docs(proposal) DNS using Envoy's DNSFilter

[lahabana]

No description provided.

[nickolaev]

I think it is a good start. Please be careful with how this will operate on Universal and not breaking the "normal" resolving.

[nickolaev]

How is this going to work in the Universal deployments? Today with Transparent Proxying, we do edit /etc/resolv.conf, which is tricky, yet we preserve the original servers.

[lahabana]

I think you'd do the same (update the /etc/resolv.conf).

For example in our universal deployment we set an iptable rule to direct to whatever address you'd like .e.g: -A CNI-o-631b6b8422a8498934cee4 -d 192.168.0.53/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports <passthrough-outbound-port> and the /etc/resolv.conf to this as well.

[nickolaev]

Ahem, in K8s we'll have to add here also whatever ends up in /etc/resolv.conf. We do not want to break the normal K8s service resolving, i.e. resolving to Cluster IPs

[lahabana]

I think you can do either:

1. leave that empty and rely on the rest of the /etc/resolv.conf
2. just rely on this and have envoy in the /etc/resolv.conf (You could be hardcore and redirect all :53 to envoy but that'd be the nuclear option :)).

[jakubdyszkiewicz]

I was also expecting that our Envoy will just do the resolving of Kuma domains.

Do you need this option @lahabana for your deployment?
If not, I'd consider not including this for now

[lahabana]

No we don't I'll remove it then.

[nickolaev]

I like that. We may make this in-Envoy DNS as a 'beta' feature until proven stable and then deprecate the 'old' way.

[jakubdyszkiewicz]

Nice, thank you for this proposal.

The only thing that I'm missing is how are we planning to deploy this on Kubernetes?
Right now we are just changing configuration of CoreDNS for the whole cluster which points DNS to the control plane. In this case I think we need to modify /etc/resolve.conf on every machine when Kuma is injected? Is it possible?

[jakubdyszkiewicz]

I think we should always bind this listener to Dataplane#networking.address

[lahabana]

It's possible I just thought I'd keep it flexible but we can always add it later if it's needed.

[jakubdyszkiewicz]

or redirectOutbound if transparent proxying is set

How would this work? RedirectOutoubnd port will be already taken, you cannot bind 2 listeners to it as far as I know.

[jakubdyszkiewicz]

Also if we are picking port, there probably should be an option to override this for one dataplane. Just like we do with prometheus endpoint.

[lahabana]

Because redirectOutbound is currently only TCP we can add UDP without problem (DNSFilter only works on UDP DNS).

[lahabana]

Also if we are picking port, there probably should be an option to override this for one dataplane. Just like we do with prometheus endpoint.

I guess that would be an extra config in the dataplane spec?

[jakubdyszkiewicz]

Because redirectOutbound is currently only TCP we can add UDP without problem (DNSFilter only works on UDP DNS).

What is the problem that prevents us from binding to any other port? Is it about iptables? I thought we are touching only TCP traffic with iptables.

I guess that would be an extra config in the dataplane spec?

correct

[lahabana]

What is the problem that prevents us from binding to any other port? Is it about iptables? I thought we are touching only TCP traffic with iptables.

If by any you mean any arbitrary port, nothing prevents you from doing this. Would you want to always default to 53 regardless or transparent proxying or not?

[jakubdyszkiewicz]

How about instead of tags + domain we have one field called template that would look like this

template: "{{ kuma.io/protocol}}.{{kuma.io/service}}.mesh"

This way you can have more powerful mechanism of defining DNS name.

You could just replace it with string.Replace or execute full blown gotemplate which would give even more options like

template: "{{ kuma.io/service | replace '_' '.' }}.mesh"

What od you think?

[lahabana]

I think this would be very cool. The only thing we lose with this is the ability for DNSFilter to ignore all requests not within a TLD, though I'm not sure it changes much TBH

[jakubdyszkiewicz]

I was also expecting that our Envoy will just do the resolving of Kuma domains.

Do you need this option @lahabana for your deployment?
If not, I'd consider not including this for now

[lahabana]

The only thing that I'm missing is how are we planning to deploy this on Kubernetes?
Right now we are just changing configuration of CoreDNS for the whole cluster which points DNS to the control plane. In this case I think we need to modify /etc/resolve.conf on every machine when Kuma is injected? Is it possible?

So here you are touching my lack of familiarity of Kuma on k8s.
Here are some possible solutions:

• Add a PodDNSConfig which would enable you to set a different DNS than coreDNS.
  You could also inject this in the Admission webhook like we override probes currently.
  The one issue with this is that /etc/resolv.conf only allows port 53.
• Do everything with iptables and have envoy "replace" coreDNS in the init-container. Istio does this code.

Now this makes me think again about upstreamResolvers, maybe it makes sense from a user point of view to define the DNS for the mesh in the service mesh configuration instead of a per deployment platform configuration (.e.g you'd need to configure DNS in K8s or in whatever Universal is for you).
WDYT?

[jakubdyszkiewicz]

If it's possible to override DNSConfig in such a way to redirect only .mesh domain to Envoy then I think I'd go this way.
I think the less "intrusive" our implementation is the better.

@nickolaev thoughts?

[lahabana]

The way I see this possible is by appending Envoy as a resolver to the nameservers seems like a DNSConfig with a DNSPolicy and Envoy DNS always listening on the same IP:53 would do the trick.
We should probably do this setting in the pod_controller no?
I can update the doc with this if @nickolaev is ok with it.

[nickolaev]

The way I see this possible is by appending Envoy as a resolver to the nameservers seems like a DNSConfig with a DNSPolicy and Envoy DNS always listening on the same IP:53 would do the trick.
We should probably do this setting in the pod_controller no?
I can update the doc with this if @nickolaev is ok with it.

Let's put iptables aside for now. Please proceed with the DNSConfing in the proposal. I guess we are mostly aligned on everything else?

[lahabana]

Agreed I'll update the doc to make it ready for a final review with the details around CoreDNS

[lahabana]

@nickolaev @jakubdyszkiewicz updated with the latest conversations. If we're all ok with this I'll start the work on this probably tomorrow and early next week.

[nickolaev]

@nickolaev @jakubdyszkiewicz updated with the latest conversations. If we're all ok with this I'll start the work on this probably tomorrow and early next week.

Perfect, I think you can start with the implementation. I am sure there will be corner cases we'll find down the road. This is fine, as I don't expect we can foresee everything without touching the code.
Great stuff!