-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs(proposal) DNS using Envoy's DNSFilter #1488
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is a good start. Please be careful with how this will operate on Universal and not breaking the "normal" resolving.
docs/proposals/dns-using-envoy.md
Outdated
|
||
* The top-level domain should be configurable (defaults to `mesh`) | ||
* Drop in replacement to Kuma DNS (Default configuration should match Kuma's current configuration) | ||
* ability to set upstream dns resolvers to have a single resolver in the configuration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is this going to work in the Universal deployments? Today with Transparent Proxying, we do edit /etc/resolv.conf, which is tricky, yet we preserve the original servers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you'd do the same (update the /etc/resolv.conf).
For example in our universal deployment we set an iptable rule to direct to whatever address you'd like .e.g: -A CNI-o-631b6b8422a8498934cee4 -d 192.168.0.53/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports <passthrough-outbound-port>
and the /etc/resolv.conf to this as well.
docs/proposals/dns-using-envoy.md
Outdated
domain: "kuma" # [Optional defaults to "mesh"] the TLD to use for services exposed with the DNS | ||
upstreamResolvers: # [Optional] A list of resolvers to use when we resolving names not in the TLD | ||
- "8.8.8.8" | ||
- "4.4.4.4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahem, in K8s we'll have to add here also whatever ends up in /etc/resolv.conf. We do not want to break the normal K8s service resolving, i.e. resolving to Cluster IPs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can do either:
- leave that empty and rely on the rest of the /etc/resolv.conf
- just rely on this and have envoy in the /etc/resolv.conf (You could be hardcore and redirect all :53 to envoy but that'd be the nuclear option :)).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was also expecting that our Envoy will just do the resolving of Kuma domains.
Do you need this option @lahabana for your deployment?
If not, I'd consider not including this for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No we don't I'll remove it then.
docs/proposals/dns-using-envoy.md
Outdated
- The default configuration will make DNS names similar to what is present by default in Kuma | ||
- Users pick the address and port at which the DNS server runs, thus being able to run both setups concurrently | ||
|
||
In a future version it will be possible to have a default DNS policy to replace Kuma DNS altogether. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like that. We may make this in-Envoy DNS as a 'beta' feature until proven stable and then deprecate the 'old' way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, thank you for this proposal.
The only thing that I'm missing is how are we planning to deploy this on Kubernetes?
Right now we are just changing configuration of CoreDNS for the whole cluster which points DNS to the control plane. In this case I think we need to modify /etc/resolve.conf on every machine when Kuma is injected? Is it possible?
docs/proposals/dns-using-envoy.md
Outdated
upstreamResolvers: # [Optional] A list of resolvers to use when we resolving names not in the TLD | ||
- "8.8.8.8" | ||
- "4.4.4.4" | ||
address: "169.254.53.53" # [Optional defaults to 0.0.0.0] the address on which the UDP listener should bind in envoy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should always bind this listener to Dataplane#networking.address
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's possible I just thought I'd keep it flexible but we can always add it later if it's needed.
docs/proposals/dns-using-envoy.md
Outdated
- "8.8.8.8" | ||
- "4.4.4.4" | ||
address: "169.254.53.53" # [Optional defaults to 0.0.0.0] the address on which the UDP listener should bind in envoy | ||
port: "53" # [Optional defaults to 53 or redirectOutbound if transparent proxying is set] the port on which the UDP listener should bind in envoy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or redirectOutbound if transparent proxying is set
How would this work? RedirectOutoubnd port will be already taken, you cannot bind 2 listeners to it as far as I know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also if we are picking port, there probably should be an option to override this for one dataplane. Just like we do with prometheus endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because redirectOutbound is currently only TCP we can add UDP without problem (DNSFilter only works on UDP DNS).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also if we are picking port, there probably should be an option to override this for one dataplane. Just like we do with prometheus endpoint.
I guess that would be an extra config in the dataplane spec?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because redirectOutbound is currently only TCP we can add UDP without problem (DNSFilter only works on UDP DNS).
What is the problem that prevents us from binding to any other port? Is it about iptables? I thought we are touching only TCP traffic with iptables.
I guess that would be an extra config in the dataplane spec?
correct
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the problem that prevents us from binding to any other port? Is it about iptables? I thought we are touching only TCP traffic with iptables.
If by any you mean any arbitrary port, nothing prevents you from doing this. Would you want to always default to 53 regardless or transparent proxying or not?
- "4.4.4.4" | ||
address: "169.254.53.53" # [Optional defaults to 0.0.0.0] the address on which the UDP listener should bind in envoy | ||
port: "53" # [Optional defaults to 53 or redirectOutbound if transparent proxying is set] the port on which the UDP listener should bind in envoy | ||
tags: ["kuma.io/protocol", "kuma.io/service"] # [Optional defaults to ["kuma.io/service"]] A list of tags to use to build domnains they are joined with "." for example: "http.my-service.mesh" would be a final name. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about instead of tags
+ domain
we have one field called template
that would look like this
template: "{{ kuma.io/protocol}}.{{kuma.io/service}}.mesh"
This way you can have more powerful mechanism of defining DNS name.
You could just replace it with string.Replace
or execute full blown gotemplate which would give even more options like
template: "{{ kuma.io/service | replace '_' '.' }}.mesh"
What od you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would be very cool. The only thing we lose with this is the ability for DNSFilter to ignore all requests not within a TLD, though I'm not sure it changes much TBH
docs/proposals/dns-using-envoy.md
Outdated
domain: "kuma" # [Optional defaults to "mesh"] the TLD to use for services exposed with the DNS | ||
upstreamResolvers: # [Optional] A list of resolvers to use when we resolving names not in the TLD | ||
- "8.8.8.8" | ||
- "4.4.4.4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was also expecting that our Envoy will just do the resolving of Kuma domains.
Do you need this option @lahabana for your deployment?
If not, I'd consider not including this for now
So here you are touching my lack of familiarity of Kuma on k8s.
Now this makes me think again about |
If it's possible to override DNSConfig in such a way to redirect only @nickolaev thoughts? |
The way I see this possible is by appending Envoy as a resolver to the nameservers seems like a DNSConfig with a DNSPolicy and Envoy DNS always listening on the same IP:53 would do the trick. |
Let's put iptables aside for now. Please proceed with the DNSConfing in the proposal. I guess we are mostly aligned on everything else? |
Agreed I'll update the doc to make it ready for a final review with the details around CoreDNS |
Signed-off-by: Charly Molter <charly@koyeb.com>
Signed-off-by: Charly Molter <charly@koyeb.com>
3771d70
to
0ca95bf
Compare
Signed-off-by: Charly Molter <charly@koyeb.com>
0ca95bf
to
28cb8d3
Compare
@nickolaev @jakubdyszkiewicz updated with the latest conversations. If we're all ok with this I'll start the work on this probably tomorrow and early next week. |
Perfect, I think you can start with the implementation. I am sure there will be corner cases we'll find down the road. This is fine, as I don't expect we can foresee everything without touching the code. |
No description provided.