ACK virtual nodes support service discovery using Alibaba Cloud DNS PrivateZone. This feature syncs DNS records for Headless, ClusterIP, and internal LoadBalancer services to PrivateZone. This topic describes how to enable PrivateZone to sync DNS records for Services associated with ECI Pods, allowing you to access them by their domain names.
Background information
Alibaba Cloud DNS PrivateZone (internal DNS resolution) is a DNS service designed for private networks, such as Alibaba Cloud Virtual Private Clouds (VPCs). It allows clients within your VPC, such as ECS instances and containers, to resolve private domain names and accelerates the resolution process. PrivateZone is a paid service. For more information, see Product Billing.
Prerequisites
- The ack-virtual-node component is installed in your cluster. For more information, see Deploy the ack-virtual-node component.
- This feature is not compatible with CoreDNS. Ensure that the CoreDNS component is not installed in your cluster.
- You have activated Alibaba Cloud DNS PrivateZone on the Alibaba Cloud DNS console.
Enable PrivateZone
- Modify the eci-profile ConfigMap to enable PrivateZone.
  - Log on to the ACK console. In the left navigation pane, click Clusters. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
  - From the Namespace drop-down list, select kube-system. Find the eci-profile ConfigMap and click Edit in the Actions column.
  - Change the value of enablePrivateZone to true and then click OK.
- Confirm that PrivateZone is enabled.
  - In the navigation pane on the left of the Alibaba Cloud DNS console, click Private Zone.
  - On the Authoritative Zone tab, select the User Defined Zones tab. Verify that a zone named svc.cluster.local.<cluster-id> is created.
Sync Service DNS records to PrivateZone
- Create a Deployment and Services for testing.
  - Save the following YAML content as test-pz.yaml. This manifest creates one Deployment and three Services of the types Headless, ClusterIP, and internal LoadBalancer.

    Important: By default, Service DNS records are not synced. To enable synchronization for a specific Service, add the service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true" annotation to its manifest. The virtual node controller will then automatically sync its DNS records to PrivateZone.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-headless-service
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  clusterIP: None
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-clusterip-service
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-intranet-service
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
    service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        alibabacloud.com/eci: "true"   # Add this label to schedule the Pod on ECI.
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
```

  - Create the Deployment and Services.

    kubectl create -f test-pz.yaml
- Verify that the Service DNS records are synced to PrivateZone.
  - In the navigation pane on the left of the Alibaba Cloud DNS console, click Private Zone.
  - On the Authoritative Zone tab, select the User Defined Zones tab. Find the zone named svc.cluster.local.<cluster-id> and click Settings in the Actions column.
  - On the Settings tab, verify that the Service DNS records are automatically synced.

The DNS records in the zone use the format <service-name>.<namespace> and resolve to the corresponding IP addresses. The resolution rules are as follows:
- Headless Service: Corresponds to multiple DNS records, one for each backend Pod IP address.
- ClusterIP Service: Corresponds to a single DNS record that resolves to the cluster IP. The cluster assigns this virtual IP address to the Service for internal communication.
- Internal LoadBalancer Service: Corresponds to a single DNS record that resolves to the IP address of the internal Server Load Balancer (SLB) instance.
After the records are synced, you can access the Services from within your VPC using their private domain names.
- Short domain name access: Within the cluster, you can access a Service in the same namespace using <service-name>, or a Service in a different namespace using <service-name>.<namespace>.
- Fully qualified domain name (FQDN) access: From outside the cluster but within the same VPC, you can access a Service using <service-name>.<namespace>.svc.cluster.local.<cluster-id>. This method applies only to Headless Services.
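The following script is an added example, not code from the ACK documentation or from the ack-virtual-node project. It models the two rule sets above in one place: which records the controller would publish to the svc.cluster.local.<cluster-id> zone for the Services in test-pz.yaml (annotation required; Headless gives one record per backend Pod IP, ClusterIP gives the cluster IP, internal LoadBalancer gives the SLB address), and which domain name a client should use depending on where it sits. It goes slightly beyond the manifest by also feeding in a Service without the annotation and an Internet-facing LoadBalancer, so the "not synced" path is visible. Everything it consumes is constructed inline: the Service and Pod dictionaries are stand-ins for `kubectl get svc -o json` / `kubectl get pods -o json` output, the cluster id and all IP addresses are placeholders, backend Pods are matched by the Service selector (an assumption about how backends are found; the real controller is not modelled), and `make_service`, `expected_records`, `service_kind` and `access_name` are names chosen here, not APIs of the product.

```python
"""Preview the records the virtual node controller would sync to the
svc.cluster.local.<cluster-id> zone and pick the name a client should use.
Added example, not code from the ACK docs or the ack-virtual-node project.
Service/Pod objects are constructed stand-ins for `kubectl get ... -o json`
output; the cluster id and all IP addresses are placeholders."""

PZ_ENABLE = "service.beta.kubernetes.io/alibaba-cloud-private-zone-enable"
LB_ADDR_TYPE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
CLUSTER_ID = "c0123456789abcdef"  # placeholder, not a real cluster id
ZONE = f"svc.cluster.local.{CLUSTER_ID}"

def service_kind(svc):
    """'Headless', 'ClusterIP' or 'InternalLoadBalancer'; None for anything
    else, e.g. an Internet-facing LoadBalancer (assumption: only the three
    kinds the docs list are synced)."""
    spec = svc["spec"]
    if spec.get("clusterIP") == "None":
        return "Headless"
    svc_type = spec.get("type", "ClusterIP")
    if svc_type == "ClusterIP":
        return "ClusterIP"
    lb_type = svc["metadata"].get("annotations", {}).get(LB_ADDR_TYPE)
    if svc_type == "LoadBalancer" and lb_type == "intranet":
        return "InternalLoadBalancer"
    return None

def expected_records(services, pods):
    """Return ({"<service-name>.<namespace>": [ip, ...]}, [(name, reason)]).
    Only annotated Services are included: Headless -> one record per backend
    Pod IP, ClusterIP -> the cluster IP, internal LoadBalancer -> the SLB
    address. Backends are matched by the Service selector (an assumption
    about how backends are found; the controller itself is not modelled)."""
    records, skipped = {}, []
    for svc in services:
        meta = svc["metadata"]
        ns = meta.get("namespace", "default")
        name = f"{meta['name']}.{ns}"
        if meta.get("annotations", {}).get(PZ_ENABLE) != "true":
            skipped.append((name, "annotation missing"))
            continue
        kind = service_kind(svc)
        if kind == "Headless":
            selector = svc["spec"].get("selector", {})
            ips = [p["status"]["podIP"] for p in pods
                   if p["metadata"].get("namespace", "default") == ns
                   and p["status"].get("podIP")
                   and all(p["metadata"].get("labels", {}).get(k) == v
                           for k, v in selector.items())]
        elif kind == "ClusterIP":
            ips = [svc["spec"]["clusterIP"]]
        elif kind == "InternalLoadBalancer":
            ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
            ips = [entry["ip"] for entry in ingress if "ip" in entry]
        else:
            skipped.append((name, "service type not synced"))
            continue
        records[name] = sorted(ips)
    return records, skipped

def access_name(service, namespace, kind, client_namespace=None):
    """Name a client uses, per the docs' access rules: in-cluster callers use
    the short name (same namespace) or <service-name>.<namespace>; callers
    outside the cluster but inside the VPC (client_namespace=None) use the
    FQDN, which the docs state works for Headless Services only."""
    if client_namespace is not None:
        return service if client_namespace == namespace else f"{service}.{namespace}"
    return f"{service}.{namespace}.{ZONE}" if kind == "Headless" else None

def make_service(name, annotations, spec, status=None):
    """Build a minimal Service object in the shape kubectl returns (constructed)."""
    return {"metadata": {"name": name, "namespace": "default",
                         "annotations": annotations}, "spec": spec, "status": status or {}}

# Constructed objects mirroring test-pz.yaml, plus one Service without the
# annotation to show that it is left out of the sync.
SAMPLE_SERVICES = [
    make_service("nginx-headless-service", {PZ_ENABLE: "true"},
                 {"ports": [{"port": 80}], "selector": {"app": "nginx"}, "clusterIP": "None"}),
    make_service("nginx-clusterip-service", {PZ_ENABLE: "true"},
                 {"ports": [{"port": 80}], "selector": {"app": "nginx"},
                  "type": "ClusterIP", "clusterIP": "172.16.0.10"}),
    make_service("nginx-intranet-service", {LB_ADDR_TYPE: "intranet", PZ_ENABLE: "true"},
                 {"ports": [{"port": 80}], "selector": {"app": "nginx"},
                  "type": "LoadBalancer", "clusterIP": "172.16.0.11"},
                 {"loadBalancer": {"ingress": [{"ip": "192.168.5.6"}]}}),
    make_service("nginx-unannotated", {},
                 {"ports": [{"port": 80}], "selector": {"app": "nginx"},
                  "type": "ClusterIP", "clusterIP": "172.16.0.12"}),
]
SAMPLE_PODS = [{"metadata": {"namespace": "default",
                             "labels": {"app": "nginx", "alibabacloud.com/eci": "true"}},
                "status": {"podIP": ip}}
               for ip in ("10.0.1.11", "10.0.1.12", "10.0.1.13")]

if __name__ == "__main__":
    records, skipped = expected_records(SAMPLE_SERVICES, SAMPLE_PODS)
    for name, ips in records.items():
        print(f"{name}.{ZONE} -> {', '.join(ips)}")
    for name, reason in skipped:
        print(f"not synced: {name} ({reason})")
```

Running it prints three record names under the zone and one "not synced" line for the unannotated Service; comparing that output with the Settings tab of the zone is a quick way to confirm that exactly the Services you opted in, and no others, have been published to PrivateZone.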