All Products
Search
Document Center

Container Service for Kubernetes:DNS for Service discovery

最終更新日:May 30, 2024

Domain Name System (DNS) resolution is one of the methods used for Service discovery in an ACK Serverless cluster. This topic describes how DNS resolution works in ACK Serverless clusters and the DNS-based Service discovery components supported by ACK Serverless clusters.

Table of contents

Usage notes

  • If you do not enable a DNS-based Service discovery component when you create an ACK Serverless cluster, the pods in the cluster use the DNS servers provided by Virtual Private Cloud (VPC) to resolve domain names. In this case, the domain names of Services in the cluster cannot be resolved.

  • If you enable a DNS-based Service discovery component for an existing ACK Serverless cluster, the existing pods in the cluster cannot use the component. You need to recreate the existing pods so that they can use the DNS-based Service discovery component.

  • The managed CoreDNS component will replace the non-managed CoreDNS component, which will be removed from the ACK console. If you want to use the non-managed CoreDNS component,

    submit a ticket.

How DNS resolution works in ACK Serverless clusters

The following code block shows the default content of the /etc/resolv.conf file when you create a pod in an ACK Serverless cluster. The file specifies the DNS server, the search domain, and other parameters.

# The nameserver parameter specifies the IP address of the DNS server that is used by the pod. 
nameserver 172.xx.x.xx
# The search parameter specifies the search domain suffixes that are appended to the Service that you want to access. If the pod belongs to the kube-system namespace, the following search domain suffixes are used: 
search kube-system.svc.cluster.local svc.cluster.local cluster.local
# Other parameters
options ndots:5

For more information about the DNS configuration file and the DNS policies of pods, see DNS policies and domain name resolution.

DNS-based Service discovery components supported by ACK Serverless clusters

Component

Description

Managed CoreDNS

We recommend that you use this component. Pods use managed CoreDNS to resolve domain names. The CoreDNS pods are created and maintained by ACK Serverless. Therefore, managed CoreDNS is completely O&M-free. The component does not run on elastic container instances.

Non-managed CoreDNS

Pods use non-managed CoreDNS to resolve domain names. You must properly configure the component and make sure that the CoreDNS pods run as expected.

PrivateZone

Pods use Alibaba Cloud DNS PrivateZone to resolve domain names. ACK Serverless automatically creates and updates DNS records in Alibaba Cloud DNS PrivateZone.

Managed CoreDNS

Managed CoreDNS is exposed by using the cluster IP address of the kube-dns Service in the kube-system namespace. The following figure shows how a client pod uses managed CoreDNS.

image.png

Link

Description

When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service.

In this example, the IP address of the DNS server is the cluster IP address of the kube-dns Service in the kube-system namespace of the ACK Serverless cluster. The backend pods associated with the cluster IP address of the kube-dns Service are maintained and updated by the ACK Serverless cluster.

image.png

When a client pod accesses an external domain name, managed CoreDNS forwards the DNS query to DNS servers 100.100.2.136 and 100.100.2.138. The DNS servers are provided by the VPC of the cluster.

After the client pod obtains the IP address of the upstream Service from the DNS server, the client pod sends a request to the IP address.

Enable managed CoreDNS

Important
  • After you enable managed CoreDNS, the ACK Serverless cluster automatically creates a ClusterIP type Service named kube-dns in the kube-system namespace. Do not manually modify the Service.

  • Managed CoreDNS is available in certain regions. If you cannot find the component in the ACK console, the component is unavailable in the region that you selected. You can customize the configuration of managed CoreDNS. To use this feature,

    submit a ticket.

  • Method 1: To enable managed CoreDNS for a new ACK Serverless cluster, select CoreDNS (Managed) for the Service Discovery parameter when you create the cluster.

    image.png

  • Method 2: To enable managed CoreDNS for an existing ACK Serverless cluster, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. Then, click Install in the CoreDNS (Managed) section. For more information, see Manage components.

Non-managed CoreDNS

Non-managed CoreDNS is a DNS resolver for Kubernetes clusters. Non-managed CoreDNS can resolve custom internal domain names and external domain names. Non-managed CoreDNS provides a variety of plug-ins that you can use to customize DNS settings, host records, Canonical Name (CNAME) records, and rewrite rules for Kubernetes clusters. The CoreDNS project is hosted by Cloud Native Computing Foundation (CNCF), which also hosts Kubernetes. For more information, see CNCF. For more information about CoreDNS, see CoreDNS: DNS and Service Discovery.

Non-managed CoreDNS is exposed by using the cluster IP address of the kube-dns Service in the kube-system namespace. The following figure shows how a client pod uses non-managed CoreDNS.

image.png

Link

Description

When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service.

In this example, the IP address of the DNS server is the cluster IP address of the kube-dns Service in the kube-system namespace of the ACK Serverless cluster.

image.png

When a client pod accesses an external domain name, CoreDNS forwards the DNS query to DNS servers 100.100.2.136 and 100.100.2.138. The DNS servers are provided by the VPC of the cluster.

After the client pod obtains the IP address of the upstream Service from the DNS server, the client pod sends a request to the IP address.

Enable non-managed CoreDNS

  • Method 1: To enable non-managed CoreDNS for a new ACK Serverless cluster, select CoreDNS for the Service Discovery parameter when you create the cluster.

    image.png

  • Method 2: To enable non-managed CoreDNS for an existing ACK Serverless cluster, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. Then, click Install in the CoreDNS section. For more information, see Manage components.

PrivateZone

Alibaba Cloud DNS PrivateZone is an Alibaba Cloud private domain name resolution and management service based on VPC. Alibaba Cloud DNS PrivateZone can dynamically monitor the Services and endpoints in each namespace of an ACK Serverless cluster. Alibaba Cloud DNS PrivateZone automatically synchronizes the domain names of resources by interacting with the API server. Pods in an ACK Serverless cluster use Alibaba Cloud DNS PrivateZone to resolve domain names for Service discovery in Kubernetes. For more information about how to use Alibaba Cloud DNS PrivateZone, see Enable service discovery based on Alibaba Cloud DNS PrivateZone for ACK Serverless clusters.

Alibaba Cloud DNS PrivateZone provides resolution services by using DNS servers (100.100.2.136 and 100.100.2.138) provided by the VPC of the cluster. The following figure shows how a client pod uses Alibaba Cloud DNS PrivateZone.

image.png

Link

Description

The PrivateZone controller connects to the API server and monitors Service creation and update events in the cluster.

After the PrivateZone controller detects Service creation and update events, the controller synchronizes the events to the DNS records of the authoritative zone in Alibaba Cloud DNS PrivateZone.

When a client pod accesses an upstream Service, the client pod obtains the IP address of the DNS server from the local DNS configuration file /etc/resolv.conf. Then, the client pod sends a DNS query to the DNS server to query the IP address of the upstream Service.

In this example, the DNS servers are provided by the VPC of the cluster. The IP addresses of the DNS servers are 100.100.2.136 and 100.100.2.138. The DNS servers obtain the IP address of the upstream Service from Alibaba Cloud DNS PrivateZone and return the IP address to the client pod.

After the client pod obtains the IP address of the upstream Service from the DNS servers, the client sends a request to the IP address.

Enable the Alibaba Cloud DNS PrivateZone component

  • Method 1: To enable the component for a new ACK Serverless cluster, select PrivateZone for the Service Discovery parameter when you create the cluster.

    image.png

  • Method 2: To enable the component for an existing ACK Serverless cluster, set the enablePrivateZone parameter in the eci-profile ConfigMap to true.

FAQ

How do I check whether managed CoreDNS, non-managed CoreDNS, or Alibaba Cloud DNS PrivateZone is enabled for a cluster?

  • Managed CoreDNS and non-managed CoreDNS

    Log on to the ACK console. In the left-side navigation pane, choose Operations > Add-ons. On the Add-ons page, click the Networking tab. If Installed is displayed in the upper-right corner of the CoreDNS (Managed) or CoreDNS card, the component is enabled for the cluster.

    The following figure shows that managed CoreDNS is enabled.

    image.png

  • Alibaba Cloud DNS PrivateZone

    Log on to the Alibaba Cloud DNS PrivateZone console and search for authoritative zones by using the ID of the VPC of the ACK Serverless cluster. If zones whose names end with the cluster ID exist, Alibaba Cloud DNS PrivateZone is enabled.

How do I check whether a client pod uses managed CoreDNS, non-managed CoreDNS, or Alibaba Cloud DNS PrivateZone?

  • Managed CoreDNS and non-managed CoreDNS

    Run the kubectl exec command to access the pod. Then, run the cat /etc/resolv.conf command. If the nameserver field displays the cluster IP address of the kube-dns Service in the kube-system namespace, the pod uses managed CoreDNS or non-managed CoreDNS.

  • Alibaba Cloud DNS PrivateZone

    Run the kubectl exec command to access the pod. Then, run the cat /etc/resolv.conf command. If the nameserver field displays 100.100.2.136 and 100.100.2.138, the pod uses Alibaba Cloud DNS PrivateZone. The IP addresses provided in this topic are only for reference.

References