coredns forward plugin to use a k8s service name


For configuring a multicluster Istio with replicated control planes, one of the requirements is to configure the k8s coredns service in the kube-system namespace, to forward zone "global" to the IP of the "istiocoredns" service deployed in the istio-system namespace. Like this:

    global:53 {
        errors
        cache 30
        forward . $(kubectl get svc -n istio-system istiocoredns -o jsonpath={.spec.clusterIP}):53
    }

In the example they use that command expansion to get the IP of the istiocoredns ClusterIP type of service.

As that is a non static IP and could be modified, I am looking for a way to use something more dynamic and change aware. Using the istiocoredns service FQDN name would be great, but coredns documentation is not mentioning anything about it.

Is there any coredns plugin or workaround for this?

Thank you.

Jakub On BEST ANSWER

Is there any coredns plugin or workaround for this?

There is an istio coredns plugin, but as mentioned in the usage section, they set the IP of the coredns there anyway.

Update the kube-dns config map to point to this coredns service as the upstream DNS service for the *.global domain. You will have to find out the cluster IP of coredns service and update the config map (or write a controller for this purpose!).

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: kube-dns
      namespace: kube-system
    data:
      stubDomains: |
        {"global": ["10.2.3.4"]}

But here's some interesting information

UPDATE: This plugin is no longer necessary as of Istio 1.8. DNS is built into the istio agent in the sidecar. Sidecar DNS is enabled by default in the preview profile. You can also enable it manually by setting the following config in the istio operator

    meshConfig:
      defaultConfig:
        proxyMetadata:
          ISTIO_META_DNS_CAPTURE: "true"
          ISTIO_META_PROXY_XDS_VIA_AGENT: "true"

You can find more information about it here.

There are a few efforts in progress that will help simplify the DNS story:

Istio will soon support DNS interception for all workloads with a sidecar proxy. This will allow Istio to perform DNS lookup on behalf of the application.

Admiral is an Istio community project that provides a number of multicluster capabilities, including automatic creation of service DNS entries.

Kubernetes Multi-Cluster Services is a Kubernetes Enhancement Proposal (KEP) that defines an API for exporting services to multiple clusters. This effectively pushes the responsibility of service visibility and DNS resolution for the entire clusterset onto Kubernetes. There is also work in progress to build layers of MCS support into Istio, which would allow Istio to work with any cloud vendor MCS controller or even act as the MCS controller for the entire mesh.

While Admiral is available today, the Istio and Kubernetes communities are actively building more general solutions into their platforms. Stay tuned!


There is an article about that in the 1.8 prelim docs.
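One way to act on the "write a controller for this purpose" suggestion quoted in the answer, as an added example that is not part of the original question or answer: a POSIX shell reconcile pass that rewrites the `forward` line of the `global:53` block from the live ClusterIP. It assumes the ConfigMap is `kube-system/coredns` with a `Corefile` key and a block laid out as in the question; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): reconcile the global:53 forward target.
# Assumed names: ConfigMap kube-system/coredns with a "Corefile" key.

# Accept only a dotted-quad IPv4 address, so a headless service ("None") or
# any other unexpected value never reaches the Corefile.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Read a Corefile on stdin and point the forward line of the global:53
# block at the given IP; every other line is passed through untouched.
set_global_forward() {
  valid_ipv4 "$1" || { echo "refusing upstream '$1'" >&2; return 1; }
  awk -v ip="$1" '
    /^[ \t]*global:53[ \t]*[{]/      { in_zone = 1 }
    in_zone && /^[ \t]*forward[ \t]/ { sub(/forward[ \t].*/, "forward . " ip ":53") }
    in_zone && /^[ \t]*[}]/          { in_zone = 0 }
    { print }'
}

# One reconcile pass: look up the live ClusterIP and update the ConfigMap
# only when the rendered Corefile differs from the stored one.
sync_global_zone() {
  ip=$(kubectl get svc -n istio-system istiocoredns \
        -o jsonpath='{.spec.clusterIP}') || return 1
  current=$(kubectl get configmap -n kube-system coredns \
        -o jsonpath='{.data.Corefile}') || return 1
  wanted=$(printf '%s\n' "$current" | set_global_forward "$ip") || return 1
  [ "$wanted" = "$current" ] && return 0
  kubectl create configmap coredns -n kube-system \
    --from-literal=Corefile="$wanted" --dry-run=client -o yaml |
    kubectl apply -f -
}

# Run "sync-global-zone.sh sync" (hypothetical file name) on a schedule.
if [ "${1:-}" = "sync" ]; then sync_global_zone; fi
```

CoreDNS applies the changed Corefile on its own only when the `reload` plugin is enabled in that Corefile; otherwise the CoreDNS pods have to be restarted.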