Merge pull request #87491 from DCChadwick/osdocs11202b

OSDOCS11202: Clarifying and Adding Detail to "Controlling DNS pod placement” doc

Author: skrthomas

modules/nw-controlling-dns-pod-placement.adoc

@@ -8,7 +8,12 @@
 
 The DNS Operator has two daemon sets: one for CoreDNS called `dns-default` and one for managing the `/etc/hosts` file called `node-resolver`.
 
-You might find a need to control which nodes have CoreDNS pods assigned and running, although this is not a common operation. For example, if the cluster administrator has configured security policies that can prohibit communication between pairs of nodes, that would necessitate restricting the set of nodes on which the daemonset for CoreDNS runs. If DNS pods are running on some nodes in the cluster and the nodes where DNS pods are not running have network connectivity to nodes where DNS pods are running, DNS service will be available to all pods.
+You can assign and run CoreDNS pods on specified nodes. For example, if the cluster administrator has configured security policies that prohibit communication between pairs of nodes, you can configure CoreDNS pods to run on a restricted set of nodes.
+
+DNS service is available to all pods if the following circumstances are true:
+
+* DNS pods are running on some nodes in the cluster.
+* The nodes on which DNS pods are not running have network connectivity to nodes on which DNS pods are running, 
 
 The `node-resolver` daemon set must run on every node host because it adds an entry for the cluster image registry to support pulling images. The `node-resolver` pods have only one job: to look up the `image-registry.openshift-image-registry.svc` service's cluster IP address and add it to `/etc/hosts` on the node host so that the container runtime can resolve the service name.
 
@@ -23,25 +28,49 @@ As a cluster administrator, you can use a custom node selector to configure the
 .Procedure
 
 * To allow the daemon set for CoreDNS to run on certain nodes, configure a taint and toleration:
+
+. Set a taint on the nodes that you want to control DNS pod placement by entering the following command:
++
+[source,terminal]
+----
+$ oc adm taint nodes <node_name> dns-only=abc:NoExecute <1>
+----
 +
-. Modify the DNS Operator object named `default`:
+<1> Replace `<node_name>` with the actual name of the node.
+
+. Modify the DNS Operator object named `default` to include the corresponding toleration by entering the following command: 
 +
 [source,terminal]
 ----
 $ oc edit dns.operator/default
 ----
-+
-. Specify a taint key and a toleration for the taint:
+
+. Specify a taint key and a toleration for the taint. The following toleration matches the taint set on the nodes.
 +
 [source,yaml]
 ----
  spec:
    nodePlacement:
      tolerations:
      - effect: NoExecute
-       key: "dns-only"
-       operators: Equal
+       key: "dns-only" <1>
+       operator: Equal
        value: abc
-       tolerationSeconds: 3600 <1>
+       tolerationSeconds: 3600 <2>
 ----
-<1> If the taint is `dns-only`, it can be tolerated indefinitely. You can omit `tolerationSeconds`.
+<1> If the `key` field is set to `dns-only`, it can be tolerated indefinitely.
+<2> The `tolerationSeconds` field is optional.
+
+. Optional: To specify node placement using a node selector, modify the default DNS Operator:
+
+.. Edit the DNS Operator object named `default` to include a node selector:
++
+[source,yaml]
+----
+ spec:
+   nodePlacement:
+     nodeSelector:    <1>
+       node-role.kubernetes.io/control-plane: ""
+----
++
+<1> This node selector ensures that the CoreDNS pods run only on control plane nodes.