-
Notifications
You must be signed in to change notification settings - Fork 1.5k
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Server cannot talk to in-cluster service #2467
Comments
The API server can not talk to an in cluster domain because that would introduce a circular dependency. The source of truth for in-cluster service domains is the API server. If the API server used the in-cluster DNS resolution there would be a circular dependency in the cluster. There is no way to disable use of the docker embedded DNS. KIND depends on this, and it wouldn't make in-cluster domains resolvable by the API server anyhow. |
@BenTheElder are you saying this is an issue with Kind cluster only or we will face it in real Kubernetes clusters (deployed on VMs or bare metals) ? |
This is an issue you will face in all Kubernetes distributions I am aware of. It's fundamentally problematic to have the API server use DNS ultimately originating from itself. |
See previously: kubernetes/kubeadm#1236 Kind caught an issue with an attempt at enabling this upstream previously but the problem wasn't / isn't limited to kind. At that point in time kubeadm wasn't in required PR tests and the change was only in kubeadm. |
Thanks for explaining. The doc here https://v1-20.docs.kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector does explain about circular dependency but then it also says you can service as reference. Can you please tell?
|
From the relevant section
From that section https://v1-20.docs.kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#service-reference
In this case we're referencing the service object / concept not the DNS url. Because we reference the service directly, kube-apiserver is aware of the service object and can look it up directly from the service data from itself / etcd (which is the same data used by the in-cluster DNS server), it does NOT make any DNS calls to do this.
It doesn't need to use DNS / does not resolve them. Services are objects in the api-server, the api-server "asks" itself directly when using a service reference.
It does not, it runs with hostNetwork with default dnsPolicy typically, including in kubeadm upstream (which is what kind builds on), under hostNetwork with default dnsPolicy there is only the host's DNS, not any injected cluster DNS. |
Thank you for the explanation @BenTheElder ! One last piece of the puzzle - for my API server pod, I see dnsPolicy as ClusterFirst. By default, say the cluster has the domain cluster.local. So going by your explanation, does that mean even though dnsPolicy is ClusterFirst, API server is not really using the CoreDNS but always forwards to host's DNS server? |
yes because it is ClusterFirst not ClusterFirstWithHostNet https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy kubernetes/dns#316 "ClusterFirst" is the default dns setting (Confusingly, not "Default", see the docs above), but by default hostNetwork pods host networking ~100%, including DNS resolution, whereas non-host-network pods use the in-cluster DNS. |
I am deploying kind cluster using docker desktop on Mac. I need the API server to contact a web hook deployed as kubernetes service using its dns name like mywebhook.dex.svc.cluster.local but API server fails. Gives error in resolving the service dns mywebhook..svc.cluster.local.
I want to understand why is it trying to reach out to 192.168.65.2:53 for DNS resolution. That address appears to be that of the docker desktop's virtual network kit (vpn) IP. I see that IP:
Also, I want to know if there is a way to configure the kind cluster to disable the use of docker vpn kit IP as the IP address of the DNS server for API server.
The text was updated successfully, but these errors were encountered: