how to implement service discovery for ECI using Alibaba Cloud DNS PrivateZone - Container Service for Kubernetes

ACK virtual nodes support service discovery using Alibaba Cloud DNS PrivateZone. This feature syncs DNS records for Headless, ClusterIP, and internal LoadBalancer services to PrivateZone. This topic describes how to enable PrivateZone to sync DNS records for Services associated with ECI Pods, allowing you to access them by their domain names.

Background information

Alibaba Cloud DNS PrivateZone (internal DNS resolution) is a DNS service designed for private networks, such as Alibaba Cloud Virtual Private Clouds (VPCs). It allows clients within your VPC, such as ECS instances and containers, to resolve private domain names and accelerates the resolution process. PrivateZone is a paid service. For more information, see Product Billing.

Prerequisites

The ack-virtual-node component is installed in your cluster. For more information, see Deploy the ack-virtual-node component.
This feature is not compatible with CoreDNS. Ensure that the CoreDNS component is not installed in your cluster.
You have activated Alibaba Cloud DNS PrivateZone on the Alibaba Cloud DNS console.

Enable PrivateZone

Modify the eci-profile ConfigMap to enable PrivateZone.
1. Log on to the ACK console. In the left navigation pane, click Clusters.
2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Configurations > ConfigMaps.
3. From the Namespace drop-down list, select kube-system. Find the eci-profile ConfigMap and click Edit in the Actions column.
4. Change the value of enablePrivateZone to true and then click OK.
Confirm that PrivateZone is enabled.
1. In the navigation pane on the left of the Alibaba Cloud DNS console, click Private Zone.
2. On the Authoritative Zone tab, select the User Defined Zones tab. Verify that a zone named svc.cluster.local.<cluster-id> is created.

Sync Service DNS records to PrivateZone

Create a Deployment and Services for testing.

Save the following YAML content as test-pz.yaml.

This manifest creates one Deployment and three Services of the types Headless, ClusterIP, and internal LoadBalancer.

Important

By default, Service DNS records are not synced. To enable synchronization for a specific Service, add the service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true" annotation to its manifest. The virtual node controller will then automatically sync its DNS records to PrivateZone.

apiVersion: v1
kind: Service
metadata:
  name: nginx-headless-service
  annotations:
     service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  clusterIP: None
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-clusterip-service
  annotations:
     service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-intranet-service
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
    service.beta.kubernetes.io/alibaba-cloud-private-zone-enable: "true"
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: LoadBalancer
---  
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        alibabacloud.com/eci: "true"          # Add this label to schedule the Pod on ECI.
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80

Create the Deployment and Services.
```
kubectl create -f test-pz.yaml
```

Verify that the Service DNS records are synced to PrivateZone.
1. In the navigation pane on the left of the Alibaba Cloud DNS console, click Private Zone.
2. On the Authoritative Zone tab, select the User Defined Zones tab. Find the zone named svc.cluster.local.<cluster-id> and click Settings in the Actions column.
3. On the Settings tab, verify that the Service DNS records are automatically synced.
  
  The DNS records in the zone use the format <service-name>.<namespace> and resolve to the corresponding IP addresses. The resolution rules are as follows:
  - Headless Service: Corresponds to multiple DNS records, one for each backend Pod IP address.
  - ClusterIP Service: Corresponds to a single DNS record that resolves to the cluster IP. The cluster assigns this virtual IP address to the Service for internal communication.
  - Internal LoadBalancer service: Corresponds to a single DNS record that resolves to the IP address of the internal Server Load Balancer (SLB) instance.
  After the records are synced, you can access the Services from within your VPC using their private domain names.
  - Short domain name access: Within the cluster, you can access a Service in the same namespace using <service-name>, or a Service in a different namespace using <service-name>.<namespace>.
  - Fully qualified domain name (FQDN) access: From outside the cluster but within the same VPC, you can access a Service using <service-name>.<namespace>.svc.cluster.local.<cluster-id>. This method applies only to Headless Services.