当前位置：网站首页>Analyzing the principle of DNS resolution in kubernetes cluster

Analyzing the principle of DNS resolution in kubernetes cluster

2022-07-28 13:41:00 【CSDN cloud computing】

author | Jiang Xiaonan

source | Jiang Xiaonan and his friends

introduction

Speaking of DNS Domain name resolution , What you think of most may be /etc/hosts file , There's nothing wrong with it , however /etc/hosts Only the local domain name can be resolved , If the cross machine parsing is a little stretched .

There is another configuration in the server that deserves your attention ,/etc/resolv.conf, This file is used to configure DNS The server , So that domain name resolution can be extended beyond the machine .

kubernetes This mechanism is used by clusters .

principle

When kubernetes Once the initialization is complete , stay kube-system Under the namespace kube-dns Of service Services and coredns Of pod.

[[email protected] etc]# kubectl get svc -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   14d
[[email protected] etc]# kubectl get pod -n kube-system -o wide| grep coredns
coredns-5897cd56c4-7ps2n                   1/1     Running   9          14d   192.168.235.220   k8s-master    <none>           <none>
coredns-5897cd56c4-j7psj                   1/1     Running   9          14d   192.168.235.221   k8s-master    <none>           <none>
[[email protected] etc]#

CoreDNS It's a DNS Resolved components , As in the cluster DNS The server , Provide domain name resolution services for the cluster . For example, a front end pod To pass the service name Access back end pod, front end pod Will first pass their own dns file (/etc/resolv.conf) Point to dns The server , from dns The server is used for domain name resolution and conversion ip, And then through ip Access to the back end pod.

Configure policy

stay yaml in , adopt dnsPolicy Field configuration DNS Strategy , share 4 Strategies ：

ClusterFirst： The default policy , Indicates the use of... Within the cluster CoreDNS To do domain name resolution .
Default：Pod Directly inherit the cluster node Node's domain name resolution configuration , That is to say ,Pod Will directly use the... On the host /etc/resolv.conf The contents of the document .
None： Ignore k8s In a cluster environment DNS Set up ,Pod Will use its dnsConfig Field DNS To configure .
ClusterFirstWithHostNet： Host and Kubernetes coexistence , In this case POD, It can use the host computer DNS service , Can use again kube-dns Of Dns service , Note that hostNetwork open .

Deployment validation

First of all, let's make a point ,CoreDNS It has the ability to resolve domain names outside the cluster , But outside the cluster DNS The server does not necessarily have the ability to resolve domain names in the cluster . Based on this understanding , We do the following tests .

ClusterFirst

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      restartPolicy: Always
      containers:
        - name: mynginx
          image: nginx
          imagePullPolicy: IfNotPresent
      dnsPolicy: ClusterFirst

[[email protected] test]# kubectl apply -f deployment.yaml 
deployment.apps/nginx-deploy created
[[email protected] test]# kubectl get pod
NAME                            READY   STATUS    RESTARTS   AGE
nginx-deploy-6d79d74f76-qp8pr   1/1     Running   0          77s
nginx-deploy-6d79d74f76-tjcxt   1/1     Running   0          77s
[[email protected] test]#

#  Go inside the container 
[[email protected] test]# kubectl exec -it nginx-deploy-6d79d74f76-qp8pr -c mynginx -- /bin/bash
[email protected]:/# cat /etc/resolv.conf 
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local pek3.qingcloud.com
options ndots:5
[email protected]:/#

#  visit service success 
[email protected]:/# curl nginx-deploy.default.svc:8000
<!DOCTYPE html>
<html>
...
<body>
<h1>Welcome to nginx!</h1>
...
</body>
</html>
[email protected]:/#

You can find NDS The server is 10.96.0.10, We got this address in the principle section above kube-dns The same address as . explain ClusterFirst The strategy of uses the inside of the cluster CoreDNS To do domain name resolution , And successfully parsed service domain name .

Default

take yaml Medium dnsPolicy: ClusterFirst It is amended as follows dnsPolicy: Default.

[[email protected] test]# kubectl apply -f deployment.yaml 
deployment.apps/nginx-deploy created
[[email protected] test]# kubectl get pod
NAME                            READY   STATUS    RESTARTS   AGE
nginx-deploy-85bd9d5f4c-js6fv   1/1     Running   0          5s
nginx-deploy-85bd9d5f4c-q8pxb   1/1     Running   0          5s
[[email protected] test]#

#  Go inside the container 
[[email protected] test]# kubectl exec -it nginx-deploy-85bd9d5f4c-js6fv -c mynginx -- /bin/bash
[email protected]:/# cat /etc/resolv.conf 
nameserver 100.64.9.5
search pek3.qingcloud.com
[email protected]:/#

#  View the native  /etc/resolv.conf
[[email protected] test]# cat /etc/resolv.conf 
# Generated by NetworkManager
search pek3.qingcloud.com
nameserver 100.64.9.5
[[email protected] test]#

#  visit service You don't succeed 
[email protected]:/# curl nginx-deploy.default.svc:8000
curl: (6) Could not resolve host: nginx-deploy.default.svc
[email protected]:/#

#  Visit Baidu successfully 
[email protected]:/# curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title> use Baidu Search , You will know </title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value= use Baidu Search  class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav> Journalism </a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav> Map </a> <a href=http://v.baidu.com name=tj_trvideo class=mnav> video </a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav> tieba </a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb> Sign in </a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb"> Sign in </a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;"> More products </a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com> About Baidu </a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/> Read Before Using Baidu </a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback> Feedback </a>&nbsp; Beijing ICP Prove 030173 Number &nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
[email protected]:/#

Instruction use Default Strategy ,Pod Will directly use the... On the host /etc/resolv.conf The contents of the document , Of course service Domain name is not successful .

None

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      restartPolicy: Always
      containers:
        - name: mynginx
          image: nginx
          imagePullPolicy: IfNotPresent
      dnsPolicy: None
      dnsConfig:
        nameservers: ["172.31.0.3","172.31.0.4"]
        searches:
          - default.svc.cluster.local
          - svc.cluster.local
          - cluster.local
        options:
          - name: ndots
            value: "5"

[[email protected] test]# kubectl apply -f deployment.yaml 
deployment.apps/nginx-deploy created
[[email protected] test]# kubectl get pod
NAME                            READY   STATUS    RESTARTS   AGE
nginx-deploy-6699fcc589-7nrn7   1/1     Running   0          7s
nginx-deploy-6699fcc589-8sk8p   1/1     Running   0          7s
[[email protected] test]#

#  Go inside the container 
[[email protected] test]# kubectl exec -it nginx-deploy-6699fcc589-7nrn7 -c mynginx -- /bin/bash
[email protected]:/# cat /etc/resolv.conf 
nameserver 172.31.0.3
nameserver 172.31.0.4
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
[email protected]:/#

explain None Strategy Pod Will use its dnsConfig Field DNS To configure .nameserver Up to... Can be configured 3 individual ip. Domain name resolution ability depends on DNS Depends on the parsing ability of the server .

ClusterFirstWithHostNet

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      restartPolicy: Always
      containers:
        - name: mynginx
          image: nginx
          imagePullPolicy: IfNotPresent
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true

[[email protected] test]# kubectl apply -f deployment.yaml 
deployment.apps/nginx-deploy created
[[email protected] test]# kubectl get pod
NAME                            READY   STATUS    RESTARTS   AGE
nginx-deploy-74bd47ccdd-cjbmv   1/1     Running   0          4s
nginx-deploy-74bd47ccdd-m6bm6   1/1     Running   0          4s
[[email protected] test]#

[[email protected] test]# kubectl exec -it nginx-deploy-74bd47ccdd-cjbmv -c mynginx -- /bin/bash
[email protected]:/# cat /etc/resolv.conf 
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local pek3.qingcloud.com
options ndots:5
[email protected]:/#

#  visit service success 
[email protected]:/# curl nginx-deploy.default.svc:8000
<!DOCTYPE html>
<html>
...
<body>
<h1>Welcome to nginx!</h1>
...
</html>
[email protected]:/#

#  Visit Baidu successfully 
[email protected]:/# curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title> use Baidu Search , You will know </title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value= use Baidu Search  class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav> Journalism </a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav> Map </a> <a href=http://v.baidu.com name=tj_trvideo class=mnav> video </a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav> tieba </a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb> Sign in </a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb"> Sign in </a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;"> More products </a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com> About Baidu </a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/> Read Before Using Baidu </a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback> Feedback </a>&nbsp; Beijing ICP Prove 030173 Number &nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
[email protected]:/#

Can access at the same time service And baidu , It shows that this configuration can use the CoreDNS To do domain name resolution , You can also use the host DNS Do domain name resolution .

Be careful ： We sometimes see the following configuration .

dnsPolicy: ClusterFirst
hostNetwork: true

hostNetwork Indicates sharing cyberspace with the host . But only dnsPolicy: ClusterFirstWithHostNet Effective when . And the configuration here ClusterFirst Because it's open hostNetwork by true, Will automatically switch to Default, At this time, domain name resolution in the cluster cannot succeed .