我正在运行一个具有主节点和2个工作节点的kubernetes集群。
root@kube-master:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
kube-master Ready master 4d19h v1.14.3
kube-node-01 Ready <none> 4d18h v1.14.3
kube-node-02 Ready <none> 6h3m v1.14.3
现在,我的traefik入口 Controller 无法解析dns查询。
/ # nslookup acme-v02.api.letsencrypt.org
nslookup: can't resolve '(null)': Name does not resolve
Name: acme-v02.api.letsencrypt.org
Address 1: <my.public.ip> mail.xxx.xxx
现在,在opnsense框上带有tcpdump,我收到的查询都带有内部搜索域,该域附加解析为我的公共(public)IP,这是错误的。
但是由于某些原因...将忙碌的测试箱旋转起来是可行的...
/ # nslookup acme-v02.api.letsencrypt.org
Server: 10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local
Name: acme-v02.api.letsencrypt.org
Address 1: 2a02:26f0:ef:197::3a8e g2a02-26f0-00ef-0197-0000-0000-0000-3a8e.deploy.static.akamaitechnologies.com
Address 2: 2a02:26f0:ef:181::3a8e g2a02-26f0-00ef-0181-0000-0000-0000-3a8e.deploy.static.akamaitechnologies.com
Address 3: 104.74.120.43 a104-74-120-43.deploy.static.akamaitechnologies.com
/etc/resolve.conf文件都相同,但
namespace由于kubernetes 1.11 coredns成为默认的DNS解析系统。在this页面上,用coredns调试dns系统说我应该使用
root@kube-master:~# kubectl get pods --namespace=kube-system -l k8s-app=coredns
No resources found.
但这不返回任何东西!使用
kube-dns会返回coredns pods !root@kube-master:~# kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
NAME READY STATUS RESTARTS AGE
coredns-fb8b8dccf-jmhdm 1/1 Running 5 4d19h
coredns-fb8b8dccf-tfw7v 1/1 Running 5 4d19h
这里发生了什么?!文档是否错误或群集中有东西?
最佳答案
我将展示和解释您使用nginx入口 Controller 的示例。我相信traefik入口 Controller 的情况是相同的。
因此,首先-关于kube-dns和coredns混乱,您正在描述:
这是设计使然。您可以参考github coredns is still labeled as kube-dns issue了解更多信息。
在我的集群中,我还拥有称为coredns的kube-dns服务,它引用具有coredns标签的k8s-app=kube-dns容器
kubectl describe service kube-dns -n kube-system
Name: kube-dns
Namespace: kube-system
Labels: k8s-app=kube-dns
kubernetes.io/cluster-service=true
kubernetes.io/name=KubeDNS
Annotations: prometheus.io/port: 9153
prometheus.io/scrape: true
Selector: k8s-app=kube-dns
Type: ClusterIP
IP: 10.96.0.10
Port: dns 53/UDP
TargetPort: 53/UDP
Endpoints: 10.32.0.2:53,10.32.0.9:53
Port: dns-tcp 53/TCP
TargetPort: 53/TCP
Endpoints: 10.32.0.2:53,10.32.0.9:53
Port: metrics 9153/TCP
TargetPort: 9153/TCP
Endpoints: 10.32.0.2:9153,10.32.0.9:9153
Session Affinity: None
Events: <none>
kubectl get pods -n kube-system -l k8s-app=kube-dns -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
coredns-fb8b8dccf-42285 1/1 Running 0 3h26m 10.32.0.9 kubernetessandbox-1-vm <none> <none>
coredns-fb8b8dccf-87j5v 1/1 Running 0 3h26m 10.32.0.2 kubernetessandbox-1-vm <none> <none>
当我旋转新的busybox pod时-它具有/etc/resolv.conf指向服务kube-dns(10.96.0.10)并具有正确的搜索:
cat /etc/resolv.conf
search kube-system.svc.cluster.local svc.cluster.local cluster.local c.myproj.internal. google.internal.
nameserver 10.96.0.10
options ndots:5
但与此同时,我的Nginx入口 Controller Pod具有
nameserver 169.254.169.254,甚至无法nslookup甚至kubernetes.defaultcat /etc/resolv.conf
search c.myproj.internal. google.internal.
nameserver 169.254.169.254
不确定您在trafic pod上的
/etc/resolv.conf中有什么,但是问题出在那儿。而您拥有的/etc/resolv.conf来自您的节点如果入口使用hostNetwork,则设置dnsPolicy:ClusterFirstWithHostNet而不是dnsPolicy:ClusterFirst应该解决此问题。
从dns-pod-service documentation:
从编辑nginx-ingress-controller部署后
dnsPolicy: ClusterFirst
hostNetwork: true
至
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
使用所需的/etc/resolv.conf重新创建了pod:
cat /etc/resolv.conf
search kube-system.svc.cluster.local svc.cluster.local cluster.local c.myproj.internal. google.internal.
nameserver 10.96.0.10
options ndots:5
nslookup kubernetes.default
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: kubernetes.default.svc.cluster.local
Address: 10.96.0.1
与hostNetwork / dnsPolicy相关的问题和解释的网址很少。这是正确配置Traefik的重要部分:
1)Traefik on k8s not listening externally without changing deployment
2)Stack traefik question
3)Ingress with Traefik文章:
dnsPolicy: ClusterFirstWithHostNet
希望能帮助到你
关于kubernetes - 某些查询中附加了kubernetes dns搜索域,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56737552/