Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Be able to detect search domain misconfiguration #1391

Closed
danj-replicated opened this issue Nov 17, 2023 · 0 comments · Fixed by #1534
Closed

Be able to detect search domain misconfiguration #1391

danj-replicated opened this issue Nov 17, 2023 · 0 comments · Fixed by #1534
Assignees
@nvanthao

Comments

@danj-replicated
Copy link
Contributor

danj-replicated commented Nov 17, 2023
edited
Loading

Describe the rationale for the suggested feature.
In cases where a search domain exists and resolves to a wildcard dns record (i.e: the search domain example.com resolves to *.example.com) kubernetes will inadvertently resolve in-cluster records via the search record. i.e: test.svc.cluster.local.example.com

Describe the feature
to better detect this misconfiguration we can compare a manual dns query inside the cluster to what the kubernetes API asserts as the cluster IP of a service. to ensure portability we can use the kubernetes service in the default namespace, as it's guaranteed to exist.

we can compare the outputs of:
kubectl get svc kubernetes -o jsonpath='{.spec.clusterIP}'
and
dig +short kubernetes.default.svc.cluster.local run from inside a pod

there are three possible states for the output:

  1. the outputs match, and it's likely that DNS is configured correctly
  2. dig returns NXDOMAIN, and it's likely that coredns is down or misconfigured
  3. the outputs differ, and it's likely that the search domains are interfering with cluster name resolution

It might be necessary to write a custom analyzer for this, as it would require comparing data from both the cluster-resources collector and a custom run-pod.

Describe alternatives you've considered

It might be possible to chain together existing collectors to output a file in a format that a text analyser can compare.
@nvanthao nvanthao self-assigned this Apr 28, 2024
@nvanthao nvanthao linked a pull request Apr 29, 2024 that will close this issue
feat: [sc-103754] Be able to detect search domain misconfiguration #1391 #1534
Merged
@nvanthao nvanthao mentioned this issue Apr 29, 2024
Merged
nvanthao added a commit that referenced this issue Apr 30, 2024
@nvanthao
feat: [sc-103754] Be able to detect search domain misconfiguration #1391
6b368f2 
 (#1534)

* new collector dns

* implement DNS collector

* add dns service and endpoints check

* add nil check on retrieve endpoints
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nvanthao nvanthao

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: [sc-103754] Be able to detect search domain misconfiguration #1391 replicatedhq/troubleshoot
2 participants
@nvanthao @danj-replicated