ProHoster > Ibhulogi > Ulawulo > Ukukhangela kwe-DNS kwi-Kubernetes

Ukukhangela kwe-DNS kwi-Kubernetes

Phawula. transl.: Ingxaki ye-DNS kwi-Kubernetes, okanye ngokuchanekileyo, useto lweparameter ndots, idume ngokumangalisayo, kwaye sele ikhona Hayi kuqala kunyaka. Kwelinye inqaku ngalo mxholo, umbhali wayo, injineli ye-DevOps evela kwinkampani enkulu yorhwebo e-Indiya, uthetha ngendlela elula kakhulu nemfutshane malunga nokuba yintoni eluncedo koogxa abasebenza i-Kubernetes ukuba bazi.

Ukukhangela kwe-DNS kwi-Kubernetes

Enye yeenzuzo eziphambili zokuthumela izicelo kwi-Kubernetes kukufunyanwa kwesicelo esingenamthungo. Unxibelelwano lwe-Intra-cluster lwenziwa lula kakhulu enkosi kumbono wenkonzo (inkonzo), eyi IP enenyani exhasa iseti yeedilesi ze-pod IP. Umzekelo, ukuba inkonzo vanilla unqwenela ukuqhagamshelana nenkonzo chocolate, inokufikelela ngokuthe ngqo kwi-IP yenyani ye chocolate. Umbuzo uvela: ngubani kule meko oya kusombulula isicelo se-DNS chocolate Kwaye Njani?

Isisombululo segama le-DNS siqwalaselwe kwiqela leKubernetes kusetyenziswa CoreDNS. I-Kubelet ibhalisa i-pod nge-CoreDNS njenge-nameserver kwiifayile /etc/resolv.conf zonke iifosholo. Ukuba ujonga umxholo /etc/resolv.conf nayiphi na i-pod, iya kujongeka ngolu hlobo:

search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5

Olu qwalaselo lusetyenziswa ngabaxhasi beDNS ukuthumela izicelo kwiseva yeDNS. Kwifayile resolv.conf iqulethe ulwazi olulandelayo:

  • iseva yegama: iseva apho izicelo ze-DNS ziya kuthunyelwa khona. Kwimeko yethu, le yidilesi yenkonzo ye-CoreDNS;
  • ukufuna: Ichaza indlela yokukhangela kwindawo ethile. Inika umdla loo nto google.com okanye mrkaran.dev ayiyo FQDN (amagama esizinda afanelekileyo). Ngokwengqungquthela eqhelekileyo elandelwa uninzi lwabasombululi be-DNS, kuphela ezo ziphela ngechaphaza ".", ezimele indawo eyingcambu, zithathwa njengemimandla ekufanelekeleyo (FDQN). Abanye abasombululi banokongeza inqaku ngokwabo. Ngoko, mrkaran.dev. ligama lesizinda eliqeqeshwe ngokupheleleyo (FQDN), kunye mrkaran.dev - Hayi;
  • ndots: Ipharamitha enomdla kakhulu (eli nqaku lithetha ngayo). ndots ixela inani eliqingqiweyo lamachaphaza kwigama lesicelo phambi kokuba lithathwe njengegama ledomeyini “elifaneleke ngokupheleleyo”. Siza kuthetha ngakumbi malunga noku kamva xa sihlalutya ulandelelwano lokujonga i-DNS.

Ukukhangela kwe-DNS kwi-Kubernetes

Makhe sibone ukuba kwenzeka ntoni xa sibuza mrkaran.dev kwi pod:

$ nslookup mrkaran.dev
Server: 10.152.183.10
Address: 10.152.183.10#53

Non-authoritative answer:
Name: mrkaran.dev
Address: 157.230.35.153
Name: mrkaran.dev
Address: 2400:6180:0:d1::519:6001

Kolu vavanyo, ndibeka inqanaba lokungena kwi-CoreDNS all (nto leyo eyenza ukuba ibe nesenzi kakhulu). Makhe sijonge iinkuni zepod coredns:

[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s

Phew. Zimbini izinto ezitsala umdla wakho apha:

  • Isicelo sihamba kuzo zonke izigaba zokukhangela de impendulo iqulethe ikhowudi NOERROR (Abaxhasi be-DNS bayayiqonda kwaye bayigcine njengesiphumo). NXDOMAIN kuthetha ukuba akukho rekhodi ifunyenweyo yegama lesizinda elinikiweyo. Ngenxa yokuba mrkaran.dev ayilogama le-FQDN (ngokwe ndots=5), umxazululi ujonga indlela yokukhangela kwaye umisela umyalelo wezicelo;
  • Iingxelo А и АААА fika ngaxeshanye. Inyani kukuba izicelo zexesha elinye ngaphakathi /etc/resolv.conf Ngokungagqibekanga, zibunjwa ngendlela yokuba uphendlo oluhambelanayo lwenziwe kusetyenziswa i-IPv4 kunye ne-IPv6 protocol. Ungayirhoxisa le ndlela yokuziphatha ngokongeza ukhetho single-request в resolv.conf.

Qaphela: glibc ingaqwalaselwa ukuthumela ezi zicelo ngokulandelelanayo, kwaye musl - hayi, ngoko abasebenzisi beAlpine kufuneka bathathele ingqalelo.

Ukuzama nge ndots

Masikhe silinge ngakumbi ndots kwaye makhe sibone ukuba le parameter iziphatha njani. Umbono ulula: ndots igqiba ukuba umxhasi we-DNS uyakuyiphatha i-domain njenge-absolute okanye isihlobo. Umzekelo, kwimeko ye-google DNS client elula, iyazi njani ukuba le domain iphelele? Ukuba useta ndots ilingana no-1, umxhasi uya kuthi: "Owu, ngaphakathi google akukho nqaku elinye; Ndicinga ukuba ndiza kulujonga lonke uluhlu lokukhangela. " Nangona kunjalo, ukuba uyabuza google.com, uluhlu lwezimamva aluyi kuhoywa ngokupheleleyo kuba igama eliceliweyo lidibana nomda ndots (kukho ubuncinane inqaku elinye).

Masiqinisekise ngale nto:

$ cat /etc/resolv.conf
options ndots:1
$ nslookup mrkaran
Server: 10.152.183.10
Address: 10.152.183.10#53

** server can't find mrkaran: NXDOMAIN

Iilog zeCoreDNS:

[INFO] 10.1.28.1:52495 - 2606 "A IN mrkaran.hello.svc.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000524939s
[INFO] 10.1.28.1:59287 - 57522 "A IN mrkaran.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000368277s
[INFO] 10.1.28.1:53086 - 4863 "A IN mrkaran.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000355344s
[INFO] 10.1.28.1:56863 - 41678 "A IN mrkaran. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.034629206s

Ukusukela nge mrkaran akukho nenqaku elinye, uphendlo lwenziwe kulo lonke uluhlu lwezimamva.

Qaphela: ekusebenzeni elona xabiso liphezulu ndots kuphela kwi-15; ngokungagqibekanga kwi-Kubernetes yi-5.

Isicelo kwimveliso

Ukuba isicelo senza iifowuni ezininzi zangaphandle zothungelwano, i-DNS inokuba ngumqobo kwimeko yetrafikhi esebenzayo, kuba isisombululo samagama senza imibuzo emininzi engeyomfuneko (phambi kokuba inkqubo ifike kweyiyo). Usetyenziso aludli ngokudibanisa indawo yengcambu kumagama wesizinda, kodwa oku kuvakala ngathi kukukhohlisa. Oko kukuthi, endaweni yokubuza api.twitter.com, ungayi 'hardcode' api.twitter.com. (ngechaphaza) kwisicelo, nto leyo eya kukhuthaza abathengi be-DNS ukuba benze ukhangelo olugunyazisiweyo ngokuthe ngqo kwi-domain epheleleyo.

Ukongeza, ukuqala ngeKubernetes inguqulo 1.14, izandiso dnsConfig и dnsPolicy ifumene iwonga elizinzileyo. Ngaloo ndlela, xa uhambisa i-pod, unokunciphisa ixabiso ndots, yithi, ukuya ku-3 (kunye nokuya ku-1!). Ngenxa yoku, wonke umyalezo ongaphakathi kwendawo kuya kufuneka ubandakanye i-domain epheleleyo. Le yenye yeendlela zokurhweba zakudala xa kufuneka ukhethe phakathi kokusebenza kunye nokuphatheka. Kum kubonakala ngathi kufuneka ukhathazeke malunga noku ukuba i-latency esezantsi ibalulekile kwisicelo sakho, kuba iziphumo ze-DNS zigcinwe ngaphakathi.

iimbekiselo

Ndiqale ndafunda ngeli nqaku K8s-indibano, ebibanjwe ngoJanuwari 25. Kwakukho ingxoxo malunga nale ngxaki, phakathi kwezinye izinto.

Nanga amanye amakhonkco ophononongo oluthe kratya:

  • Inkcazo, kutheni ndots=5 e Kubernetes;
  • Izinto ezintle indlela ukutshintsha i-ndots kuchaphazela ngayo ukusebenza kwesicelo;
  • Ukungangqinelani phakathi kwezisulu ze-musl kunye ne-glibc.

Qaphela: Ndikhethe ukungasebenzisi dig kweli nqaku. dig yongeza ngokuzenzekelayo ichaphaza (i-root zone identifier), yenza i-domain "ifaneleke ngokupheleleyo" (FQDN), hayi ngokuyiqhuba kuqala kuluhlu lophendlo. Ubhale malunga noku enye yeempapasho zangaphambili. Nangona kunjalo, kuyamangalisa ukuba, ngokubanzi, iflegi eyahlukileyo kufuneka ichazwe kwindlela yokuziphatha esemgangathweni.

I-DNSing eyonwabileyo! Mandikubone emva kwexesha!

PS evela kumguquleli

Funda nakwibhlog yethu:

umthombo: www.habr.com

Yongeza izimvo