Allow-listing domains in pi-hole deployment

I’m hosting the most excellent pi-hole software on my Kubernetes cluster as a stateless deployment. This means that every time a new replica pod for pi-hole starts, all of its configuration is supplied via ConfigMap volume mounts and the Gravity database is created from scratch. Pi-hole v5.0 moved the block and allow lists into the Gravity database itself, so mounting a /etc/pihole/whitelist.txt from a ConfigMap no longer has any effect. Allow-listing a domain now means running the pihole command inside the container.

Strangely enough, this requirement came about because searching for items on the homedepot.ca web site was not working. My searches resulted in a “Sorry, something went wrong. Please try again.” error message!

When I inspected my browser’s console, the first line was the following warning:

Loading failed for the <script> with source “https://cdn.cookielaw.org/scripttemplates/otSDKStub.js”.

I tried to open that JavaScript file directly, without success, then did a DNS lookup for cdn.cookielaw.org, which returned 0.0.0.0, the answer pi-hole gives for a blocked domain in its default blocking mode. So this host is in my pi-hole’s block list. It blows my mind that such basic site functionality breaks when a third-party script fails to load, but I digress.

Lifecycle hooks

I could not find a way to make the site’s search work while leaving this host in the block list. So I used a postStart hook on my pi-hole Kubernetes deployment to allow-list the host every time a pod starts. Here is the relevant part of my deployment:

containers:
- image: pihole/pihole:2025.06.2
  imagePullPolicy: IfNotPresent
  name: pihole
  lifecycle:
    postStart:
      exec:
        command:
          - /bin/sh
          - -c
          - |
            # Wait for pihole-FTL to bind port 53 (TCP or UDP). The anchored
            # pattern matches ':53' followed by whitespace or end of line,
            # so a listener on e.g. ':5353' does not count as ready.
            until ss -lntu | grep -qE ':53([[:space:]]|$)'; do sleep 1; done
            # Allow-list the domain (Pi-hole v6 CLI syntax; v5 used `pihole -w`).
            /usr/local/bin/pihole allow cdn.cookielaw.org

The Kubernetes documentation makes no ordering guarantee between the container ENTRYPOINT and the postStart hook: the hook fires asynchronously as soon as the container is created and may run before the entrypoint has done anything. This means the hook needs some signal that pi-hole is ready for Gravity database changes. I get that signal by waiting for port 53 to be bound. This is not perfect, because the Gravity database is initialized after the port binding, but that happens quickly enough. I have yet to see this race condition fail to add the allow-listed domain. Two things to keep in mind with this approach: the container does not reach the Running state until the hook returns, so an until loop with no upper bound (for example because ss is missing from the image) keeps the pod from ever becoming ready, and a hook that exits non-zero kills the container.
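As an added example (not code from the original post, and not pi-hole’s or Kubernetes’ own), here is the same hook generalized to a whole list of domains mounted from a ConfigMap, with a bounded wait for port 53 and a hostname check so that a stray line in the ConfigMap is never handed to the pihole CLI. The mount path /etc/pihole-allowlist/domains.txt, the run argument and the helper names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the pi-hole project.
# postStart hook body that allow-lists every domain listed in a file mounted
# from a ConfigMap, waiting (with a timeout) for pihole-FTL to bind port 53.
# Assumed paths and names: /etc/pihole-allowlist/domains.txt, the `run`
# argument and the helper functions below are all illustrative.

PIHOLE_BIN="${PIHOLE_BIN:-/usr/local/bin/pihole}"
ALLOWLIST_FILE="${ALLOWLIST_FILE:-/etc/pihole-allowlist/domains.txt}"
WAIT_SECONDS="${WAIT_SECONDS:-60}"

# True once something listens on port 53 (TCP or UDP). The anchored pattern
# does not match ':5353' or ':530'; a missing `ss` simply reads as "not yet".
dns_port_bound() {
  ss -lntu 2>/dev/null | grep -qE ':53([[:space:]]|$)'
}

# Poll dns_port_bound once a second for at most WAIT_SECONDS; return 1 on
# timeout so the hook fails loudly instead of leaving the Pod stuck forever
# (a postStart hook that never returns keeps the container from reaching
# Running, and a hook that fails kills the container).
wait_for_dns_port() {
  i=0
  while [ "$i" -lt "$WAIT_SECONDS" ]; do
    if dns_port_bound; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Accept only syntactic hostnames with at least one dot, so a stray line in
# the ConfigMap (or one that looks like a CLI flag, e.g. "--help") is never
# passed to the pihole CLI.
valid_domain() {
  printf '%s\n' "$1" | grep -qiE \
    '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$'
}

# Read the list (blank lines and '#' comments ignored) and run
# `pihole allow <domain>` once per valid entry. Returns 0 if every
# non-empty entry was valid, 1 if any entry had to be skipped.
allow_from_file() {
  file="$1"
  rejected=0
  while IFS= read -r line || [ -n "$line" ]; do
    domain=$(printf '%s' "$line" | sed -e 's/#.*$//' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -z "$domain" ] && continue
    if valid_domain "$domain"; then
      "$PIHOLE_BIN" allow "$domain"
    else
      echo "skipping invalid allow-list entry: $line" >&2
      rejected=$((rejected + 1))
    fi
  done < "$file"
  [ "$rejected" -eq 0 ]
}

main() {
  if ! wait_for_dns_port; then
    echo "pihole-FTL did not bind port 53 within ${WAIT_SECONDS}s" >&2
    exit 1
  fi
  allow_from_file "$ALLOWLIST_FILE"
}

# Only act when invoked as the hook (`poststart.sh run`), so the functions
# above can be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
  main
fi
```

To wire it in, mount the script and the domain list from ConfigMaps (for example at /etc/pihole-hooks/poststart.sh and /etc/pihole-allowlist/domains.txt) and point the hook at it with command: ["/bin/sh", "/etc/pihole-hooks/poststart.sh", "run"]. A timeout or an invalid entry then surfaces as a FailedPostStartHook event on the pod instead of a silently stuck or silently incomplete allow-list.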

So there you go, while I admittedly had quite a niche reason for allow-listing domains in my pi-hole deployment, you too can do the same!
