DNS lookups in Kubernetes

Translator's note: The DNS problem in Kubernetes, or more precisely the setting of the ndots parameter, is surprisingly well known, and has been for more than a year. In yet another note on this topic, its author, a DevOps engineer at a large brokerage company in India, explains very simply and concisely what colleagues running Kubernetes will find useful to know.

One of the main advantages of deploying applications on Kubernetes is seamless application discovery. Communication inside the cluster is greatly simplified by the Service concept, which is a virtual IP backed by a set of pod IP addresses. For example, if the vanilla service wants to contact the chocolate service, it can access the virtual IP for chocolate directly. The question arises: who resolves the DNS query for chocolate in this case, and how?

DNS name resolution in a Kubernetes cluster is configured using CoreDNS. The kubelet registers CoreDNS as the nameserver in the /etc/resolv.conf file of every pod. If you look at the contents of /etc/resolv.conf in any pod, it will look something like this:

search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5

DNS clients use this configuration to forward queries to the DNS server. The resolv.conf file contains the following information:

  • nameserver: the server to which DNS queries will be sent. In our case, this is the address of the CoreDNS service;
  • search: defines the search path for a particular domain. Interestingly, google.com or mrkaran.dev are not FQDNs (fully qualified domain names). By the standard convention that most DNS resolvers follow, only names ending with a dot ".", which represents the root zone, are considered fully qualified domain names (FQDN). Some resolvers can append the dot themselves. Thus, mrkaran.dev. is a fully qualified domain name (FQDN), and mrkaran.dev is not;
  • ndots: the most interesting parameter (this article is about it). ndots specifies the threshold number of dots in a query name before it is treated as a "fully qualified" domain name. We will talk more about this later, when we analyze the DNS lookup sequence.

Let's see what happens when we query mrkaran.dev in a pod:

$ nslookup mrkaran.dev
Server: 10.152.183.10
Address: 10.152.183.10#53

Non-authoritative answer:
Name: mrkaran.dev
Address: 157.230.35.153
Name: mrkaran.dev
Address: 2400:6180:0:d1::519:6001

For this experiment, I set the CoreDNS logging level to all (which makes it quite verbose). Let's look at the logs of the coredns pod:

[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s

Phew. Two things catch your attention here:

  • The query goes through all the search stages until a response contains the NOERROR code (DNS clients understand it and store it as the result). NXDOMAIN means that no record was found for the given domain name. Since mrkaran.dev is not an FQDN (according to ndots=5), the resolver looks at the search path and determines the order of the queries;
  • The A and AAAA records arrive in parallel. The point is that, by default, one-off queries in /etc/resolv.conf are configured so that parallel lookups are performed over IPv4 and IPv6. You can cancel this behaviour by adding the single-request option to resolv.conf.

Note: glibc can be configured to send these queries sequentially, and musl cannot, so Alpine users should take note.

Experimenting with ndots

Let's experiment a little more with ndots and see how this parameter behaves. The idea is simple: ndots determines whether the DNS client treats a domain as absolute or relative. For example, in the case of the simple name google, how does the DNS client know whether this domain is absolute? If you set ndots to 1, the client will say: "Oh, there is no dot in google; I guess I'll go through the whole search list." However, if you query google.com, the list of suffixes will be ignored entirely, because the requested name meets the ndots threshold (there is at least one dot).

Let's verify this:

$ cat /etc/resolv.conf
options ndots:1
$ nslookup mrkaran
Server: 10.152.183.10
Address: 10.152.183.10#53

** server can't find mrkaran: NXDOMAIN

CoreDNS logs:

[INFO] 10.1.28.1:52495 - 2606 "A IN mrkaran.hello.svc.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000524939s
[INFO] 10.1.28.1:59287 - 57522 "A IN mrkaran.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000368277s
[INFO] 10.1.28.1:53086 - 4863 "A IN mrkaran.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000355344s
[INFO] 10.1.28.1:56863 - 41678 "A IN mrkaran. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.034629206s

Since there is no dot in mrkaran, the search was performed across the whole list of suffixes.

Note: in practice the maximum value of ndots is limited to 15; in Kubernetes the default is 5.
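The lookup order seen in the CoreDNS logs above can be reproduced offline. The following is an added example, not code from the original article: it assumes glibc-style resolver behaviour, and the function names (parse_resolv_conf, query_order, wasted_queries) are made up for illustration.

```python
# Added example: models glibc-style search-list expansion for one record type.
RESOLV_CONF = """\
search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5
"""  # the pod resolv.conf shown earlier on this page


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "search":
            search = fields[1:]          # a later search line replaces earlier ones
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt.split(":", 1)[1]), 15)  # capped at 15
    return search, ndots


def query_order(name, conf_text):
    """Names the stub resolver tries, in order, until one returns an answer."""
    search, ndots = parse_resolv_conf(conf_text)
    if name.endswith("."):               # trailing dot: absolute, no search list
        return [name]
    expanded = [f"{name}.{suffix}." for suffix in search]
    absolute = name + "."
    if name.count(".") >= ndots:         # enough dots: absolute name is tried first
        return [absolute] + expanded     # suffixes only matter if that query fails
    return expanded + [absolute]         # too few dots: search list goes first


def wasted_queries(name, conf_text, existing):
    """Count NXDOMAIN round trips before the first name found in `existing`."""
    order = query_order(name, conf_text)
    for misses, candidate in enumerate(order):
        if candidate in existing:
            return misses
    return len(order)


if __name__ == "__main__":
    for q in ("mrkaran.dev", "mrkaran.dev.", "chocolate"):
        print(q, "->", query_order(q, RESOLV_CONF))
```

With ndots:5, mrkaran.dev costs three NXDOMAIN round trips per record type before the real answer; with the trailing dot it costs none.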

Application in production

If an application makes many external network calls, DNS can become a bottleneck under heavy traffic, because name resolution generates many unnecessary queries (before the system reaches the right one). Applications usually do not add the root zone to domain names, though doing so would count as a hack. That is, instead of requesting api.twitter.com, you can hardcode api.twitter.com. (with a dot) in the application, which prompts DNS clients to perform authoritative lookups directly on the absolute domain.

In addition, starting with Kubernetes 1.14, the dnsConfig and dnsPolicy extensions became stable. So, when deploying a pod, you can reduce the ndots value to, say, 3 (and even to 1!). Because of this, every message inside the cluster will have to include the full domain. This is one of the classic trade-offs where you have to choose between performance and portability. It seems to me that you should worry about this only if ultra-low latency is vital to your application, since DNS results are also cached internally.

References

I first learned about this feature at a K8s meetup held on January 25. Among other things, there was a talk about this problem.

Here are some links for further study:

  • An explanation of why ndots=5 in Kubernetes;
  • A great article on how changing ndots affects application performance;
  • The differences between the musl and glibc resolvers.

Note: I chose not to use dig in this article. dig automatically appends a dot (the root zone identifier), making the domain "fully qualified" (FQDN), without first going through the search list. I wrote about this in one of my previous posts. Still, it is quite surprising that, in general, a separate flag has to be specified for the standard behaviour.

Happy DNSing! See you soon!

Source: www.habr.com