This topic introduces how Domain Name System (DNS) resolution works in Container Service for Kubernetes (ACK) clusters, and describes how to configure DNS policies to meet different business requirements in various scenarios.
Prerequisites
Before you configure the pre-installed DNS server, make sure that you have completed the following steps:
Background information
By default, a Service named kube-dns is deployed in an ACK cluster to provide DNS resolution services for the cluster. You can run the following command to query information about the kube-dns Service:
kubectl get svc kube-dns -n kube-system
Expected output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 172.24.0.10 <none> 53/UDP,53/TCP,9153/TCP 27d
Two backend pods named coredns are deployed for the kube-dns Service. You can run the following command to query information about the coredns pods:
kubectl get deployment coredns -n kube-system
Expected output:
NAME READY UP-TO-DATE AVAILABLE AGE
coredns 2/2 2 2 27d
How DNS resolution works in ACK clusters
The startup parameters of kubelet in an ACK cluster include --cluster-dns=<dns-service-ip>
and --cluster-domain=<default-local-domain>
. These parameters are used to configure the IP address and the suffix of the base domain name for the DNS server in the ACK cluster.
The DNS configuration file in the pod is /etc/resolv.conf. The file contains the following content:
nameserver xx.xx.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
Parameter | Description |
nameserver | Specifies the IP addresses of the DNS servers. |
search | Specifies the suffixes that are used for DNS queries. More suffixes indicate more DNS queries. For ACK clusters, suffixes are |
options | Specifies the options for the DNS configuration file. You can specify multiple key-value pairs. For example, |
According to the preceding settings, DNS queries of internal domain names and external domain names are sent to the DNS servers of an ACK cluster for DNS resolution.
Use dnsPolicy to configure DNS policies for an ACK cluster in different scenarios
You can use the dnsPolicy parameter to specify different DNS policies among pods. ACK clusters support the following DNS policies:
ClusterFirst: This policy indicates that a pod uses CoreDNS to resolve domain names. The /etc/resolv.conf file contains the address of the DNS server that is provided by CoreDNS, which is kube-dns. This is the default DNS policy for workloads in an ACK cluster.
None: This policy indicates that a pod ignores the DNS settings of the ACK cluster. You must customize the DNS settings by using the dnsConfig field.
Default: This policy indicates that a pod inherits the DNS settings from the node where the pod is deployed. In an ACK cluster, nodes are created based on Elastic Compute Service (ECS) instances. Therefore, a pod directly uses the /etc/resolv.conf file of the ECS instance-based node where the pod is deployed. This file contains the address of a DNS server that is provided by Alibaba Cloud DNS.
ClusterFirstWithHostNet: This policy indicates that a pod in HostNetwork mode uses the ClusterFirst policy. If you do not specify a policy for a pod, the pod uses the Default policy.
You can use the preceding DNS policies to meet different business requirements in various scenarios.
Scenario 1: Use CoreDNS provided by ACK clusters to resolve domain names
In this scenario, you must specify
dnsPolicy: ClusterFirst
for the DNS policy settings. Example:apiVersion: v1 kind: Pod metadata: name: alpine namespace: default spec: containers: - image: alpine command: - sleep - "10000" imagePullPolicy: Always name: alpine dnsPolicy: ClusterFirst
Scenario 2: Customize DNS settings for a pod
To customize DNS settings for a Deployment, you must specify
dnsPolicy: None
for the DNS policy settings. Example:apiVersion: v1 kind: Pod metadata: name: alpine namespace: default spec: containers: - image: alpine command: - sleep - "10000" imagePullPolicy: Always name: alpine dnsPolicy: None dnsConfig: nameservers: ["169.254.xx.xx"] searches: - default.svc.cluster.local - svc.cluster.local - cluster.local options: - name: ndots value: "2"
The following table describes the parameters in the dnsConfig section.
Parameter
Description
nameservers
A list of IP addresses of DNS servers for the pod. You can specify up to three IP addresses. If you set dnsPolicy to
None
for a pod, you must specify at least one IP address. If you do not set dnsPolicy to None for a pod, this parameter is optional. The listed DNS server IP addresses will be added to the nameserver field of the DNS configuration file that is generated based on the value of dnsPolicy. Duplicate IP addresses are removed.searches
A list of DNS search domains for hostname lookup in the pod. This parameter is optional. The listed DNS search domains will be added to the list of base search domains that are generated based on the specified DNS policy. Duplicate domain names are removed. You can specify up to six search domains.
options
A list of optional items. Each item can contain a name (required) and a value (optional). The specified items will be added to the list of optional items that are generated based on the specified DNS policy. Duplicate items are removed.
For more information, see DNS for Services and Pods.
Scenario 3: Use the DNS settings of an ECS instance that is provided by Alibaba Cloud
If your application pods do not need to access other services deployed in the ACK cluster, you can specify
dnsPolicy: Default
for the DNS policy settings. In this scenario, DNS resolution is performed by Alibaba Cloud DNS and CoreDNS is not required. Example:apiVersion: v1 kind: Pod metadata: name: alpine namespace: default spec: containers: - image: alpine command: - sleep - "10000" imagePullPolicy: Always name: alpine dnsPolicy: Default
Scenario 4: Enable pods in HostNetwork mode to access services in an ACK cluster
If you specify hostNetwork:true for the network settings of your application pods, your application pods can directly use the host network. In this case, the default DNS policy for a pod is Default. As a result, your application pods cannot access services deployed in the ACK cluster. If you want to enable pods in HostNetwork mode to access services deployed in the ACK cluster, you must specify
dnsPolicy: ClusterFirstWithHostNet
for the DNS policy settings. Example:apiVersion: v1 kind: Pod metadata: name: alpine namespace: default spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet containers: - image: alpine command: - sleep - "10000" imagePullPolicy: Always name: alpine
Use the hostAliases field to configure the /etc/hosts file in a pod
If you want to map a specified domain name to a static IP address for DNS resolution within all pods, you can enable the hosts plug-in of CoreDNS. For more information, see Configure extended features based on CoreDNS.
If you want to map a specified domain name to a static IP address for DNS resolutions within a specified pod, you can add the hostAliases field to the configurations of the pod to modify the /etc/hosts file. Example:
apiVersion: v1
kind: Pod
metadata:
name: hostaliases-pod
spec:
hostAliases:
- ip: "127.0.**.**"
hostnames:
- "foo.local"
- "bar.local"
- ip: "10.1.**.**"
hostnames:
- "foo.remote"
containers:
- name: cat-hosts
image: busybox:1.28
command:
- cat
args:
- "/etc/hosts"
The hostAliases
field is added to the spec section in the pod configurations. After the pod is launched, the /etc/hosts file is initialized with the following content:
# Kubernetes-managed hosts file.
127.0.**.** localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.200.**.** hostaliases-pod
# Entries added by HostAliases.
127.0.**.** foo.local bar.local
10.1.**.** foo.remote bar.remote
The preceding content shows that the foo.local, bar.local, and foo.remote domain names are mapped to static IP addresses.