Add antctl get fqdncache (#6868)

This PR adds functionality for a new antctl command: `antctl get fqdncache`
This command fetches the DNS mapping entries for FQDN policies by reading the
cache for DNS entries and outputting FQDN name, associated IP, and expiration
time. It can also be used with a --domain (-d) flag that can be specified to
filter the result for only a certain FQDN.

Signed-off-by: dj014275 <[email protected]>
Co-authored-by: dj014275 <[email protected]>

Author: Dhruv-J

pkg/agent/apis/types.go

@@ -17,6 +17,7 @@ package apis
 import (
 	"strconv"
 	"strings"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 
@@ -72,6 +73,28 @@ func (r AntreaAgentInfoResponse) SortRows() bool {
 	return true
 }
 
+type FQDNCacheResponse struct {
+	FQDNName       string    `json:"fqdnName,omitempty"`
+	IPAddress      string    `json:"ipAddress,omitempty"`
+	ExpirationTime time.Time `json:"expirationTime,omitempty"`
+}
+
+func (r FQDNCacheResponse) GetTableHeader() []string {
+	return []string{"FQDN", "ADDRESS", "EXPIRATION TIME"}
+}
+
+func (r FQDNCacheResponse) GetTableRow(maxColumn int) []string {
+	return []string{
+		r.FQDNName,
+		r.IPAddress,
+		r.ExpirationTime.String(),
+	}
+}
+
+func (r FQDNCacheResponse) SortRows() bool {
+	return true
+}
+
 type FeatureGateResponse struct {
 	Component string `json:"component,omitempty"`
 	Name      string `json:"name,omitempty"`

pkg/agent/apiserver/apiserver.go

@@ -40,6 +40,7 @@ import (
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/bgppolicy"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/bgproute"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/featuregates"
+	"antrea.io/antrea/pkg/agent/apiserver/handlers/fqdncache"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/memberlist"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/multicast"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/networkpolicy"
@@ -104,6 +105,7 @@ func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolic
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgppolicy", bgppolicy.HandleFunc(bgpq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgppeers", bgppeer.HandleFunc(bgpq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/bgproutes", bgproute.HandleFunc(bgpq))
+	s.Handler.NonGoRestfulMux.HandleFunc("/fqdncache", fqdncache.HandleFunc(npq))
 }
 
 func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool) error {

pkg/agent/apiserver/handlers/fqdncache/handler.go

@@ -0,0 +1,73 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fqdncache
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"regexp"
+	"strings"
+
+	"k8s.io/klog/v2"
+
+	agentapi "antrea.io/antrea/pkg/agent/apis"
+	"antrea.io/antrea/pkg/querier"
+)
+
+func HandleFunc(npq querier.AgentNetworkPolicyInfoQuerier) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		fqdnFilter, err := newFilterFromURLQuery(r.URL.Query())
+		if err != nil {
+			http.Error(w, "Invalid regex: "+err.Error(), http.StatusBadRequest)
+			klog.ErrorS(err, "Invalid regex")
+			return
+		}
+		dnsEntryCache := npq.GetFQDNCache(fqdnFilter)
+		resp := make([]agentapi.FQDNCacheResponse, 0, len(dnsEntryCache))
+		for _, entry := range dnsEntryCache {
+			resp = append(resp, agentapi.FQDNCacheResponse{
+				FQDNName:       entry.FQDNName,
+				IPAddress:      entry.IPAddress.String(),
+				ExpirationTime: entry.ExpirationTime,
+			})
+		}
+		if err := json.NewEncoder(w).Encode(resp); err != nil {
+			http.Error(w, "Failed to encode response: "+err.Error(), http.StatusBadRequest)
+			klog.ErrorS(err, "Failed to encode response")
+			return
+		}
+	}
+}
+
+func newFilterFromURLQuery(query url.Values) (*querier.FQDNCacheFilter, error) {
+	domain := query.Get("domain")
+	if domain == "" {
+		return nil, nil
+	}
+	pattern := strings.TrimSpace(domain)
+	// Replace "." as a regex literal, since it's recogized as a separator in FQDN.
+	pattern = strings.Replace(pattern, ".", "[.]", -1)
+	// Replace "*" with ".*".
+	pattern = strings.Replace(pattern, "*", ".*", -1)
+	// Anchor the regex match expression.
+	pattern = "^" + pattern + "$"
+
+	regex, err := regexp.Compile(pattern)
+	if err != nil {
+		return nil, err
+	}
+	return &querier.FQDNCacheFilter{DomainRegex: regex}, nil
+}

pkg/agent/apiserver/handlers/fqdncache/handler_test.go

@@ -0,0 +1,152 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fqdncache
+
+import (
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+
+	"antrea.io/antrea/pkg/agent/apis"
+	"antrea.io/antrea/pkg/agent/types"
+	"antrea.io/antrea/pkg/querier"
+	queriertest "antrea.io/antrea/pkg/querier/testing"
+)
+
+func TestFqdnCacheQuery(t *testing.T) {
+	expirationTime := time.Now().Add(1 * time.Hour).UTC()
+	tests := []struct {
+		name                 string
+		filteredCacheEntries []types.DnsCacheEntry
+		expectedResponse     []apis.FQDNCacheResponse
+	}{
+		{
+			name: "FQDN cache exists - multiple addresses multiple domains",
+			filteredCacheEntries: []types.DnsCacheEntry{
+				{
+					FQDNName:       "example.com",
+					IPAddress:      net.ParseIP("10.0.0.1"),
+					ExpirationTime: expirationTime,
+				},
+				{
+					FQDNName:       "foo.com",
+					IPAddress:      net.ParseIP("10.0.0.4"),
+					ExpirationTime: expirationTime,
+				},
+				{
+					FQDNName:       "bar.com",
+					IPAddress:      net.ParseIP("10.0.0.5"),
+					ExpirationTime: expirationTime,
+				},
+			},
+			expectedResponse: []apis.FQDNCacheResponse{
+				{
+					FQDNName:       "example.com",
+					IPAddress:      "10.0.0.1",
+					ExpirationTime: expirationTime,
+				},
+				{
+					FQDNName:       "foo.com",
+					IPAddress:      "10.0.0.4",
+					ExpirationTime: expirationTime,
+				},
+				{
+					FQDNName:       "bar.com",
+					IPAddress:      "10.0.0.5",
+					ExpirationTime: expirationTime,
+				},
+			},
+		},
+		{
+			name:                 "FQDN cache does not exist",
+			filteredCacheEntries: []types.DnsCacheEntry{},
+			expectedResponse:     []apis.FQDNCacheResponse{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			q := queriertest.NewMockAgentNetworkPolicyInfoQuerier(ctrl)
+			q.EXPECT().GetFQDNCache(nil).Return(tt.filteredCacheEntries)
+			handler := HandleFunc(q)
+			req, err := http.NewRequest(http.MethodGet, "", nil)
+			require.NoError(t, err)
+			recorder := httptest.NewRecorder()
+			handler.ServeHTTP(recorder, req)
+			var receivedResponse []apis.FQDNCacheResponse
+			err = json.Unmarshal(recorder.Body.Bytes(), &receivedResponse)
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedResponse, receivedResponse)
+		})
+	}
+}
+
+func TestNewFilterFromURLQuery(t *testing.T) {
+	tests := []struct {
+		name           string
+		queryParams    url.Values
+		expectedFilter *querier.FQDNCacheFilter
+		expectedError  string
+	}{
+		{
+			name:           "Empty query",
+			queryParams:    url.Values{},
+			expectedFilter: nil,
+		},
+		{
+			name: "Valid regex domain",
+			queryParams: url.Values{
+				"domain": {"example.com"},
+			},
+			expectedFilter: &querier.FQDNCacheFilter{DomainRegex: regexp.MustCompile("^example[.]com$")},
+		},
+		{
+			name: "Valid regex domain",
+			queryParams: url.Values{
+				"domain": {"*.example.com"},
+			},
+			expectedFilter: &querier.FQDNCacheFilter{DomainRegex: regexp.MustCompile("^.*[.]example[.]com$")},
+		},
+		{
+			name: "Invalid regex domain",
+			queryParams: url.Values{
+				"domain": {"^example(abc$"},
+			},
+			expectedFilter: nil,
+			expectedError:  "missing closing )",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := newFilterFromURLQuery(tt.queryParams)
+			if tt.expectedError != "" {
+				assert.ErrorContains(t, err, tt.expectedError)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.expectedFilter, result)
+			}
+		})
+	}
+}

pkg/agent/controller/networkpolicy/networkpolicy_controller.go

@@ -538,6 +538,19 @@ func NewNetworkPolicyController(antreaClientGetter client.AntreaClientProvider,
 	return c, nil
 }
 
+func (c *Controller) GetFQDNCache(fqdnFilter *querier.FQDNCacheFilter) []types.DnsCacheEntry {
+	cacheEntryList := []types.DnsCacheEntry{}
+	for fqdn, dnsMeta := range c.fqdnController.dnsEntryCache {
+		for _, ipWithExpiration := range dnsMeta.responseIPs {
+			if fqdnFilter == nil || fqdnFilter.DomainRegex.MatchString(fqdn) {
+				entry := types.DnsCacheEntry{FQDNName: fqdn, IPAddress: ipWithExpiration.ip, ExpirationTime: ipWithExpiration.expirationTime}
+				cacheEntryList = append(cacheEntryList, entry)
+			}
+		}
+	}
+	return cacheEntryList
+}
+
 func (c *Controller) GetNetworkPolicyNum() int {
 	return c.ruleCache.GetNetworkPolicyNum()
 }

pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"regexp"
 	"strings"
 	"sync"
 	"testing"
@@ -903,3 +904,65 @@ func TestValidate(t *testing.T) {
 		t.Fatalf("groupAddress %s expect %v, but got %v", groupAddress2, v1beta1.RuleActionDrop, item.RuleAction)
 	}
 }
+
+func TestGetFqdnCache(t *testing.T) {
+	controller, _, _ := newTestController()
+	expectedEntryList := []agenttypes.DnsCacheEntry{}
+	assert.Equal(t, expectedEntryList, controller.GetFQDNCache(nil))
+	expirationTime := time.Now().Add(1 * time.Hour).UTC()
+
+	controller.fqdnController.dnsEntryCache = map[string]dnsMeta{
+		"example.com": {
+			responseIPs: map[string]ipWithExpiration{
+				"10.0.0.1": {
+					ip:             net.ParseIP("10.0.0.1"),
+					expirationTime: expirationTime,
+				},
+				"10.0.0.2": {
+					ip:             net.ParseIP("10.0.0.2"),
+					expirationTime: expirationTime,
+				},
+				"10.0.0.3": {
+					ip:             net.ParseIP("10.0.0.3"),
+					expirationTime: expirationTime,
+				},
+			},
+		},
+		"antrea.io": {
+			responseIPs: map[string]ipWithExpiration{
+				"10.0.0.4": {
+					ip:             net.ParseIP("10.0.0.4"),
+					expirationTime: expirationTime,
+				},
+			},
+		},
+	}
+
+	expectedEntryList = []agenttypes.DnsCacheEntry{
+		{
+			FQDNName:       "example.com",
+			IPAddress:      net.ParseIP("10.0.0.1"),
+			ExpirationTime: expirationTime,
+		},
+		{
+			FQDNName:       "example.com",
+			IPAddress:      net.ParseIP("10.0.0.2"),
+			ExpirationTime: expirationTime,
+		},
+		{
+			FQDNName:       "example.com",
+			IPAddress:      net.ParseIP("10.0.0.3"),
+			ExpirationTime: expirationTime,
+		},
+		{
+			FQDNName:       "antrea.io",
+			IPAddress:      net.ParseIP("10.0.0.4"),
+			ExpirationTime: expirationTime,
+		},
+	}
+	returnedList := controller.GetFQDNCache(nil)
+	assert.ElementsMatch(t, expectedEntryList, returnedList)
+	pattern := regexp.MustCompile("^.*[.]io$")
+	returnedList = controller.GetFQDNCache(&querier.FQDNCacheFilter{DomainRegex: pattern})
+	assert.ElementsMatch(t, []agenttypes.DnsCacheEntry{expectedEntryList[3]}, returnedList)
+}

pkg/agent/types/networkpolicy.go

@@ -15,13 +15,22 @@
 package types
 
 import (
+	"net"
+	"time"
+
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"antrea.io/antrea/pkg/apis/controlplane/v1beta2"
 	secv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 	binding "antrea.io/antrea/pkg/ovs/openflow"
 )
 
+type DnsCacheEntry struct {
+	FQDNName       string
+	IPAddress      net.IP
+	ExpirationTime time.Time
+}
+
 type MatchKey struct {
 	ofProtocol    binding.Protocol
 	valueCategory AddressCategory