A Pod, as the entity that actually provides a service inside the cluster, can be given a DNS name just like a Service. In addition, the system offers several DNS policies that a client application Pod can choose from.
Pod DNS names
For a Pod, Kubernetes sets a DNS name of the form <pod-ip>.<namespace>.pod.<cluster-domain>, where every "." in the Pod IP is replaced by "-". For example:
[root@master1 data]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox 1/1 Running 1 81m 10.0.104.22 node2 <none> <none>
webapp-5bc8768bd6-4skln 1/1 Running 0 47m 10.0.104.26 node2 <none> <none>
webapp-5bc8768bd6-mh6v8 1/1 Running 0 47m 10.0.104.25 node2 <none> <none>
webapp-5bc8768bd6-v4dll 1/1 Running 0 47m 10.0.166.151 node1 <none> <none>
[root@master1 data]#
[root@master1 data]# kubectl exec -it busybox -- nslookup 10-0-104-25.default.pod.cluster.local
Server: 172.16.0.254
Address 1: 172.16.0.254 kube-dns.kube-system.svc.cluster.local
Name: 10-0-104-25.default.pod.cluster.local
Address 1: 10.0.104.25 10-0-104-25.webapp.default.svc.cluster.local
For this to work, the kubernetes plugin in the CoreDNS Corefile must have a pods mode configured, for example:
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
}
The documentation on coredns.io describes the option as follows:
pods POD-MODE sets the mode for handling IP-based pod A records, e.g. 1-2-3-4.ns.pod.cluster.local. in A 1.2.3.4. This option is provided to facilitate use of SSL certs when connecting directly to pods. Valid values for POD-MODE:
- disabled: Default. Do not process pod requests, always returning NXDOMAIN
- insecure: Always return an A record with IP from request (without checking k8s). This option is vulnerable to abuse if used maliciously in conjunction with wildcard SSL certs. This option is provided for backward compatibility with kube-dns.
- verified: Return an A record if there exists a pod in same namespace with matching IP. This option requires substantially more memory than in insecure mode, since it will maintain a watch on all pods.
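The security difference between the three pods modes is easiest to see in code. The following is an added example, not code from the page or from CoreDNS: it builds the <pod-ip>.<namespace>.pod.<cluster-domain> name and models how a resolver would answer it under disabled, insecure and verified mode, using a constructed pod inventory in place of an API server watch.

```python
"""Model of how the CoreDNS kubernetes plugin answers <dashed-ip>.<ns>.pod.<zone>
queries under the three `pods` modes (disabled / insecure / verified).
Added example; the pod inventory below is constructed, not read from a cluster."""
import ipaddress
import re

ZONE = "cluster.local"

# Constructed inventory of (namespace, pod IP) pairs, standing in for the
# pod watch that `pods verified` maintains against the API server.
KNOWN_PODS = {
    ("default", "10.0.104.25"),
    ("default", "10.0.104.26"),
    ("kube-system", "10.0.166.3"),
}

def pod_dns_name(pod_ip: str, namespace: str, zone: str = ZONE) -> str:
    """Build the <pod-ip>.<namespace>.pod.<zone> name; dots in the IP become dashes."""
    ipaddress.IPv4Address(pod_ip)  # raises ValueError for a malformed address
    return f"{pod_ip.replace('.', '-')}.{namespace}.pod.{zone}"

_POD_QNAME = re.compile(r"^(\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})\.([a-z0-9-]+)\.pod\.(.+)$")

def resolve_pod_name(qname: str, mode: str, zone: str = ZONE):
    """Return the A record (an IP string) or None, which stands for NXDOMAIN."""
    match = _POD_QNAME.match(qname.rstrip("."))
    if not match or match.group(3) != zone:
        return None                     # not a pod name in our zone
    dashed, namespace, _ = match.groups()
    ip = dashed.replace("-", ".")
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None                     # dashes did not decode to a valid IPv4 address
    if mode == "disabled":
        return None                     # default: pod queries are never answered
    if mode == "insecure":
        return ip                       # trust the name itself; no check against the API
    if mode == "verified":
        # Only answer when a pod with that IP exists in the same namespace.
        return ip if (namespace, ip) in KNOWN_PODS else None
    raise ValueError(f"unknown pods mode: {mode}")
```

In insecure mode any name that looks like a pod address resolves, which is why the documentation warns about combining it with wildcard TLS certificates; verified mode answers only for IPs the cluster actually has in that namespace.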
Service DNS names
For Pods created by a Deployment or DaemonSet, Kubernetes sets a DNS name for each Pod from its IP address and the controller name, of the form <pod-ip>.<deployment/daemonset-name>.<namespace>.svc.<cluster-domain>, where every "." in the Pod IP string is replaced by "-". For example, for the Pod with IP address 10.0.104.25 below, the DNS name the system sets is 10-0-104-25.webapp.default.svc.cluster.local. Verify it with nslookup:
[root@master1 data]# kubectl get deployments -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
webapp 3/3 3 3 51m webapp kubeguide/tomcat-app:v1 app=webapp
[root@master1 data]#
[root@master1 data]# kubectl get svc webapp
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
webapp ClusterIP 172.16.154.183 <none> 8080/TCP 6m26s
[root@master1 data]#
[root@master1 data]# kubectl exec -it busybox -- nslookup 10-0-104-25.webapp.default.svc.cluster.local
Server: 172.16.0.254
Address 1: 172.16.0.254 kube-dns.kube-system.svc.cluster.local
Name: 10-0-104-25.webapp.default.svc.cluster.local
Address 1: 10.0.104.25 10-0-104-25.webapp.default.svc.cluster.local
Note that a Service (with a Service IP) must exist for the svc-style name to resolve; without one, the query fails.