Skip to content
Branch: master
Find file History
k8s-ci-robot Merge pull request #78546 from prameshj/nodelocal-1_15_3
Use node-cache image 1.15.3 in the yaml
Latest commit 0216ccf Jun 2, 2019
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
README.md Doc changes for nodelocaldns graduating to beta May 14, 2019
nodelocaldns.yaml Use nodecache image 1.15.3 May 30, 2019

README.md

Nodelocal DNS Cache

This addon runs a node-local-dns pod on all cluster nodes. The pod runs CoreDNS as the dns cache. It runs with hostNetwork:True and creates a dedicated dummy interface with a link local ip(169.254.20.10/32 by default) to listen for DNS queries. The cache instances connect to clusterDNS in case of cache misses.

Design details here KEP to graduate to beta here

This feature is graduating to Beta in release 1.15.

nodelocaldns addon template

This directory contains the addon config yaml - nodelocaldns.yaml The variables will be substituted by the configure scripts when the yaml is copied into master. To create a GCE cluster with nodelocaldns enabled, use the command: KUBE_ENABLE_NODELOCAL_DNS=true go run hack/e2e.go -v --up

Network policy and DNS connectivity

When running nodelocaldns addon on clusters using network policy, additional rules might be required to enable dns connectivity. Using a namespace selector for dns egress traffic as shown here might not be enough since the node-local-dns pods run with hostNetwork: True

One way to enable connectivity from node-local-dns pods to clusterDNS ip is to use an ipBlock rule instead:

spec:
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    to:
    - ipBlock:
        cidr: <well-known clusterIP for DNS>/32
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Negative caching

The denial cache TTL has been reduced to the minimum of 5 seconds here. In the unlikely event that this impacts performance, setting this TTL to a higher value make help alleviate issues, but be aware that operations that rely on DNS polling for orchestration may fail (for example operators with StatefulSets).

You can’t perform that action at this time.