If you want to map private domain names in one or more virtual private clouds (VPCs) to IP addresses and block access to these private domain names from other networks, you can use the service discovery feature based on Alibaba Cloud DNS PrivateZone. ACK Serverless provides the service discovery feature to allow you to resolve and manage private domain names in VPCs. The service discovery feature supports intranet Services, headless Services, and ClusterIP Services.
Prerequisites
Alibaba Cloud DNS PrivateZone is activated in the Alibaba Cloud DNS console.
Choose a region where PrivateZone is available. PrivateZone is not supported in the UAE (Dubai) region.
An ACK Serverless cluster is created and the PrivateZone component is enabled.
Method 1: To enable the component for a new ACK Serverless cluster, select PrivateZone for the Service Discovery parameter when you create the cluster.
Method 2: To enable the component for an existing ACK Serverless cluster, set the enablePrivateZone parameter in the eci-profile ConfigMap to true.
Billing
For more information about the billing rules of Alibaba Cloud DNS PrivateZone, see Pricing.
Procedure
Deploy a Deployment and create Services.
The following code block is a sample template. Copy the following YAML content to a file named nginx-service.yaml and run the kubectl create -f nginx-service.yaml command to create the Deployment and the Services.

apiVersion: v1
kind: Service
metadata:
  name: nginx-headless-service
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  clusterIP: None
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-clusterip-service
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-intranet-service
  annotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: nginx
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80
Run the following command to query the status of the Deployment:
kubectl get svc,pod,deployment
Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right part of the page, click Configuration Mode and click the Built-in Authoritative Module tab in the middle of the page. Then, click User Defined Zones.
On the User Defined Zones tab, click Resource Records Settings in the Actions column of the domain name that you want to manage.
Note: PrivateZone records use the $svc.$ns format to resolve domain names to IP addresses. Take note of the following rules when you create PrivateZone records:
A LoadBalancer Service corresponds to only one PrivateZone record. The record maps the Service to the IP address of the Server Load Balancer (SLB) instance.
A ClusterIP Service corresponds to only one PrivateZone record. The record maps the Service to the cluster IP address of the Service.
A headless Service corresponds to multiple PrivateZone records. The records map the Service to the IP addresses of the backend pods.
You can access a Service within the VPC through the private domain name of the Service.
You can use $svc.$ns.svc.cluster.local.$clusterId to access Services that are discovered in the current cluster. You can also use this long domain name to access Services in other clusters after you use Alibaba Cloud DNS PrivateZone to discover those Services.
You can use $svc to access Services in the current namespace and $svc.$ns to access Services in other namespaces.
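The record rules above are easy to state but worth verifying: a record that still points at a pod IP that no longer exists, or a Service with no record at all, is a silent failure that only shows up as intermittent connection errors. The following script is an added example (not part of the original page or of the ACK product) that derives the record set the rules imply from Service and Endpoints data and diffs it against the answers a resolver inside the VPC returns. All inputs are constructed: the Service JSON mirrors the fields of kubectl get svc -o json for the three sample Services, the pod IPs and the cluster ID c-example are placeholders, and the observed answers stand in for dig +short output.

```python
"""Derive the PrivateZone records implied by the Note's rules and diff them
against resolver answers.  Added example, not code from the page or product.
All sample data below is constructed."""
import json
import socket

# Constructed: trimmed `kubectl get svc -o json` items for the page's three Services.
SAMPLE_SERVICES = json.loads("""
[
  {"metadata": {"name": "nginx-headless-service", "namespace": "default"},
   "spec": {"clusterIP": "None", "type": "ClusterIP"},
   "status": {"loadBalancer": {}}},
  {"metadata": {"name": "nginx-clusterip-service", "namespace": "default"},
   "spec": {"clusterIP": "192.168.10.25", "type": "ClusterIP"},
   "status": {"loadBalancer": {}}},
  {"metadata": {"name": "nginx-intranet-service", "namespace": "default"},
   "spec": {"clusterIP": "192.168.10.99", "type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "192.168.0.8"}]}}}
]
""")

# Constructed: backend pod IPs of the headless Service, as `kubectl get endpoints`
# would list them for the three replicas of the sample Deployment.
SAMPLE_ENDPOINTS = {
    ("default", "nginx-headless-service"): ["192.168.1.11", "192.168.1.12", "192.168.1.13"],
}

# Constructed placeholder for $clusterId in the long domain name.
CLUSTER_ID = "c-example"

# Constructed resolver answers: one stale pod IP for the headless Service and
# no record at all for the intranet LoadBalancer Service.
SAMPLE_OBSERVED = {
    f"nginx-headless-service.default.svc.cluster.local.{CLUSTER_ID}":
        ["192.168.1.12", "192.168.1.11", "192.168.1.99"],
    f"nginx-clusterip-service.default.svc.cluster.local.{CLUSTER_ID}":
        ["192.168.10.25"],
}


def expected_records(services, endpoints, cluster_id):
    """Return {fqdn: sorted IPs} per the rules on this page:
    LoadBalancer -> one record, the SLB address;
    ClusterIP    -> one record, the Service's cluster IP;
    headless     -> one record per backend pod IP."""
    records = {}
    for svc in services:
        name = svc["metadata"]["name"]
        ns = svc["metadata"]["namespace"]
        fqdn = f"{name}.{ns}.svc.cluster.local.{cluster_id}"
        spec = svc["spec"]
        if spec.get("clusterIP") == "None":                       # headless
            ips = endpoints.get((ns, name), [])
        elif spec.get("type") == "LoadBalancer":
            ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
            ips = [entry["ip"] for entry in ingress if "ip" in entry]
        else:                                                      # ClusterIP
            ips = [spec["clusterIP"]]
        records[fqdn] = sorted(ips)
    return records


def diff_records(expected, observed):
    """Compare expected records with resolver answers {fqdn: [ips]}.
    Returns (fqdn, problem) tuples; an empty list means DNS matches the cluster."""
    problems = []
    for fqdn, ips in expected.items():
        got = sorted(observed.get(fqdn, []))
        if not ips:
            problems.append((fqdn, "Service has no address yet (SLB not provisioned or no ready pods)"))
        elif not got:
            problems.append((fqdn, "no record"))
        elif got != ips:
            problems.append((fqdn, f"expected {ips}, resolver returned {got}"))
    for fqdn in observed:
        if fqdn not in expected:
            problems.append((fqdn, "record has no matching Service"))
    return problems


def check_sample():
    """Run the diff over the constructed sample; two problems are expected."""
    expected = expected_records(SAMPLE_SERVICES, SAMPLE_ENDPOINTS, CLUSTER_ID)
    return diff_records(expected, SAMPLE_OBSERVED)


def resolve_with_system_resolver(fqdns):
    """Query the host's resolver for each name; use from a VPC host in place of
    SAMPLE_OBSERVED.  Only called when the script is run directly."""
    observed = {}
    for fqdn in fqdns:
        try:
            observed[fqdn] = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
        except socket.gaierror:
            observed[fqdn] = []
    return observed


if __name__ == "__main__":
    for fqdn, problem in check_sample():
        print(f"{fqdn}: {problem}")
```

On a real cluster, replace the constructed inputs with the output of kubectl get svc -o json and kubectl get endpoints -o json and pass the expected names to resolve_with_system_resolver from a host inside the VPC; an empty result list means every Service resolves exactly to the addresses the rules prescribe.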
For more information, see serverless-k8s-examples.
References
In addition to Alibaba Cloud DNS PrivateZone, you can also use CoreDNS to provide DNS resolution services in ACK Serverless clusters. For more information, see How DNS resolution works in ACK Serverless clusters.