Add in-cluster pod and services dns names to no_proxy #1661
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/XS
| @@ -294,6 +294,9 @@ func getProxyEnv(cfg *config.Cluster, networkName string, nodeNames []string) (m | |||
|
|
|||
| noProxyList := append(subnets, envs[common.NOProxy]) | |||
| noProxyList = append(noProxyList, nodeNames...) | |||
| // Add .svc explicitly to no_proxy to allow in cluster | |||
| // pod and service dns resolution | |||
| noProxyList = append(noProxyList, ".svc") | |||
There was a problem hiding this comment.
I think that we have to no_proxy the cluster domain , if we look at the standard coredns config
apiVersion: v1
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}we should add .cluster.local
If you see the DNS spec for k8s, the svc is a subdomain https://github.com/kubernetes/dns/blob/master/docs/specification.md
There was a problem hiding this comment.
yup, thanks for linking to the spec 👍
I also found a couple of issues related to this: kubernetes/kubeadm#2114
I think we'll need to add all of those since k8s also resolves partially qualified names
.svc,.svc.cluster,.svc.cluster.local especially for things like admission webhook which only use .svc by default https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#service-reference, and this still won't solve the problem where services should be resolvable through http://<service> and http://<service>.<ns>
Also, I wasn't sure if cluster.local is static or something that we should be picking up from the coredns config, but looks like it is the default.
There was a problem hiding this comment.
I think we'll need to add all of those since k8s also resolves partially qualified names
.svc,.svc.cluster,.svc.cluster.localespecially for things like admission webhook which only use.svcby default https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#service-reference, and this still won't solve the problem where services should be resolvable throughhttp://<service>andhttp://<service>.<ns>
TIL, thanks for the info
Also, I wasn't sure if cluster.local is static or something that we should be picking up from the coredns config, but looks like it is the default.
it is the kubeadm default I guess, but per example the kubernetes CI that changes it
I think that for KIND environments we should be safe, maybe just add a comment mentioning this, don't know, an environment with proxies and changing the default kind domain seems a very specific case
There was a problem hiding this comment.
It's configurable unfortunately
k8s-ci-robot
added
size/S
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
sorry for the wait |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amwat, BenTheElder The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
ref: #1650 (comment)
xref: kubernetes/kubernetes#91651 (comment)