolv.conf path customization

Adds configuration to customize resolv.conf file paths
for pod and node DNS resolution in network disruptions.

Users can now override default paths via Helm values,
ConfigMap, or CLI flags to support different Kubernetes
distributions (systemd-resolved, NetworkManager, etc.).

Configuration:
- injector.networkDisruption.dnsPodResolvConf
- injector.networkDisruption.dnsNodeResolvConf

Defaults: /etc/resolv.conf (pod),
          /mnt/host/etc/resolv.conf (node)

Logs show which resolv.conf files are loaded with their
nameservers for debugging.

Jira: CHAOSPLT-1360

Author: aymericDD

chart/templates/configmap.yaml

@@ -129,15 +129,21 @@ data:
       {{- end }}
       serviceAccount: {{ .Values.injector.serviceAccount | quote }}
       chaosNamespace: {{ .Values.chaosNamespace | quote }}
-      {{- if .Values.injector.networkDisruption.allowedHosts }}
       networkDisruption:
         hostResolveInterval: {{ .Values.injector.networkDisruption.hostResolveInterval | quote }}
+        {{- if .Values.injector.networkDisruption.allowedHosts }}
         allowedHosts:
           {{- range $index, $allowedHost := .Values.injector.networkDisruption.allowedHosts }}
           {{ $v := printf "%s;%v;%s;%s" ($allowedHost.host | default "") ($allowedHost.port | default "") ($allowedHost.protocol | default "") ($allowedHost.flow | default "") -}}
           - {{ tpl $v $ }}
           {{- end }}
-      {{- end }}
+        {{- end }}
+        {{- if .Values.injector.networkDisruption.dnsPodResolvConf }}
+        dnsPodResolvConf: {{ .Values.injector.networkDisruption.dnsPodResolvConf | quote }}
+        {{- end }}
+        {{- if .Values.injector.networkDisruption.dnsNodeResolvConf }}
+        dnsNodeResolvConf: {{ .Values.injector.networkDisruption.dnsNodeResolvConf | quote }}
+        {{- end }}
     handler:
       image: {{ template "chaos-controller.format-image" deepCopy .Values.global.chaos.defaultImage | merge .Values.global.oci | merge .Values.handler.image }}
       enabled: {{ .Values.handler.enabled }}

chart/values.yaml

@@ -132,6 +132,8 @@ injector:
     #     port: 81
     #     protocol: tcp
     #     flow: ingress
+#    dnsPodResolvConf: "/etc/resolv.conf" # (optional) path for pod DNS resolv.conf
+#    dnsNodeResolvConf: "/mnt/host/etc/resolv.conf" # (optional)  path for node DNS resolv.conf
 handler:
   image:
     repo: chaos-handler

cli/injector/network_disruption.go

@@ -32,6 +32,8 @@ var networkDisruptionCmd = &cobra.Command{
 		hostResolveInterval, _ := cmd.Flags().GetDuration("host-resolve-interval")
 		methods, _ := cmd.Flags().GetStringArray("method")
 		paths, _ := cmd.Flags().GetStringArray("path")
+		dnsPodResolvConf, _ := cmd.Flags().GetString("dns-pod-resolv-conf")
+		dnsNodeResolvConf, _ := cmd.Flags().GetString("dns-node-resolv-conf")
 
 		// prepare injectors
 		for i, config := range configs {
@@ -80,7 +82,12 @@ var networkDisruptionCmd = &cobra.Command{
 			}
 
 			// generate injector
-			inj, err := injector.NewNetworkDisruptionInjector(spec, injector.NetworkDisruptionInjectorConfig{Config: config, HostResolveInterval: hostResolveInterval})
+			inj, err := injector.NewNetworkDisruptionInjector(spec, injector.NetworkDisruptionInjectorConfig{
+				Config:              config,
+				HostResolveInterval: hostResolveInterval,
+				DNSPodResolvConf:    dnsPodResolvConf,
+				DNSNodeResolvConf:   dnsNodeResolvConf,
+			})
 			if err != nil {
 				log.Fatalw("error initializing the network disruption injector: %w", err)
 			}
@@ -103,4 +110,6 @@ func init() {
 	networkDisruptionCmd.Flags().Duration("host-resolve-interval", time.Minute, "Interval to resolve hostnames")
 	networkDisruptionCmd.Flags().StringArray("method", []string{}, "Filter by http method: GET, DELETE, POST, CREATE, PUT, HEAD, PATCH, CONNECT, OPTIONS or TRACE")
 	networkDisruptionCmd.Flags().StringArray("path", []string{v1beta1.DefaultHTTPPathFilter}, "Filter by path and must not exceed 100 characters")
+	networkDisruptionCmd.Flags().String("dns-pod-resolv-conf", "", "Path to pod DNS resolv.conf file (defaults to /etc/resolv.conf)")
+	networkDisruptionCmd.Flags().String("dns-node-resolv-conf", "", "Path to node DNS resolv.conf file (defaults to /mnt/host/etc/resolv.conf)")
 }

config/config.go

@@ -99,6 +99,8 @@ type Toleration struct {
 type injectorNetworkDisruptionConfig struct {
 	AllowedHosts        []string      `json:"allowedHosts" yaml:"allowedHosts"`
 	HostResolveInterval time.Duration `json:"hostResolveInterval" yaml:"hostResolveInterval"`
+	DNSPodResolvConf    string        `json:"dnsPodResolvConf" yaml:"dnsPodResolvConf"`
+	DNSNodeResolvConf   string        `json:"dnsNodeResolvConf" yaml:"dnsNodeResolvConf"`
 }
 
 type handlerConfig struct {
@@ -338,6 +340,18 @@ func New(client corev1client.ConfigMapInterface, logger *zap.SugaredLogger, osAr
 		return cfg, err
 	}
 
+	mainFS.StringVar(&cfg.Injector.NetworkDisruption.DNSPodResolvConf, "injector-network-disruption-dns-pod-resolv-conf", "/etc/resolv.conf", "Path to pod DNS resolv.conf file")
+
+	if err := viper.BindPFlag("injector.networkDisruption.dnsPodResolvConf", mainFS.Lookup("injector-network-disruption-dns-pod-resolv-conf")); err != nil {
+		return cfg, err
+	}
+
+	mainFS.StringVar(&cfg.Injector.NetworkDisruption.DNSNodeResolvConf, "injector-network-disruption-dns-node-resolv-conf", "/mnt/host/etc/resolv.conf", "Path to node DNS resolv.conf file")
+
+	if err := viper.BindPFlag("injector.networkDisruption.dnsNodeResolvConf", mainFS.Lookup("injector-network-disruption-dns-node-resolv-conf")); err != nil {
+		return cfg, err
+	}
+
 	mainFS.BoolVar(&cfg.Handler.Enabled, "handler-enabled", false, "Enable the chaos handler for on-init disruptions")
 
 	if err := viper.BindPFlag("handler.enabled", mainFS.Lookup("handler-enabled")); err != nil {

docs/network_disruption/hosts-and-services.md

@@ -245,10 +245,12 @@ apiVersion: chaos.datadoghq.com/v1beta1
 kind: Disruption
 metadata:
   name: network-disruption-istio
+  namespace: chaos-demo
 spec:
   level: pod
   selector:
     app: my-service
+  count: 1
   network:
     drop: 50
     hosts:
@@ -322,6 +324,81 @@ network:
 - **`pod-fallback-node`** (default): Use when you want resilience - try pod DNS first but fall back to node DNS if it fails
 - **`node-fallback-pod`**: Use when node DNS is preferred but you want pod DNS as a backup
 
+#### Customizing resolv.conf Paths
+
+By default, the chaos-controller uses these locations for resolv.conf files:
+
+- **Pod DNS**: `/etc/resolv.conf`
+- **Node DNS**: `/mnt/host/etc/resolv.conf`
+
+These defaults are set in the controller configuration. Some Kubernetes distributions or node configurations may use different locations for resolv.conf. You can override the defaults using Helm values:
+
+**Helm Configuration:**
+
+Override resolv.conf paths in your Helm values:
+
+```yaml
+injector:
+  networkDisruption:
+    # Path for pod DNS resolv.conf
+    # Default: /etc/resolv.conf
+    dnsPodResolvConf: "/run/systemd/resolve/resolv.conf"
+
+    # Path for node DNS resolv.conf
+    # Default: /mnt/host/etc/resolv.conf
+    dnsNodeResolvConf: "/mnt/host/run/systemd/resolve/stub-resolv.conf"
+```
+
+**Behavior:**
+- Defaults are defined in the controller configuration (can be overridden via ConfigMap, environment variables, or CLI flags)
+- The specified resolv.conf file must exist and be readable
+- Configuration is passed to injector pods as command-line arguments
+- Logging will indicate which resolv.conf file was loaded
+
+**Example: Full Helm configuration for systemd-resolved nodes**
+
+```yaml
+# values.yaml
+injector:
+  networkDisruption:
+    hostResolveInterval: 1m
+
+    # For nodes using systemd-resolved (Ubuntu, Debian, etc.)
+    dnsNodeResolvConf: "/mnt/host/run/systemd/resolve/stub-resolv.conf"
+
+    # For pods with custom DNS configuration
+    dnsPodResolvConf: "/run/systemd/resolve/resolv.conf"
+```
+
+**How it works:**
+
+When you deploy with these Helm values:
+1. The controller reads the configuration from the ConfigMap
+2. For each network disruption, the controller creates an injector pod with CLI arguments:
+   ```bash
+   /chaos-injector network-disruption \
+     --dns-pod-resolv-conf /run/systemd/resolve/resolv.conf \
+     --dns-node-resolv-conf /mnt/host/run/systemd/resolve/stub-resolv.conf \
+     ...
+   ```
+3. The injector uses these paths for DNS resolution
+4. Logs will show which resolv.conf files were loaded:
+   ```
+   INFO  loaded pod DNS configuration  resolv_conf_path=/run/systemd/resolve/resolv.conf  nameservers=[8.8.8.8, 8.8.4.4]
+   INFO  loaded node DNS configuration  resolv_conf_path=/mnt/host/run/systemd/resolve/stub-resolv.conf  nameservers=[10.0.0.1]
+   ```
+
+You can verify the paths used by an injector pod:
+```bash
+kubectl describe pod chaos-injector-xxxxx -n chaos-engineering | grep dns-
+```
+
+**Use cases:**
+- **systemd-resolved**: Nodes using systemd-resolved may have resolv.conf at `/run/systemd/resolve/resolv.conf` or `/run/systemd/resolve/stub-resolv.conf`
+- **NetworkManager**: Some distributions use `/run/NetworkManager/resolv.conf`
+- **Custom Kubernetes distributions**: Distributions like k3s, microk8s, or OpenShift may use non-standard paths
+- **Custom DNS configurations**: Environments with custom DNS setups that require specific resolv.conf locations
+
 ### Some special cases
 
 Cluster IPs can also be specified to target the relevant pods.

injector/ipresolver.go

@@ -35,11 +35,8 @@ func resolveHost(client network.DNSClient, host string, dnsStrategy string) ([]*
 			// if no IP has been parsed, fallback on a hostname
 			// and try to resolve it by using the container resolv.conf file
 			var resolvedIPs []net.IP
-			if dnsStrategy != "" {
-				resolvedIPs, err = client.ResolveWithStrategy(host, dnsStrategy)
-			} else {
-				resolvedIPs, err = client.Resolve(host)
-			}
+
+			resolvedIPs, err = client.ResolveWithStrategy(host, dnsStrategy)
 
 			if err != nil {
 				return nil, fmt.Errorf("can't resolve the given host with the configured dns resolver: %w", err)

injector/network_disruption.go

@@ -65,6 +65,8 @@ type NetworkDisruptionInjectorConfig struct {
 	DNSClient           network.DNSClient
 	HostResolveInterval time.Duration
 	BPFConfigInformer   ebpf.ConfigInformer
+	DNSPodResolvConf    string
+	DNSNodeResolvConf   string
 }
 
 // tcServiceFilter describes a tc filter, representing the service filtered and its priority
@@ -144,7 +146,13 @@ func NewNetworkDisruptionInjector(spec v1beta1.NetworkDisruptionSpec, config Net
 	}
 
 	if config.DNSClient == nil {
-		config.DNSClient = network.NewDNSClient()
+		// Create DNS client with custom resolv.conf paths if provided
+		dnsConfig := network.DNSClientConfig{
+			PodResolvConfPath:  config.DNSPodResolvConf,
+			NodeResolvConfPath: config.DNSNodeResolvConf,
+			Logger:             config.Log,
+		}
+		config.DNSClient = network.NewDNSClient(dnsConfig)
 	}
 
 	if spec.HasHTTPFilters() && config.BPFConfigInformer == nil {

injector/network_disruption_test.go

@@ -14,6 +14,14 @@ import (
 	"strings"
 	"time"
 
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/watch"
+	kubernetes "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/testing"
+
 	"github.com/DataDog/chaos-controller/api"
 	"github.com/DataDog/chaos-controller/api/v1beta1"
 	"github.com/DataDog/chaos-controller/cgroup"
@@ -24,15 +32,9 @@ import (
 	"github.com/DataDog/chaos-controller/netns"
 	"github.com/DataDog/chaos-controller/network"
 	chaostypes "github.com/DataDog/chaos-controller/types"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"github.com/stretchr/testify/mock"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/watch"
-	kubernetes "k8s.io/client-go/kubernetes/fake"
-	"k8s.io/client-go/testing"
 )
 
 const (
@@ -143,7 +145,7 @@ var _ = Describe("Failure", func() {
 
 		// dns
 		dns = network.NewDNSClientMock(GinkgoT())
-		dns.EXPECT().Resolve("kubernetes.default").Return([]net.IP{net.ParseIP("192.168.0.254")}, nil).Maybe()
+		dns.EXPECT().ResolveWithStrategy("kubernetes", "default").Return([]net.IP{net.ParseIP("192.168.0.254")}, nil).Maybe()
 
 		// container
 		ctn = container.NewContainerMock(GinkgoT())
@@ -398,7 +400,7 @@ var _ = Describe("Failure", func() {
 					},
 				}
 
-				dns.EXPECT().Resolve("testhost").Return([]net.IP{net.ParseIP(testHostIP), net.ParseIP(testHostIPTwo)}, nil).Once()
+				dns.EXPECT().ResolveWithStrategy("testhost", "").Return([]net.IP{net.ParseIP(testHostIP), net.ParseIP(testHostIPTwo)}, nil).Once()
 			})
 
 			It("should not raise an error", func() {
@@ -409,7 +411,7 @@ var _ = Describe("Failure", func() {
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIP), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIPTwo), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 
-				dns.EXPECT().Resolve("testhost").Return([]net.IP{net.ParseIP(testHostIPTwo), net.ParseIP(testHostIPThree)}, nil).Maybe()
+				dns.EXPECT().ResolveWithStrategy("testhost", "").Return([]net.IP{net.ParseIP(testHostIPTwo), net.ParseIP(testHostIPThree)}, nil).Maybe()
 				time.Sleep(time.Second) // Wait for changed IPs to be caught by the hostWatcher
 
 				tc.AssertCalled(GinkgoT(), "DeleteFilter", "lo", uint32(0))
@@ -422,7 +424,7 @@ var _ = Describe("Failure", func() {
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIP), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIPTwo), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 
-				dns.EXPECT().Resolve("testhost").Return([]net.IP{net.ParseIP(testHostIP), net.ParseIP(testHostIPTwo), net.ParseIP(testHostIPThree)}, nil).Maybe()
+				dns.EXPECT().ResolveWithStrategy("testhost", "").Return([]net.IP{net.ParseIP(testHostIP), net.ParseIP(testHostIPTwo), net.ParseIP(testHostIPThree)}, nil).Maybe()
 				time.Sleep(time.Second) // Wait for changed IPs to be caught by the hostWatcher
 
 				tc.AssertNotCalled(GinkgoT(), "DeleteFilter")
@@ -433,7 +435,7 @@ var _ = Describe("Failure", func() {
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIP), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 				tc.AssertCalled(GinkgoT(), "AddFilter", []string{"lo", "eth0", "eth1"}, "1:0", "", nilIPNet, buildSingleIPNet(testHostIPTwo), 0, 80, network.TCP, network.ConnStateUndefined, "1:4")
 
-				dns.EXPECT().Resolve("testhost").Return([]net.IP{net.ParseIP(testHostIP)}, nil).Maybe()
+				dns.EXPECT().ResolveWithStrategy("testhost", "").Return([]net.IP{net.ParseIP(testHostIP)}, nil).Maybe()
 				time.Sleep(time.Second) // Wait for changed IPs to be caught by the hostWatcher
 
 				tc.AssertCalled(GinkgoT(), "DeleteFilter", "lo", uint32(0))

main.go

@@ -204,6 +204,8 @@ func main() {
 			Labels:                        cfg.Injector.Labels,
 			Tolerations:                   cfg.Injector.Tolerations,
 			NetworkDisruptionAllowedHosts: cfg.Injector.NetworkDisruption.AllowedHosts,
+			DNSPodResolvConf:              cfg.Injector.NetworkDisruption.DNSPodResolvConf,
+			DNSNodeResolvConf:             cfg.Injector.NetworkDisruption.DNSNodeResolvConf,
 			ImagePullSecrets:              cfg.Injector.ImagePullSecrets,
 			LogLevel:                      cfg.Injector.LogLevel,
 		},