DNS lookups in Kubernetes

Translator's note: The DNS problem in Kubernetes, or more precisely the configuration of the ndots parameter, is surprisingly popular, and has been for more than a year. In another article on this topic, its author, a DevOps engineer from a large brokerage company in India, explains in a simple and concise way what is useful for colleagues who operate Kubernetes to know.

One of the main benefits of deploying applications on Kubernetes is seamless application discovery. Intra-cluster communication is greatly simplified by the Service concept, which is a virtual IP backing a set of pod IP addresses. For example, if the service vanilla wants to reach the service chocolate, it can access the virtual IP of chocolate directly. The question arises: who resolves the DNS query for chocolate in this case, and how?

DNS name resolution on a Kubernetes cluster is handled by CoreDNS. The kubelet sets CoreDNS as the nameserver in the /etc/resolv.conf file of every pod. If you look at the contents of /etc/resolv.conf in any pod, it will look like this:

search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5

DNS clients use this configuration to send queries to the DNS server. The resolv.conf file contains the following information:

  • nameserver: the server to which DNS queries will be sent. In our case, this is the address of the CoreDNS service;
  • search: defines the search path for a given domain. Interestingly, google.com or mrkaran.dev is not an FQDN (fully qualified domain name). According to the standard convention followed by most DNS resolvers, only names that end with a dot ".", which represents the root zone, are considered fully qualified domain names (FQDN). Some resolvers can add the dot themselves. So mrkaran.dev. is a fully qualified domain name (FQDN), and mrkaran.dev is not;
  • ndots: the most interesting parameter (and the subject of this article). ndots defines the threshold number of dots in a queried name before it is treated as a "fully qualified" domain name. We will talk more about this later when we examine the DNS lookup sequence.

Let's see what happens when we query mrkaran.dev in a pod:

$ nslookup mrkaran.dev
Server: 10.152.183.10
Address: 10.152.183.10#53

Non-authoritative answer:
Name: mrkaran.dev
Address: 157.230.35.153
Name: mrkaran.dev
Address: 2400:6180:0:d1::519:6001

For this experiment, I set the CoreDNS logging level to all (which makes it very verbose). Let's look at the logs of the coredns pod:

[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s

Phew. Two things catch your attention here:

  • The query goes through every stage of the search list until a response contains the NOERROR code (DNS clients understand it and store it as the result). NXDOMAIN means that no record was found for the given domain name. Since mrkaran.dev is not an FQDN (according to ndots=5), the resolver looks at the search path and determines the order of the queries;
  • The A and AAAA records arrive in parallel. The point is that one-off queries in /etc/resolv.conf are configured by default so that parallel lookups are performed over IPv4 and IPv6. You can cancel this behaviour by adding the option single-request to resolv.conf.

Note: glibc can be configured to send these queries sequentially, and musl cannot, so Alpine users should take note.

Experimenting with ndots

Let's experiment a little more with ndots and see how this parameter behaves. The idea is simple: ndots determines whether the DNS client treats a domain as absolute or relative. For example, in the case of a plain google, how does the DNS client know whether this domain is absolute? If you set ndots to 1, the client will say: "Oh, there is not a single dot in google; I guess I'll go through the whole search list." However, if you query google.com, the list of suffixes will be ignored entirely, because the requested name meets the ndots threshold (there is one dot).

Let's verify this:

$ cat /etc/resolv.conf
options ndots:1
$ nslookup mrkaran
Server: 10.152.183.10
Address: 10.152.183.10#53

** server can't find mrkaran: NXDOMAIN

CoreDNS logs:

[INFO] 10.1.28.1:52495 - 2606 "A IN mrkaran.hello.svc.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000524939s
[INFO] 10.1.28.1:59287 - 57522 "A IN mrkaran.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000368277s
[INFO] 10.1.28.1:53086 - 4863 "A IN mrkaran.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000355344s
[INFO] 10.1.28.1:56863 - 41678 "A IN mrkaran. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.034629206s

Since mrkaran does not contain a single dot, the lookup went through the whole list of suffixes.

Note: in practice the maximum value of ndots is limited to 15; the default in Kubernetes is 5.
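The two experiments above can be reproduced offline with a small model of the search-list logic. This is an added example, not code from the original article and not glibc or musl source; it follows the rule documented in resolv.conf(5), and the function names and the one-entry `zone` are assumptions made for the illustration.

```python
# Added example: models the stub resolver's search-list expansion (resolv.conf(5)).
RESOLV_CONF = """\
search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5
"""  # the pod's resolv.conf shown earlier on this page


def parse_resolv_conf(text):
    """Return (search_list, ndots); ndots defaults to 1 and is capped at 15."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt.split(":", 1)[1]), 15)
    return search, ndots


def candidates(name, search, ndots):
    """Names the resolver is willing to try for `name`, in order."""
    if name.endswith("."):                    # trailing dot: absolute name
        return [name]
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    # At or above the threshold the bare name goes first, otherwise last.
    if name.count(".") >= ndots:
        return [name + "."] + suffixed
    return suffixed + [name + "."]


def queries_sent(name, search, ndots, existing):
    """Names actually queried: stop at the first one present in `existing`."""
    sent = []
    for fqdn in candidates(name, search, ndots):
        sent.append(fqdn)
        if fqdn in existing:
            break
    return sent


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    zone = {"mrkaran.dev."}                   # constructed: the only name that exists
    for n, nd in [("mrkaran.dev", ndots), ("mrkaran.dev", 1), ("mrkaran.dev.", ndots)]:
        print(nd, n, queries_sent(n, search, nd, zone))
```

With ndots:5 the model emits the same four names, in the same order, as the CoreDNS log for mrkaran.dev; with ndots:1 or a trailing dot only one query leaves the pod.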

Application in production

If an application makes many external network calls, DNS can become a bottleneck under active traffic, because name resolution produces many unnecessary queries (before the system reaches the right one). Applications usually do not append the root zone to domain names, though this sounds like a hack. That is, instead of querying api.twitter.com, you can hardcode api.twitter.com. (with the dot) in the application, which will make DNS clients perform authoritative lookups directly against the absolute domain.
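To measure how many lookups the search list costs for each external name, the CoreDNS log can be correlated per client. This is an added example, not code from the original article; the log lines are copied from the output shown earlier on this page, and the function names are assumptions.

```python
import re
from collections import Counter

# Added example. LOG holds the CoreDNS lines shown earlier on this page.
LOG = '''\
[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s
[INFO] 10.1.28.1:52495 - 2606 "A IN mrkaran.hello.svc.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000524939s
[INFO] 10.1.28.1:59287 - 57522 "A IN mrkaran.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000368277s
[INFO] 10.1.28.1:53086 - 4863 "A IN mrkaran.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000355344s
[INFO] 10.1.28.1:56863 - 41678 "A IN mrkaran. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.034629206s
'''
SEARCH = ["hello.svc.cluster.local", "svc.cluster.local", "cluster.local"]

LINE = re.compile(r'\[INFO\] (?P<client>[^ ]+):\d+ - \d+ '
                  r'"(?P<qtype>\S+) IN (?P<qname>\S+) [^"]*" (?P<rcode>[A-Z]+) ')


def strip_search_suffix(qname, search):
    """Return the name as the application asked for it, or None if no suffix matches."""
    for suffix in sorted(search, key=len, reverse=True):   # longest suffix first
        tail = "." + suffix + "."
        if qname.endswith(tail):
            return qname[: -len(tail)]
    return None


def wasted_queries(log_text, search):
    """Count NXDOMAIN search-list probes per (client, name) that also resolved as-is."""
    probes, resolved = Counter(), set()
    for m in map(LINE.match, log_text.splitlines()):
        if not m:
            continue
        client, qname, rcode = m["client"], m["qname"], m["rcode"]
        base = strip_search_suffix(qname, search)
        if rcode == "NXDOMAIN" and base:
            probes[(client, base)] += 1
        elif rcode == "NOERROR":
            resolved.add((client, qname.rstrip(".")))
    return {key: n for key, n in probes.items() if key in resolved}


if __name__ == "__main__":
    print(wasted_queries(LOG, SEARCH))
```

Names that appear in the result are candidates for a trailing dot in the application's configuration; mrkaran is absent because it never resolved at all.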

Furthermore, starting with Kubernetes version 1.14, the dnsConfig and dnsPolicy extensions have reached stable status. So, when deploying a pod, you can reduce the ndots value to, say, 3 (and even down to 1!). As a result, every message within the node will have to include the full domain. This is one of the classic trade-offs where you have to choose between performance and portability. It seems that you only need to worry about this if ultra-low latency is vital to your application, since DNS results are also cached internally.

References

I first learned about this at a K8s meetup held on 25 January. This problem was discussed there, among other things.

Here are some links for further exploration:

Note: I chose not to use dig in this article. dig automatically appends a dot (the root zone identifier), making the domain "fully qualified" (FQDN), without first running it through the search list. I wrote about this in one of my previous posts. Still, it is surprising that, in general, a separate flag has to be specified for the standard behaviour.

Happy DNSing! See you later!

Source: www.habr.com
