
Container Service for Kubernetes:DNS for Service discovery

Last Updated: Sep 19, 2023

Container Service for Kubernetes (ACK) Serverless clusters can discover Services through Domain Name System (DNS) resolution. This topic describes how DNS resolution works in ACK Serverless clusters and the DNS-based Service discovery components supported by ACK Serverless clusters.


Usage notes

  • If you do not enable a DNS-based Service discovery component when you create an ACK Serverless cluster, the pods in the cluster use the DNS servers provided by the virtual private cloud (VPC) of the cluster to resolve domain names. In this case, the domain names of Services in the cluster cannot be resolved.

  • If you enable a DNS-based Service discovery component for an existing ACK Serverless cluster, the existing pods in the cluster do not use the component. You need to recreate the existing pods so that they can use the DNS-based Service discovery component.

  • The managed CoreDNS component will replace the non-managed CoreDNS component, which will be removed from the ACK console. If you want to use the non-managed CoreDNS component, submit a ticket.

How DNS resolution works in ACK Serverless clusters

The following code block shows the default content of the /etc/resolv.conf file when you create a pod in an ACK Serverless cluster. The file specifies the DNS server, the search domain, and other parameters.

# The nameserver parameter specifies the IP address of the DNS server that is used by the pod. 
nameserver 172.xx.x.xx
# The search parameter specifies the search domain suffixes that are appended to the Service that you want to access. If the pod belongs to the kube-system namespace, the following search domain suffixes are used: 
search kube-system.svc.cluster.local svc.cluster.local cluster.local
# Other parameters
options ndots:5

For more information about the DNS configuration file and the DNS policies of pods, see Configure DNS resolution.
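As an added illustration (not code from the ACK documentation), the following Python simulates how the stub resolver in a pod applies the search list and the ndots option from the file above: a short name such as my-svc is tried under each cluster.local suffix before the bare name, and with ndots:5 even a public name such as api.example.com is first sent to CoreDNS with the three cluster.local suffixes before the bare name is forwarded upstream. The resolv.conf text is constructed to match the example, and the nameserver value is the page's placeholder.

```python
# Constructed resolv.conf matching the page's example for a pod in the
# kube-system namespace; the nameserver value is the page's placeholder.
RESOLV_CONF = """\
nameserver 172.xx.x.xx
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""


def parse_resolv_conf(text):
    """Return (nameservers, search list, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # glibc default is ndots:1
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver":
            nameservers.extend(values)
        elif key == "search":
            search = values
        elif key == "options":
            for opt in values:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidate_names(name, search, ndots):
    """Order in which the stub resolver tries names for one lookup.

    A name ending in '.' is absolute and is sent as-is. Otherwise, a name
    with fewer than ndots dots is tried with every search suffix first and
    bare last; a name with ndots or more dots is tried bare first.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") < ndots:
        return suffixed + [name + "."]
    return [name + "."] + suffixed


if __name__ == "__main__":
    _, search, ndots = parse_resolv_conf(RESOLV_CONF)
    # With ndots:5, api.example.com hits the three cluster.local suffixes
    # (answered by CoreDNS) before the bare name is forwarded upstream.
    for query in ("my-svc", "my-svc.default", "api.example.com", "api.example.com."):
        print(query, "->", candidate_names(query, search, ndots))
```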

DNS-based Service discovery components supported by ACK Serverless clusters

  • Managed CoreDNS: We recommend that you use this component. Pods use managed CoreDNS to resolve domain names. The CoreDNS pods are created and maintained by ACK Serverless. Therefore, managed CoreDNS is completely O&M-free. The component does not run on elastic container instances.

  • Non-managed CoreDNS: Pods use non-managed CoreDNS to resolve domain names. You must properly configure the component and make sure that the CoreDNS pods run as expected.

  • PrivateZone: Pods use Alibaba Cloud DNS PrivateZone to resolve domain names. ACK Serverless automatically creates and updates DNS records in Alibaba Cloud DNS PrivateZone.

Managed CoreDNS

Managed CoreDNS is exposed by using the cluster IP address of the kube-dns Service in the kube-system namespace. The following figure shows how a client pod uses managed CoreDNS.

[Figure: how a client pod uses managed CoreDNS]

The links in the figure are described as follows:

  1. When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service. In this example, the IP address of the DNS server is the cluster IP address of the kube-dns Service in the kube-system namespace of the cluster. The cluster IP address of the kube-dns Service is maintained and updated by the ACK Serverless cluster.

  2. When a client pod accesses an external domain name, managed CoreDNS forwards the DNS query to DNS servers 100.100.2.136 and 100.100.2.138. The DNS servers are provided by the VPC of the cluster.

  3. After the client pod obtains the IP address of the upstream Service from the DNS server, the client pod sends a request to the IP address.

Enable managed CoreDNS

Important
  • After you enable managed CoreDNS, the ACK Serverless cluster automatically creates a ClusterIP type Service named kube-dns in the kube-system namespace. Do not modify the Service.

  • Managed CoreDNS is available in certain regions. If you cannot find the component in the ACK console, the component is unavailable in the region that you selected. You can customize the configuration of managed CoreDNS. To use this feature, submit a ticket.

  • Method 1: To enable managed CoreDNS for a new ACK Serverless cluster, select CoreDNS (Managed) for the Service Discovery parameter.

  • Method 2: To enable managed CoreDNS for an existing ACK Serverless cluster, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. Then, click Install in the CoreDNS (Managed) section. For more information, see Manage components.

Non-managed CoreDNS

Non-managed CoreDNS is a DNS resolver for Kubernetes clusters. Non-managed CoreDNS can resolve custom internal domain names and external domain names. Non-managed CoreDNS provides a variety of plug-ins that you can use to customize DNS settings, host records, Canonical Name (CNAME) records, and rewrite rules for Kubernetes clusters. The CoreDNS project is hosted by the Cloud Native Computing Foundation (CNCF), which also hosts Kubernetes. For more information, see CNCF. For more information about CoreDNS, see CoreDNS: DNS and Service Discovery.

Non-managed CoreDNS is exposed by using the cluster IP address of the kube-dns Service in the kube-system namespace. The following figure shows how a client pod uses non-managed CoreDNS.

[Figure: how a client pod uses non-managed CoreDNS]

The links in the figure are described as follows:

  1. When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service. In this example, the IP address of the DNS server is the cluster IP address of the kube-dns Service in the kube-system namespace.

  2. When a client pod accesses an external domain name, CoreDNS forwards the DNS query to DNS servers 100.100.2.136 and 100.100.2.138. The DNS servers are provided by the VPC of the cluster.

  3. After the client pod obtains the IP address of the upstream Service from the DNS server, the client pod sends a request to the IP address.

Enable non-managed CoreDNS

  • Method 1: To enable non-managed CoreDNS for a new ACK Serverless cluster, select CoreDNS for the Service Discovery parameter.

  • Method 2: To enable non-managed CoreDNS for an existing ACK Serverless cluster, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. Then, click Install in the CoreDNS section. For more information, see Manage components.

PrivateZone

Alibaba Cloud DNS PrivateZone dynamically monitors the Services and endpoints in each namespace of a Kubernetes cluster and automatically registers the domain names of the Services and the endpoints with Alibaba Cloud DNS PrivateZone. Pods in an ACK Serverless cluster use Alibaba Cloud DNS PrivateZone to resolve domain names for Service discovery in Kubernetes. For more information, see Use Alibaba Cloud DNS PrivateZone to implement Service discovery in ACK Serverless clusters.

Alibaba Cloud DNS PrivateZone provides resolution services by using DNS servers (100.100.2.136 and 100.100.2.138) provided by the VPC of the cluster. The following figure shows how a client pod uses Alibaba Cloud DNS PrivateZone.

[Figure: how a client pod uses Alibaba Cloud DNS PrivateZone]

The links in the figure are described as follows:

  1. The PrivateZone controller connects to the API server and monitors Service creation and update events in the cluster.

  2. After the PrivateZone controller detects Service creation and update events, the controller synchronizes the events to the DNS records of the authoritative zone in Alibaba Cloud DNS PrivateZone.

  3. When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service. In this example, the DNS servers are provided by the VPC of the cluster. The IP addresses of the DNS servers are 100.100.2.136 and 100.100.2.138. The DNS servers obtain the IP address of the upstream Service from Alibaba Cloud DNS PrivateZone and return the IP address to the client pod.

  4. After the client pod obtains the IP address of the upstream Service from the DNS servers, the client pod sends a request to the IP address.

Enable the Alibaba Cloud DNS PrivateZone component

  • Method 1: To enable the component for a new ACK Serverless cluster, select PrivateZone for the Service Discovery parameter.

  • Method 2: To enable the component for an existing ACK Serverless cluster, set the enablePrivateZone parameter in the eci-profile ConfigMap to true.

FAQ

How do I check whether managed CoreDNS, non-managed CoreDNS, or Alibaba Cloud DNS PrivateZone is enabled for a cluster?

  • Managed CoreDNS and non-managed CoreDNS

    Log on to the ACK console. In the left-side navigation pane, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. If Installed is displayed in the upper-right corner of the CoreDNS (Managed) or CoreDNS card, the component is enabled for the cluster.

    The following figure shows that managed CoreDNS is enabled.

    [Figure: Add-ons page with Installed displayed on the CoreDNS (Managed) card]
  • Alibaba Cloud DNS PrivateZone

    Log on to the Alibaba Cloud DNS PrivateZone console and search for authoritative zones by using the ID of the VPC of the ACK Serverless cluster. If zones whose names end with the cluster ID exist, Alibaba Cloud DNS PrivateZone is enabled.

How do I check whether a client pod uses managed CoreDNS, non-managed CoreDNS, or Alibaba Cloud DNS PrivateZone?

  • Managed CoreDNS and non-managed CoreDNS

    Run the kubectl exec command to access the pod. Then, run the cat /etc/resolv.conf command. If the nameserver field displays the cluster IP address of the kube-dns Service in the kube-system namespace, the pod uses managed CoreDNS or non-managed CoreDNS.

  • Alibaba Cloud DNS PrivateZone

    Run the kubectl exec command to access the pod. Then, run the cat /etc/resolv.conf command. If the nameserver field displays 100.100.2.136 and 100.100.2.138, the pod uses Alibaba Cloud DNS PrivateZone. The IP addresses provided in this topic are only for reference.
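As an added example (not code from the ACK documentation), the following Python applies the checks above to the text returned by cat /etc/resolv.conf: it maps a pod's nameservers to the component described on this page, and lists pods that still point elsewhere after CoreDNS is enabled, which must be recreated as noted in Usage notes. The sample resolv.conf contents and the kube-dns cluster IP 172.21.0.10 are constructed; read the real value with kubectl -n kube-system get svc kube-dns.

```python
# DNS servers of the VPC, as given on this page (values are for reference only).
VPC_DNS = {"100.100.2.136", "100.100.2.138"}


def nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def dns_backend(resolv_conf, kube_dns_cluster_ip):
    """Map a pod's nameservers to the discovery component described on this page."""
    servers = set(nameservers(resolv_conf))
    if not servers:
        return "unknown: no nameserver entry"
    if servers == {kube_dns_cluster_ip}:
        return "CoreDNS (managed or non-managed) via the kube-dns Service"
    if servers <= VPC_DNS:
        # Pods also use the VPC servers when no component is enabled, so
        # resolv.conf alone cannot confirm PrivateZone: check the PrivateZone
        # console for zones whose names end with the cluster ID.
        return "VPC DNS: PrivateZone if enabled, otherwise no Service discovery"
    return "unknown: unexpected nameserver(s) " + ", ".join(sorted(servers))


def pods_needing_recreate(pod_resolv_confs, kube_dns_cluster_ip):
    """Pods created before CoreDNS was enabled keep their old resolv.conf;
    return the names of pods whose nameservers are not the kube-dns cluster IP."""
    return sorted(pod for pod, conf in pod_resolv_confs.items()
                  if set(nameservers(conf)) != {kube_dns_cluster_ip})


# Constructed sample outputs of: kubectl exec <pod> -- cat /etc/resolv.conf
KUBE_DNS_IP = "172.21.0.10"  # constructed; real value comes from kubectl
CORE_DNS_POD = ("nameserver 172.21.0.10\n"
                "search default.svc.cluster.local svc.cluster.local cluster.local\n"
                "options ndots:5\n")
VPC_DNS_POD = ("nameserver 100.100.2.136\nnameserver 100.100.2.138\n"
               "search default.svc.cluster.local\noptions ndots:5\n")

if __name__ == "__main__":
    for name, conf in (("core-dns-pod", CORE_DNS_POD), ("vpc-dns-pod", VPC_DNS_POD)):
        print(name, "->", dns_backend(conf, KUBE_DNS_IP))
    print("recreate:", pods_needing_recreate({"old": VPC_DNS_POD, "new": CORE_DNS_POD}, KUBE_DNS_IP))
```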
