2
votes

How can I prevent kube-dns from forwarding requests to Google's name servers (8.8.8.8:53 and 8.8.4.4:53)? I just want to launch pods only for internal use, which means containers in pods are not supposed to connect to the outside at all. When a Zookeeper client connects to a Zookeeper server using a hostname (e.g. zkCli.sh -server zk-1.zk-headless), it takes 10 seconds for the client to change its state from [Connecting] to [Connected]. The reason I suspect kube-dns is that, with the pod's IP address, the client gets connected instantly. When I took a look at the log of kube-dns, I found the following two lines:

07:25:35:170773       1 logs.go:41] skydns: failure to forward request "read udp 10.244.0.13:43455->8.8.8.8:53: i/o timeout"
07:25:39:172847       1 logs.go:41] skydns: failure to forward request "read udp 10.244.0.13:42388->8.8.8.8:53: i/o timeout"

It was around 07:25:30 when the client started to connect to the server.

I'm running Kubernetes on a private cluster where internal servers are communicating to internet via http_proxy/https_proxy, which means I cannot connect to 8.8.8.8 for name resolution, AFAIK.

I found the following at https://github.com/skynetservices/skydns:

  • The default value of an environment variable named SKYDNS_NAMESERVERS is "8.8.8.8:53,8.8.4.4:53"
  • I could achieve my purpose by setting no_rec to true

I've been initiating Kubernetes using kubeadm and I couldn't find a way to modify the environment variable or set the property value of skydns.

How can I prevent kube-dns from forwarding requests to the outside of an internal Kubernetes cluster which is deployed by kubeadm?

1
Can you post the output of kubectl get deploy --namespace=kube-system kube-dns -o yaml ? It's either configured with the -nameserver flag or the SKYDNS_NAMESERVERS environment variable. - Janos Lenart

I can find neither the -nameserver flag nor the SKYDNS_NAMESERVERS env from kube get deployments. - eastcirclek

It seems like the following is used to create a kube-dns container:

    - args:
      - --domain=cluster.local
      - --dns-port=10053
      - --config-map=kube-dns
      - --v=2
      env:
      - name: PROMETHEUS_PORT
        value: "10055"
      image: gcr.io/google_containers/kubedns-amd64:1.9
      imagePullPolicy: IfNotPresent

- eastcirclek

There's no ConfigMap object called kube-dns, and the kube-dns container says in its log that it cannot find a ConfigMap named kube-system:kube-dns, with the following log message: dns.go:190] Error getting initial ConfigMap: configmaps "kube-dns" not found, starting with default values. - eastcirclek

Did this issue get resolved? I am facing the same issue. - Himaprasoon

1 Answer

1
votes

I don't think there is an option to completely prevent the kube-dns addon from forwarding requests. There certainly isn't an option directly in kubeadm for that.

Your best bet is to edit the kube-dns Deployment (e.g. kubectl edit -n kube-system deploy kube-dns) yourself after kubeadm has started the cluster and change things to work for you.

You may want to try changing the upstream nameserver to something other than 8.8.8.8 that is accessible by the cluster. You should be able to do that by adding --nameservers=x.x.x.x to the args for the kubedns container.
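One way to make that args change repeatable instead of editing by hand, as an added example that is not code from the question, the answer or the kube-dns project: the script below builds a JSON patch for kubectl patch that sets a single --nameservers flag on the kubedns container, replacing any existing one rather than duplicating it. It assumes the container is named kubedns with the args quoted in the comments above, that the Deployment can hold several containers (so the container is located by name), and that an internal resolver is reachable at 10.0.0.53 (a constructed placeholder; substitute your own).

```python
import json
from typing import List

UPSTREAM = "10.0.0.53"  # constructed placeholder: an internal resolver the cluster can reach

# Container spec as quoted in the question's comments (kubeadm's kube-dns addon).
KUBEDNS_CONTAINER = {
    "name": "kubedns",  # assumed container name
    "image": "gcr.io/google_containers/kubedns-amd64:1.9",
    "args": ["--domain=cluster.local", "--dns-port=10053", "--config-map=kube-dns", "--v=2"],
}

# Minimal stand-in for `kubectl get deploy -n kube-system kube-dns -o json` (constructed).
KUBE_DNS_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [KUBEDNS_CONTAINER]}}}}


def set_nameservers(args: List[str], upstream: str) -> List[str]:
    """Return args with exactly one --nameservers flag pointing at `upstream`.

    Any existing --nameservers flag is dropped first, so re-running the patch
    after an earlier edit does not leave two conflicting flags behind.
    """
    kept = [a for a in args if not a.startswith("--nameservers=")]
    return kept + ["--nameservers=" + upstream]


def json_patch(deployment: dict, upstream: str, container_name: str = "kubedns") -> List[dict]:
    """Build an RFC 6902 patch for `kubectl patch --type=json`.

    The named container is located by its index in the pod template, and its
    whole args list is replaced so the other flags keep their order.
    """
    containers = deployment["spec"]["template"]["spec"]["containers"]
    for idx, c in enumerate(containers):
        if c.get("name") == container_name:
            path = "/spec/template/spec/containers/%d/args" % idx
            return [{"op": "replace", "path": path,
                     "value": set_nameservers(c.get("args", []), upstream)}]
    raise ValueError("container %r not found in deployment" % container_name)


if __name__ == "__main__":
    # Feed the output to:
    #   kubectl patch -n kube-system deploy kube-dns --type=json -p "$(python3 this_script.py)"
    print(json.dumps(json_patch(KUBE_DNS_DEPLOYMENT, UPSTREAM)))
```

Against a live cluster, replace KUBE_DNS_DEPLOYMENT with the parsed output of kubectl get deploy -n kube-system kube-dns -o json so the container index matches the real pod template.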