Use the dnsPolicy parameter to configure DNS policies for pods in a Container Compute Service (ACS) cluster.
How DNS resolution works in ACS
In an ACS cluster, CoreDNS is deployed on the cloud. The cluster uses the kube-dns Service to expose CoreDNS, and DNS queries from pods are forwarded to the DNS server specified in the CoreDNS pod configuration. To view details about the kube-dns Service, run:

```bash
kubectl get svc kube-dns -n kube-system
```

For more information about DNS resolution in Kubernetes clusters, see DNS overview.
DNS policies
ACS clusters support four dnsPolicy values:
| Policy | Description |
|---|---|
| ClusterFirst | Default. Routes DNS queries through CoreDNS. The /etc/resolv.conf file in the pod contains the kube-dns address. |
| None | Ignores all cluster DNS settings. Requires a dnsConfig block to define custom DNS configuration. Without dnsConfig, the pod cannot resolve any domain name. |
| Default | Uses Alibaba Cloud DNS for resolution. CoreDNS is not involved. |
| ClusterFirstWithHostNet | ACS pods do not support host network, so this policy is equivalent to ClusterFirst. For details, see Kubernetes application limits. |
Configure a DNS policy
Use CoreDNS (ClusterFirst)
Set dnsPolicy: ClusterFirst to route pod DNS queries through the cluster's CoreDNS. Use this policy when pods need to resolve Services deployed in the same ACS cluster.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: default
spec:
  containers:
  - image: alpine # Replace with the actual image you use.
    command:
    - sleep
    - "10000"
    imagePullPolicy: Always
    name: alpine
  dnsPolicy: ClusterFirst
```

Verify: After the pod starts, check its DNS configuration:

```bash
kubectl exec alpine -- cat /etc/resolv.conf
```

The output should show the kube-dns cluster IP as the nameserver.
Use a custom DNS configuration (None)
Set dnsPolicy: None and add a dnsConfig block to fully control DNS resolution for the pod. Use this policy when pods need to use a specific DNS server outside the cluster.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: default
spec:
  containers:
  - image: alpine # Replace with the actual image you use.
    command:
    - sleep
    - "10000"
    imagePullPolicy: Always
    name: alpine
  dnsPolicy: None
  dnsConfig:
    nameservers: ["169.254.xxx.xxx"]
    searches:
    - default.svc.cluster.local
    - svc.cluster.local
    - cluster.local
    options:
    - name: ndots
      value: "2"
```

The dnsConfig fields:
| Field | Description |
|---|---|
| nameservers | IP addresses of DNS servers for the pod. Accepts up to three addresses. When dnsPolicy is None, at least one address is required. These addresses are merged into the pod's /etc/resolv.conf, with duplicates removed. |
| searches | DNS search domains for hostname lookup. Optional. Accepts up to six domains. These domains are appended to the base search list generated by the DNS policy, with duplicates removed. |
| options | A list of DNS resolver options. Each item has a name (required) and an optional value. These options are merged into the generated options list, with duplicates removed. |
Verify: After the pod starts, confirm the DNS configuration written to the container:

```bash
kubectl exec alpine -- cat /etc/resolv.conf
```

With the example configuration above, the output is similar to:

```text
nameserver 169.254.xxx.xxx
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:2
```

For the full dnsConfig specification, see DNS for Services and Pods.
Use Alibaba Cloud DNS (Default)
Set dnsPolicy: Default when pods do not need to access other Services in the ACS cluster. DNS resolution is handled by Alibaba Cloud DNS — CoreDNS is not used.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: default
spec:
  containers:
  - image: alpine # Replace with the actual image you use.
    command:
    - sleep
    - "10000"
    imagePullPolicy: Always
    name: alpine
  dnsPolicy: Default
```

Verify: After the pod starts, check that the nameserver points to Alibaba Cloud DNS rather than kube-dns:

```bash
kubectl exec alpine -- cat /etc/resolv.conf
```
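
The policy notes and dnsConfig limits above can be checked before deployment. The following is an added example, not part of the ACS documentation or tooling: it lints a pod object against the rules stated on this page and renders the resolv.conf expected for dnsPolicy: None so it can be compared with the verify output. The function names and the nameserver 192.0.2.53 are assumptions made for illustration.

```python
import ipaddress

MAX_NAMESERVERS, MAX_SEARCHES = 3, 6  # limits from the dnsConfig field table

def lint_pod_dns(pod):
    """Findings for one pod object (dict shaped like `kubectl get pod -o json`)."""
    spec = pod.get("spec", {})
    policy = spec.get("dnsPolicy", "ClusterFirst")  # ClusterFirst is the default
    cfg = spec.get("dnsConfig") or {}
    servers = cfg.get("nameservers") or []
    findings = []
    if policy == "None" and not servers:
        findings.append("None without nameservers: pod cannot resolve any name")
    if len(servers) > MAX_NAMESERVERS:
        findings.append(f"{len(servers)} nameservers (max {MAX_NAMESERVERS})")
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"nameserver {server!r} is not an IP address")
    searches = cfg.get("searches") or []
    if len(searches) > MAX_SEARCHES:
        findings.append(f"{len(searches)} search domains (max {MAX_SEARCHES})")
    if any(not opt.get("name") for opt in cfg.get("options") or []):
        findings.append("dnsConfig option without a name")
    if policy == "ClusterFirstWithHostNet":
        findings.append("ClusterFirstWithHostNet is equivalent to ClusterFirst on ACS")
    if policy == "Default":
        findings.append("Default: CoreDNS is not used for this pod")
    return findings

def expected_resolv_conf(cfg):
    """resolv.conf expected for dnsPolicy None, to diff against kubectl exec output."""
    lines = [f"nameserver {ip}" for ip in dict.fromkeys(cfg.get("nameservers") or [])]
    searches = list(dict.fromkeys(cfg.get("searches") or []))
    if searches:
        lines.append("search " + " ".join(searches))
    opts = [o["name"] + (f":{o['value']}" if o.get("value") else "")
            for o in cfg.get("options") or [] if o.get("name")]
    if opts:
        lines.append("options " + " ".join(opts))
    return "\n".join(lines)

# Constructed sample: the page's None example with a documentation-range IP.
SAMPLE = {"spec": {"dnsPolicy": "None", "dnsConfig": {
    "nameservers": ["192.0.2.53"],
    "searches": ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"],
    "options": [{"name": "ndots", "value": "2"}]}}}

if __name__ == "__main__":
    print(lint_pod_dns(SAMPLE) or "no findings")
    print(expected_resolv_conf(SAMPLE["spec"]["dnsConfig"]))
```

Feed it the items from `kubectl get pods -A -o json` to review DNS settings across the cluster.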