-
Notifications
You must be signed in to change notification settings - Fork 4.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: Consul DNS views on Kubernetes (#21802)
* Backport of ci: update the security-scanner gha token into release/1.20.x (#21754) backport of commit eb9dbc9 Co-authored-by: dduzgun-security <[email protected]> * Backport of Initialize 1.20 Release into release/1.20.x (#21753) * backport of commit a33e903 * backport of commit 37163dc * backport of commit 38f0907 * backport of commit 6ab7ec2 * backport of commit 7ac4178 * backport of commit 5dfebb2 * backport of commit 316d68c --------- Co-authored-by: Sarah Alsmiller <[email protected]> Co-authored-by: sarahalsmiller <[email protected]> * Backport of Stage rc release into release/1.20.x (#21772) backport of commit d311f2b Co-authored-by: Sarah Alsmiller <[email protected]> * Backport of Upgrade ubi image to 9.4 into release/1.20.x (#21773) * backport of commit 888e302 * backport of commit 17499dc * backport of commit d933d37 --------- Co-authored-by: Dhia Ayachi <[email protected]> Co-authored-by: sarahalsmiller <[email protected]> * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <[email protected]> Co-authored-by: Sarah Alsmiller <[email protected]> Co-authored-by: sarahalsmiller <[email protected]> * Backport of fix spacing of bash scripts into release/1.20.x (#21769) * backport of commit 1e97297 * backport of commit b7053f5 * backport of commit a391f2f --------- Co-authored-by: jm96441n <[email protected]> * Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x (#21783) backport of commit c3db6c9 Co-authored-by: Michael Zalimeni <[email protected]> * initial commit * Initial pages * Edits to other pages + nav & redirects * minor fixes * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <[email protected]> Co-authored-by: Sarah Alsmiller <[email protected]> Co-authored-by: sarahalsmiller <[email protected]> * CE-679 * align with main * Content updates * minor edit * Apply suggestions from code review Co-authored-by: Aimee Ukasick <[email protected]> Co-authored-by: Blake Covarrubias <[email protected]> * CoreDNS config update * small edits * typo fix --------- Co-authored-by: hc-github-team-consul-core <[email protected]> Co-authored-by: dduzgun-security <[email protected]> Co-authored-by: Sarah Alsmiller <[email protected]> Co-authored-by: sarahalsmiller <[email protected]> Co-authored-by: Dhia Ayachi <[email protected]> Co-authored-by: Michael Zalimeni <[email protected]> Co-authored-by: jm96441n <[email protected]> Co-authored-by: Aimee Ukasick <[email protected]> Co-authored-by: Blake Covarrubias <[email protected]>
- Loading branch information
1 parent
1648c89
commit 8f78d7c
Showing
10 changed files
with
220 additions
and
17 deletions.
There are no files selected for viewing
Submodule consul-k8s
added at
0d85bb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
1.21.0-dev | ||
1.21.0-dev |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
--- | ||
layout: docs | ||
page_title: Enable Consul DNS proxy for Kubernetes | ||
description: -> | ||
Learn how to schedule a Consul DNS proxy for a Kubernetes Pod so that your services can return Consul DNS results for service discovery. | ||
--- | ||
|
||
# Enable Consul DNS proxy for Kubernetes | ||
|
||
This page describes the process to deploy a Consul DNS proxy in a Kubernetes Pod so that Services can resolve Consul DNS requests. For more information, refer to [Consul DNS views for Kubernetes](/consul/docs/k8s/dns/views). | ||
|
||
## Prerequisites | ||
|
||
You must meet the following minimum application versions to enable the Consul DNS proxy for Kubernetes: | ||
|
||
- Consul v1.20.0 or higher | ||
- Either Consul on Kubernetes or the Consul Helm chart, v1.6.0 or higher | ||
|
||
## Update Helm values | ||
|
||
To enable the Consul DNS proxy, add the required [Helm values](/consul/docs/k8s/helm) to your Consul on Kubernetes deployment. | ||
|
||
```yaml | ||
connectInject: | ||
enabled: true | ||
dns: | ||
enabled: true | ||
proxy: true | ||
``` | ||
### ACLs | ||
We recommend you create a dedicated [ACL token with DNS permissions](/consul/docs/security/acl/tokens/create/create-a-dns-token) for the Consul DNS proxy. The Consul DNS proxy requires these ACL permissions. | ||
```hcl | ||
node_prefix "" { | ||
policy = "read" | ||
} | ||
|
||
service_prefix "" { | ||
policy = "read" | ||
} | ||
``` | ||
|
||
You can manage ACL tokens with Consul on Kubernetes, or you can configure the DNS proxy to access a token stored in Kubernetes secret. To use a Kubernetes secret, add the following configuration to your Helm chart. | ||
|
||
```yaml | ||
dns: | ||
proxy: | ||
aclToken: | ||
secretName: <Consul-DNS-Token> | ||
secretKey: <Token-Value> | ||
``` | ||
## Retrieve Consul DNS proxy's address | ||
To look up the IP address for the Consul DNS proxy in the Kubernetes Pod, run the following command. | ||
```shell-session | ||
$ kubectl get services –-all-namespaces --selector="app=consul,component=dns-proxy" --output jsonpath='{.spec.clusterIP}' | ||
10.96.148.46 | ||
``` | ||
|
||
Use this address when you update the ConfigMap resource. | ||
|
||
## Update Kubernetes ConfigMap | ||
|
||
Create or update a [ConfigMap object in the Kubernetes cluster](https://kubernetes.io/docs/concepts/configuration/configmap/) so that Kubernetes forwards DNS requests with the `.consul` domain to the IP address of the Consul DNS proxy. | ||
|
||
The following example of a `coredns-custom` ConfigMap configures Kubernetes to forward Consul DNS requests in the cluster to the Consul DNS Proxy running on `10.96.148.46`. This resource modifies the CoreDNS without modifications to the original `Corefile`. | ||
|
||
```yaml | ||
kind: ConfigMap | ||
metadata: | ||
name: coredns-custom | ||
namespace: kube-system | ||
data: | ||
consul.server: | | ||
consul:53 { | ||
errors | ||
cache 30 | ||
forward . 10.96.148.46 | ||
reload | ||
} | ||
``` | ||
After updating the DNS configuration, perform a rolling restart of the CoreDNS. | ||
```shell-session | ||
kubectl -n kube-system rollout restart deployment coredns | ||
``` | ||
|
||
For more information about using a `coredns-custom` resource, refer to the [Rewrite DNS guide in the Azure documentation](https://learn.microsoft.com/en-us/azure/aks/coredns-custom#rewrite-dns). For general information about modifying a ConfigMap, refer to [the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns). | ||
|
||
## Next steps | ||
|
||
After you enable the Consul DNS proxy, services in the Kubernetes cluster can resolve Consul DNS addresses. | ||
|
||
- To learn more about Consul DNS for service discovery, refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview). | ||
- If your datacenter has ACLs enabled, create a [Consul ACL token](/consul/docs/security/acl/tokens) for the Consul DNS proxy and then restart the DNS proxy. | ||
- To enable service discovery across admin partitions, [export services between partitions](/consul/docs/connect/config-entries/exported-services). | ||
- To use Consul DNS for service discovery with other runtimes, across cloud regions, or between cloud providers, [establish a cluster peering connection](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
--- | ||
layout: docs | ||
page_title: Consul DNS views for Kubernetes | ||
description: -> | ||
Kubernetes clusters can use the Consul DNS proxy to return service discovery results from the Consul catalog. Learn about how to configure your k8s cluster so that applications can resolve Consul DNS addresses without gossip communication. | ||
--- | ||
|
||
# Consul DNS views for Kubernetes | ||
|
||
This topic describes how to schedule a dedicated Consul DNS proxy in a Kubernetes Pod so that applications in Kubernetes can resolve Consul DNS addresses. You can use the Consul DNS proxy to enable service discovery across admin partitions in Kubernetes deployments without needing to deploy Consul client agents. | ||
|
||
## Introduction | ||
|
||
Kubernetes operators typically choose networking tools such as [kube-dns](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) or [CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/coredns/) for their service discovery operations, and choose to bypass Consul DNS entirely. These DNS options are often sufficient for service networking operations within a single Kubernetes cluster. | ||
|
||
Consul on Kubernetes supports [configuring Kubernetes to resolve Consul DNS](/consul/docs/k8s/dns). However, two common challenges result when you rely on these configurations: | ||
|
||
- Kubernetes requires Consul to use gossip communication with agents or dataplanes in order to enable Consul DNS. | ||
- Consul requires that admin partitions be included in the DNS address. Otherwise, DNS queries assume the `default` partition by default. | ||
|
||
The `consul-dns` proxy does not require the presence of Consul client agents or Consul dataplanes, removing gossip communication as a requirement for Consul DNS on Kubernetes. The proxy is also designed for deployment in a Kubernetes cluster with [external servers enabled](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes). When a cluster runs in a non-default admin partition and uses the proxy to query external servers, Consul automatically recognizes the admin partition that originated the request and returns service discovery results scoped to that specific admin partition. | ||
|
||
To use Consul DNS for service discovery on Kubernetes, deploy a `dns-proxy` service in each Kubernetes Pod that needs to resolve Consul DNS. Kubernetes sends all DNS requests to the Kubernetes controller first. The controller forwards requests for the `.consul` domain to the `dns-proxy` service, which then queries the Consul catalog and returns service discovery results. | ||
|
||
## Workflows | ||
|
||
The process to enable Consul DNS views for service discovery in Kubernetes deployments consists of the following steps: | ||
|
||
1. In a cluster configured to use [external Consul servers](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes), update the Helm values for your Consul on Kubernetes deployment so that `dns.proxy.enabled=true`. When you apply the updated configuration, Kubernetes deploys the Consul DNS proxy. | ||
1. Look up the IP address for the Consul DNS proxy in the Kubernetes cluster. | ||
1. Update the ConfigMap resource in the Kubernetes cluster so that it forwards requests for the `.consul` domain to the IP address of the Consul DNS proxy. | ||
|
||
For more information about the underlying concepts described in this workflow, refer to [DNS forwarding overview](/consul/docs/services/discovery/dns-forwarding). | ||
|
||
## Benefits | ||
|
||
Consul on Kubernetes currently uses [Consul dataplanes](/consul/docs/connect/dataplane) by default. These lightweight processes provide Consul access to the sidecar proxies in the service mesh, but leave Kubernetes in charge of most other service discovery and service mesh operations. | ||
|
||
- **Use Kubernetes DNS and Consul DNS in a single deployment**. The Consul DNS proxy enables any application in a Pod to resolve an address through Consul DNS without disrupting the underlying Kubernetes DNS functionality. | ||
- **Consul service discovery using fewer resources**. When you use the Consul DNS proxy for service discovery, you do not need to schedule Consul client agents or dataplanes as sidecars. One Kubernetes Service that uses the same resources as a single Consul dataplane provides Pods access to the Consul service catalog. | ||
- **Consul DNS without gossip communication**. The Consul DNS service runs on both Consul server and Consul client agents, which use [gossip communication](/consul/docs/security/encryption/gossip) to ensure that service discovery results are up-to-date. The Consul DNS proxy provides access to Consul DNS without the security overhead of agent-to-agent gossip. | ||
|
||
## Constraints and limitations | ||
|
||
If you experience issues using the Consul DNS proxy for Kubernetes, refer to the following list of technical constraints and limitations. | ||
|
||
- You must use Kubernetes as your runtime to use the Consul DNS proxy. You cannot schedule the Consul DNS proxy in other container-based environments. | ||
- To perform DNS lookups on other admin partitions, you must [export services between partitions](/consul/docs/connect/config-entries/exported-services) before you can query them. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.