-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DualStack headless services DNS behavior #1531
Conversation
- Headless Kubernetes services: CoreDNS will resolve these services to either an IPv4 entry (A record), an IPv6 entry (AAAA record), or both, depending on the service's `ipFamily`. | ||
- Because service IPs will remain single-family, pods will continue to access the DNS server via a single service IP. In other words, the nameserver entries in a pod's /etc/resolv.conf will typically be a single IPv4 or single IPv6 address, depending upon the IP family of the cluster's service CIDR. | ||
- Non-headless Kubernetes services: DNS will resolve these services to either an IPv4 entry (A record) or an IPv6 entry (AAAA record), depending upon the IP family of the cluster's service CIDR. | ||
- Headless Kubernetes services: DNS will resolve these services to either an IPv4 entry (A record) or an IPv6 entry (AAAA record), depending on the service's `ipFamily`, defaulting to IPv4 if `ipFamily` is not specified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that we have to preserve backwards compatible behavior of the endpoints object (where you can have both types of addresses), just as general Kubernetes API guarantee.
That implies that anything we do with ipFamily has to allow users to preserve the existing behavior, and thus downstream components have to tolerate mixed addresses and offer meaningful extension.
I would prefer that DNS be changed to use ipFamily as a filter, and DNS treat nil ipFamily as "allow all addresses".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to clarify, does this discussion only apply to headless and external name services? Can we safely state that all Services handled by kube-proxy will be single family since they will all have a single ClusterIP and/or IPFamily? Is there any precedent for supporting multi-family Endpoints behind single family Services before the dual stack work? If we can limit this to Services ignored by kube-proxy, I think it would significantly limit the scope and complexity of the needed changes. I do agree that for the sake of backwards compatibility, the lack of an IPFamily should be treated by DNS as "allow all addresses."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems we are on the same page, will reword accordingly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@smarterclayton I just realized that there is a different behavior on headless services depending on using selectors or not. This is the bug that Dan found, currently headless service with selectors filters based on the ipFamily and if nil, it defaults to IPv4.
This is due to the function that returns the endpoints based on the pods, only returns one IP per pod. If we want to support this for headless return multiple endpoints per pod we have to modify this function too.
Do we want to modify the behavior of headless service with selectors
to support ipFamily=nil
?
PTAL to the updated PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to modify the behavior of headless service with selectors to support ipFamily=nil?
I think that might be appropriate, if DNS is expected to report A and AAAA when ipfamily is nil.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, I'd agree with that since kube-dns is already responding with both A and AAAA records in some cases (https://github.com/kubernetes/dns/blob/master/vendor/github.com/skynetservices/skydns/server/server.go#L476-L479).
EDIT: Disregard me, kube-dns is mostly irrelevant here for newer clusters. I guess there's still a chance that somewhere in older clusters someone was relying on A and AAAA DNS records, but that does seem unlikely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, let me try to send a PR with the modifications needed so we can observe the implications
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated this PR with the last @thockin suggestion of keep the current endpoints controller defaulting to IPv4 and modifying the endpointslice controller to return both A and AAAA
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aojea The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
FTR, I am putting this on back-burner until discussion in kubernetes/kubernetes#86895 resolves |
ack |
/close |
@aojea: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
WINC-1174: WinC Disconnected Support
This PR tries to document the DNS behavior of the Headless Kubernetes services, reflecting current behavior in the implementation. Quoting the context of the discussion for context:
Clayton Colemant:
Dan Winship:
Rob Scott:
PD.-
CoreDNS is a specific implementation of the Kubernetes DNS specification, we should be more generic in the spec to avoid misunderstandings.