Private DNS management with private clusters does not give full control over API server address #2477
Comments
Hi vcariven, AKS bot here 👋 I might be just a bot, but I'm told my suggestions are normally quite good, as such:
Maybe linked to #1508
Triage required from @Azure/aks-pm
@feiskyer another feature-request for subzone on private dns.
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
This is supported now. https://docs.microsoft.com/en-us/azure/aks/private-clusters Specifically, "CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID", which requires you to create a Private DNS Zone in this format for Azure global cloud: privatelink.<region>.azmk8s.io or <subzone>.privatelink.<region>.azmk8s.io. You will need the Resource ID of that Private DNS Zone going forward. Additionally, you will need a user assigned identity or service principal with at least the private dns zone contributor and network contributor roles.
Thanks for reaching out. I'm closing this issue as it was marked with "Answer Provided" and it hasn't had activity for 2 days.
Summary

Private DNS management with private clusters (--enable-private-cluster) does not give full control over the API server address. We have several options, each one coming with its limitations.

In our case, we set up and operate a Hub and Spoke architecture for different clients, with DNS forwarders in the Hub zones. So we set up our on-prem DNS servers to forward a client-related list of private DNS zones to the client HUB DNS forwarders.

When creating a private AKS cluster, we do not have full control over the API server address name.

Current available options and limitations

1. --private-dns-zone system. A private DNS zone is created in the AKS resource group looking like <uid>.privatelink.<region>.azmk8s.io and Azure registers the API server address inside it (ex. <aks-prefix><random>.<uid>.privatelink.<region>.azmk8s.io).
   Limitations:
   - <uid>.privatelink.<region>.azmk8s.io

2. --private-dns-zone <private-zone-uid> (and optionally --fqdn-subdomain my-custom-aks-name)
   Limitations:
   - privatelink.<region>.azmk8s.io

3. --enable-public-fqdn and --private-dns-zone none
   Limitations:

Feature request

Though case 3 fits most of the needs, it is still in preview and does not give full control.

Case 2 is the most promising but is missing some features:
- privatelink.<region>.azmk8s.io (ex. client1.privatelink.<region>.azmk8s.io)
  - client1.privatelink.<region>.azmk8s.io forwarding to HUB-CLIENT-1 DNS forwarders
  - client2.privatelink.<region>.azmk8s.io forwarding to HUB-CLIENT-2 DNS forwarders
- (ex. client1.azr.corp)
  - client1.azr.corp forwarding to HUB-CLIENT-1 DNS forwarders
  - client2.azr.corp forwarding to HUB-CLIENT-2 DNS forwarders

Example

    my-custom-aks-name.privatelink.<region>.azmk8s.io A 10.100.10.5
    my-custom-aks-name.client1.azr.corp A 10.100.10.5

If my-custom-aks-name.client1.azr.corp can be configured at cluster creation as an alternative SAN, we could access the cluster with kubectl using the server name https://my-custom-aks-name.client1.azr.corp:443 without TLS handshake failures.

It could be an enhancement of the API and the Azure CLI. The underlying aks-engine seems to handle multiple SANs (https://github.com/Azure/aks-engine/blob/master/docs/topics/clusterdefinitions.md#masterprofile).

Regards,
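The TLS handshake failure described in the request above, as an added illustration that is not code from the issue, from AKS or from aks-engine: a pure-Python version of the RFC 6125 hostname check that TLS clients such as kubectl apply to the server certificate, run against a constructed SAN list (the region is a placeholder, the in-cluster service names are assumed). It shows the alias name failing verification until it is present as a SAN, even though both names point at the same address.

```python
from typing import Iterable


def hostname_matches_sans(hostname: str, dns_sans: Iterable[str]) -> bool:
    """RFC 6125 DNS-ID check as TLS clients such as kubectl apply it.

    A SAN matches when every label is equal (case-insensitive) or when its
    leftmost label is a bare '*' standing for exactly one label. No other
    wildcard position or partial wildcard is accepted.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in dns_sans:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue  # '*' never spans more than one label
        if "*" in san_labels[1:]:
            continue  # wildcard only allowed in the leftmost label
        if all(p == "*" or p == h for p, h in zip(san_labels, host_labels)):
            return True
    return False


# Constructed SAN list resembling a private AKS API server certificate: the
# cluster FQDN from the issue (region is a placeholder) plus the in-cluster
# service names a kube-apiserver certificate usually carries (assumed).
CURRENT_SANS = [
    "my-custom-aks-name.privatelink.westeurope.azmk8s.io",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
]

# The same certificate if the requested alias were added as an extra SAN.
REQUESTED_SANS = CURRENT_SANS + ["my-custom-aks-name.client1.azr.corp"]


def handshake_outcomes(server_name: str) -> dict:
    """Verification result under both SAN lists; both names share one A record."""
    return {
        "current": hostname_matches_sans(server_name, CURRENT_SANS),
        "with_alias_san": hostname_matches_sans(server_name, REQUESTED_SANS),
    }


if __name__ == "__main__":
    for name in ("my-custom-aks-name.privatelink.westeurope.azmk8s.io",
                 "my-custom-aks-name.client1.azr.corp"):
        print(name, handshake_outcomes(name))
```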