Kubernetes DNS system

  • The DNS service is not required
  • It is usually installed as an add-on
  • Kube DNS, CoreDNS

process

  1. After the DNS application of Kubernetes is deployed, a service Cluster IP will be exposed
  2. After the DNS service Cluster IP is assigned, the system (generally refers to the installer) will configure Kubelet with the – cluster DNS = startup parameter
  3. The IP address of the DNS service will be passed when the user container is started and written by kubelet to the / etc/resolv.conf file of each container
  4. Containers in the cluster obtain domain name resolution services by accessing the Cluster IP+53 port of the service
  5. Kubelet's – cluster_ The domain = parameter supports the configuration of cluster domain name suffix, which is cluster.local by default

Pod internal resolv.conf

root@master-01:~/tmp# kubectl exec backend01 -it sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cat /etc/resolv.conf
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

Cluster dns service and endpoint

root@master-01:~/tmp# kubectl get svc -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   49d
root@master-01:~/tmp# kubectl get ep kube-dns -n kube-system
NAME       ENDPOINTS                                                  AGE
kube-dns   10.0.184.75:53,10.0.184.76:53,10.0.184.75:53 + 3 more...   49d

Naming scheme of Kubernetes DNS

Kubernetes DNS add in supports forward lookup (A Record), port lookup (SRV record), reverse IP address lookup (PTR record) and other functions

For Service, Kubernetes DNS server will generate three types of DNS records: A record, SRV record and CNAME record

A record

A Record is the most basic type of DNS record used to point a domain or subdomain to an IP address. The record includes the domain name, the IP address that resolved it, and the TTL in seconds.

A Record is divided into "normal" and "headless" services.

  • The "normal" service assigns a DNS A Record as the name of the form your-svc.your-namespace.svc.cluster.local. This name resolves to the cluster IP of the service.
    Mapping relationship: {service name}.{service namespace}.svc.{domain} - > cluster IP
/ # nslookup backendsvc.testing.svc.cluster.local
Server:         10.96.0.10
Address:        10.96.0.10#53
Name:   backendsvc.testing.svc.cluster.local
Address: 10.110.180.21
  • The "headless" service assigns a DNS A Record to the name of the form your-svc.your-namespace.svc.cluster.local. In contrast to the "normal" service, this name resolves a set of pod IPS selected for the service
    Mapping relationship: {service name}.{service namespace}.svc.{domain} - > pod list
  • Pod will also assign a DNS A record: {pod IP}. {pod namespace}. Pod. {domain} - > pod IP. However, IP addresses are generally used

SRV record

SRV records facilitate service discovery by describing certain service protocols and addresses. SRV records usually define a symbolic name and a transport protocol (such as TCP) as part of the domain name, and define the priority, weight, port and destination of a given service.

  • SRV records are created for the specified ports of "normal" or "headless" services.
  • SRV records use_ my-port-name._ In the form of my-port-protocol.my-svc.my-namespace.svc.cluster.local.
  • For the "normal" service, the resolved port number and domain name are my-svc.my-namespace.svc.cluster.local
  • For the "headless" service, it is resolved to multiple answers, and each answer contains the Pod port number and domain name of the auto generated-name.my-svc.my-namespace.svc.cluster.local form

CNAME record

The CNAME record is used to point a domain or subdomain to another host name.

In Kubernetes, CNAME records cross cluster service discovery that can be used for federated services.

Kubernetes domain name resolution strategy

Kubernetes domain name resolution policy corresponds to dnsPolicy in Pod configuration. There are four optional policies: None, ClusterFirstWithHostNet, ClusterFirst and Default

  • None: a new option value introduced from Kubernetes version 1.9. It allows Pod to ignore DNS settings in the Kubernetes environment. All DNS settings shall be provided using the fields in dnsConfigPod specification;
  • ClusterFirstWithHostNet: for pods running using hostNetwork, users should explicitly set their DNS policy to ClusterFirstWithHostNet;
  • ClusterFirst: any DNS query that does not match the configured cluster domain suffix (for example, cluster.local)“ www.kubernetes.io ”)Forward to the upstream domain name server inherited from the host. The cluster administrator can configure the upstream DNS server as required;
  • Default: the Pod inherits the name resolution configuration from the host

For example, the default is ClusterFirst:

apiVersion: v1
kind: Pod
metadata:
  annotations:
   ...
    kubernetes.io/psp: restrict-policy
  labels:
    run: backend01
  name: backend01
  namespace: default
  resourceVersion: "767484"
  uid: cf5fc4cb-c573-4cc3-81dd-acc086145517
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/tanzu/network-multitool:1.1
    imagePullPolicy: IfNotPresent
    name: backend01
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-rkrp8
      readOnly: true
  **dnsPolicy: ClusterFirst**
  enableServiceLinks: true
  nodeName: worker-01
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default

In this mode, DNS is forwarded to the DNS of the host:

/ # nslookup cisco.com
Server: 10.96.0.10
Address: 10.96.0.10#53
Non-authoritative answer:
Name: cisco.com
Address: 72.163.4.185
Name: cisco.com
Address: 2001:420:1101:1::185

Tags: Kubernetes

Posted on Mon, 06 Dec 2021 20:32:52 -0500 by gli