Explanation of pod DNS configuration & cases of DNS resolution failure

This article will be based on Dockerd Run time to describe the deployment .

Docker Inside the container resolv.conf

（ Here is a docker container As an example to describe ）

Run a... On the node nginx container.

$ docker run -d nginx:latest 
da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93

Execute in container findmnt.

$ docker exec  da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93 findmnt
...

|-/etc/resolv.conf                    /dev/vda1[/var/lib/docker/containers/da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93/resolv.conf] ext4    rw,noatime
|-/etc/hostname                       /dev/vda1[/var/lib/docker/containers/da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93/hostname]    ext4    rw,noatime
`-/etc/hosts                          /dev/vda1[/var/lib/docker/containers/da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93/hosts]       ext4    rw,noatime
...

You can see , Inside the container /etc/resolv.conf Is attached to the host file （/var/lib/docker/containers/da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93/resolv.conf）.

（ Take a closer look at the contents of the document , On the same node /etc/resolv.conf The content is consistent ）

stay Docker Container Creation time ,Docker Will be based on /etc/resolv.conf File to generate what the container needs resolv.conf, Generated resolv.conf Be put in container In the configuration directory of （/var/lib/docker/contaienrs/...）.

in addition , You can also view a by using the following command Docker Container resolv.conf The real source of .

$ docker inspect da30536de35915abe1214a25e1c6278f95e5c8af157517ddefc5eaa1d3b36d93 -f {{.ResolvConfPath}}

Pod Internal resolv.conf

pod Support the following 4 Kind of dnsPolicy：

• "Default": Pod Inherit the domain name resolution configuration from the running node .
• "ClusterFirst":   Default configuration , All requests will take priority in the cluster domain （ such as cluster.local） Inquire about , If not, it will be forwarded to the upstream DNS.
• "ClusterFirstWithHostNet"： In the hostNetwork Way to run Pod, It should be set explicitly DNS Strategy "ClusterFirstWithHostNet"; Otherwise, the domain name resolution configuration will be inherited from the running node .
• "None": Allow users to give Pod To configure DNS.

When pod After scheduling to the node ,kubelet Will come to pod The configuration is specific resolv.conf Content ：

1 kubelet Will first create and run pod Of sandbox, And then get sandbox Of ResolvConfPath（/var/lib/docker/containers/xxxxxxx/resolv.conf）, Next , hold dns policy The specific content of this article is written as sandbox Of ResolvConfPath（ Write directly over ）.

2 kubelet Continue to create the same pod In the other container, And use the same ResolvConfPath（ The same pod Of all containers ResolvConfPath The real source on the host is the same ）.

therefore , You can see ,pod Internal resolv.conf yes pod It was determined at the time of creation .

DNS Impassable cases

Problem description ：

After the customer has created the cluster , Manually changed the on the node /etc/resolv.conf file , take nameserver Configure self built domain name resolution , Lead to in pod Inside （dnsPolicy yes ClusterFirst） The internal domain name cannot be resolved normally .

The root cause of the problem is ：

Business pod（dnsPolicy yes ClusterFirst） Will DNS The request is sent to... In the cluster Coredns, Because it is an internal domain name ,Coredns Will forward the request to /etc/resolv.conf（coredns pod Inside resolv.conf）, instead of Coredns pod On the node where the instance is located resolv.conf, The customer cannot resolve the internal domain name .

Repair plan ：

The reconstruction Coredns pod example .