DocsICP FilingConsole
官方文档
首页

Use a DNS proxy in ASM

更新时间:
复制 MD 格式
产品详情
我的收藏

The DNS proxy feature in a Service Mesh allows the sidecar proxy to act as a caching DNS proxy. When an application sends a DNS query, the Service Mesh transparently intercepts and resolves the query. This topic describes how to enable and use the DNS proxy feature in ASM.

Prerequisites

Background

By default, each ACK cluster deploys a DNS service to provide domain name resolution for workloads. This allows applications that run in a Kubernetes cluster to use DNS to discover other services in the cluster.

A DNS server runs in each Kubernetes cluster, and every pod uses this internal DNS server for domain name resolution. By default, DNS requests are not intercepted by the sidecar proxy, and each application attempts to resolve DNS names before it opens connections to other services. After you enable the DNS proxy feature in ASM, the sidecar proxy transparently intercepts and resolves DNS queries from applications, accelerating domain name resolution.

Enable DNS proxy

Scenario 1: Enable DNS proxy globally

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Data Plane Component Management > Sidecar Proxy Setting.

  3. On the global tab, click DNS Proxy, turn on the Enable DNS Proxy Feature switch, and then click Update Settings.

  4. Restart the pod to apply the DNS configuration.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Pods.

    3. On the Pods page, find the target pod and choose More > Delete in the Actions column.

    4. In the Message dialog box, click Confirm.

      The new configuration takes effect when the pod restarts.

Scenario 2: Enable DNS proxy for a specific namespace

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Data Plane Component Management > Sidecar Proxy Setting.

  3. On the Configure the agent parameters of the injected Sidecar page, click the Namespaces tab.

  4. Select a Namespaces, click DNS Proxy, turn on the Enable DNS Proxy Feature switch, and then click Update Settings.

  5. Restart the pod to apply the DNS configuration.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Pods.

    3. On the Pods page, find the target pod and choose More > Delete in the Actions column.

    4. In the Message dialog box, click Confirm.

      The new configuration takes effect when the pod restarts.

Scenario 3: Enable DNS proxy for a specific pod

To enable the DNS proxy feature for a specific pod, add an annotation to the pod's YAML configuration.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Deployments.

  3. On the Deployments page, find the target application and choose More > View YAML from the Actions column.

  4. In the Edit YAML dialog box, add the following annotation to spec.template.metadata.annotations, and then click Update.

    annotations:
  proxy.istio.io/config: |
    proxyMetadata:
      ISTIO_META_DNS_CAPTURE: "true"
      ISTIO_META_DNS_AUTO_ALLOCATE: "true"

  5. Restart the pod to apply the DNS configuration.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Pods.

    3. On the Pods page, find the target pod and choose More > Delete in the Actions column.

    4. In the Message dialog box, click Confirm.

      The new configuration takes effect when the pod restarts.

Use DNS proxy

Step 1: Create a ServiceEntry

Create a ServiceEntry to add aliyun.com to the internal service registry of the Service Mesh.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry). On the page that appears, click Create from YAML.

  5. On the Create page, select a Namespaces, choose a Scenario Template, copy the following content into the text box, and then click Create.

    apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
 name: test1-mydnsproxying
spec:
 hosts:
 - aliyun.com
 location: MESH_EXTERNAL
 ports:
 - number: 443
   name: https
   protocol: TLS
 resolution: DNS

Step 2: Deploy a sample application

  1. Obtain the KubeConfig file of a cluster and use kubectl to connect to the cluster.

  2. Create a file named sleep.yaml that contains the following content.

    View sleep.yaml

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true

  3. Run the following command to deploy the sleep application.

    kubectl apply -f sleep.yaml

  4. Run the following command to check whether the sleep pod has started.

    kubectl get pod |grep sleep

    Expected output:

    NAME                       READY   STATUS    RESTARTS   AGE
sleep-66cd8f684f-nxw8v     2/2     Running   0          16m

Step 3: Enable DNS proxy for the sleep container

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Deployments.

  3. On the Deployments page, find the target application and choose More > View YAML from the Actions column.

  4. In the Edit YAML dialog box, add the following annotation to spec.template.metadata.annotations, and then click Update.

    annotations:
  proxy.istio.io/config: |
    proxyMetadata:
      ISTIO_META_DNS_CAPTURE: "true"
      ISTIO_META_DNS_AUTO_ALLOCATE: "true"

  5. Restart the pod to apply the DNS configuration.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Pods.

    3. On the Pods page, find the target pod and choose More > Delete in the Actions column.

    4. In the Message dialog box, click Confirm.

      The new configuration takes effect when the pod restarts.

Step 4: Verify the DNS proxy

  1. Check the logs of the istio-init container.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Pods.

    3. On the Pods page, click the name of the sleep pod.

    4. On the pod details page, click the Logs tab and set Containers to istio-init.

      The following logs are displayed:

      -A OUTPUT -p udp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-port 15053
-A ISTIO_OUTPUT -p tcp --dport 53 -d 192.168.0.10/32 -j REDIRECT --to-ports 15053

      The sidecar proxy intercepts all DNS queries from the application container by using iptables rules, just as it intercepts other types of traffic. Istio adds additional iptables rules to redirect all DNS packets on port 53 (TCP and UDP) that are destined for the Kubernetes DNS service, such as the CoreDNS service, to port 15053.

  2. Check the port on which the pilot-agent process listens.

    1. In the left navigation pane of the cluster management page, choose Workload > Pods.

    2. On the Pods page, find the sleep pod, click Terminal in the Actions column, and then select istio-proxy.

    3. In the istio-proxy container, run the following command to check the port that the pilot-agent process listens on.

      netstat -anp |grep 15053

      Expected output:

      tcp        0      0 127.0.0.1:15053         0.0.0.0:*               LISTEN      1/pilot-agent
udp        0      0 127.0.0.1:15053         0.0.0.0:*                           1/pilot-agent

      DNS queries are redirected to the pilot-agent process that runs in the sidecar proxy container. The output shows that the process is listening on port 15053.

  3. Access aliyun.com.

    1. In the left navigation pane of the cluster management page, choose Workload > Pods.

    2. On the Pods page, find the sleep pod, click Terminal in the Actions column, and then select sleep.

    3. In the sleep container, run the following command to access aliyun.com.

      curl -v https://aliyun.com

      Expected output:

      *   Trying 240.240.**.**:443...
* Connected to aliyun.com (240.240.**.**) port 443 (#0)

      The returned IP address is 240.240.**.**. This is a Service Mesh automatically assigned by the Service Mesh, not the real public IP address. The service mesh uses iptables to hijack requests to kube-dns and routes them to the sidecar proxy that runs in the pod. When the application sends a request to this virtual IP address, the sidecar proxy translates it to the actual public IP address.

Enable debug logging for the DNS proxy

You can enable debug logging for the DNS proxy. When enabled, pilot-agent records every DNS query from the application container.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Workloads > Deployments.

  3. On the Deployments page, find the target application and choose More > View YAML from the Actions column.

  4. In the Edit YAML dialog box, add the following annotation under the spec parameter and click Update.

    annotations:
  sidecar.istio.io/agentLogLevel: "dns:debug"
    spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: sleep
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sleep
      annotations:
        sidecar.istio.io/agentLogLevel: "dns:debug"

  5. Run the following command in the cluster to view the debug logs.

    kubectl logs -n default sleep-85fdfd8896-2ctq4 -c istio-proxy | grep debug

    View the expected output

    2022-03-28T12:15:05.064562Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16390
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
    protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
2022-03-28T12:15:05.064572Z    debug    dns    request ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab57367****
2022-03-28T12:15:05.064593Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16390
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     AAAA
    protocol=udp edns=false id=1c71c9f1-e051-49e9-8d04-d7c82ee****
2022-03-28T12:15:05.064614Z    debug    dns    response for hostname "alibabacloud.com.default.svc.cluster.local." (found=true): ;; opcode: QUERY, status: NOERROR, id: 16016
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;alibabacloud.com.default.svc.cluster.local.    IN     A
;; ANSWER SECTION:
alibabacloud.com.default.svc.cluster.local.    30    IN    CNAME    alibabacloud.com.
alibabacloud.com.    30    IN    A    240.240.**.**
    protocol=udp edns=false id=4cec8078-5355-4d1b-b496-ab573670****

    The log entry contains found=true, indicating that the domain name was resolved from the service mesh's internal registry.

Previous:Bypass the sidecar proxy for specific trafficNext:Configure Sidecar extensions