consul/website/content/docs/k8s/dns/views/enable.mdx


docs: Consul DNS views on Kubernetes (#21802) * Backport of ci: update the security-scanner gha token into release/1.20.x (#21754) backport of commit eb9dbc93f88e8b87d60ed55101a577e49e9299e4 Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> * Backport of Initialize 1.20 Release into release/1.20.x (#21753) * backport of commit a33e903cdf367c9be90b61464aee97fdd4294fd9 * backport of commit 37163dc1a81abb4ba88c18c204ccca5ee61dae5d * backport of commit 38f0907c7a9f4851080bdec3bb182f1b9e5bed1e * backport of commit 6ab7ec254b51e6f5012688f8fff3d36a33e8ee57 * backport of commit 7ac4178186a22d1e11cdf0ef69c00a658a6484d0 * backport of commit 5dfebb2cf3a46d3c8a96881b5ab77bd0ff23f5c0 * backport of commit 316d68cb847193f184d3a54fc103996151d1d68a --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of Stage rc release into release/1.20.x (#21772) backport of commit d311f2b63836e1cae1b342f6b0fc07ff69e93f6c Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> * Backport of Upgrade ubi image to 9.4 into release/1.20.x (#21773) * backport of commit 888e302f6e87f27d0c8a0c6facfd6c3a6c8033c5 * backport of commit 17499dc4dcca4aa6f67b3f95bd24b433cd32556b * backport of commit d933d3727d1ddf4566d0ee7612e3a64029034314 --------- Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1677605ae118f741f4251fce65faa8ff87 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of fix spacing of bash scripts into release/1.20.x (#21769) * backport of commit 
1e97297215f985e153dd4e92c4444acebbfce0db * backport of commit b7053f53617fec902a7bf07ebb3b8077334a5cdb * backport of commit a391f2fa3ce1eb250e5c10546cc1459b5649e587 --------- Co-authored-by: jm96441n <john.maguire@hashicorp.com> * Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x (#21783) backport of commit c3db6c90013eaa3f4a03d2d06ffea2eb9df3698f Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * initial commit * Initial pages * Edits to other pages + nav & redirects * minor fixes * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1677605ae118f741f4251fce65faa8ff87 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * CE-679 * align with main * Content updates * minor edit * Apply suggestions from code review Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * CoreDNS config update * small edits * typo fix --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: jm96441n <john.maguire@hashicorp.com> Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2024-10-14 19:38:23 +00:00
---
layout: docs
page_title: Enable Consul DNS proxy for Kubernetes
description: >-
  Learn how to schedule a Consul DNS proxy for a Kubernetes Pod so that your services can return Consul DNS results for service discovery.
---
# Enable Consul DNS proxy for Kubernetes
This page describes the process to deploy a Consul DNS proxy in a Kubernetes Pod so that Services can resolve Consul DNS requests. For more information, refer to [Consul DNS views for Kubernetes](/consul/docs/k8s/dns/views).
## Prerequisites
You must meet the following minimum application versions to enable the Consul DNS proxy for Kubernetes:
- Consul v1.20.0 or higher
- Either Consul on Kubernetes or the Consul Helm chart, v1.6.0 or higher
## Update Helm values
To enable the Consul DNS proxy, add the required [Helm values](/consul/docs/k8s/helm) to your Consul on Kubernetes deployment.
```yaml
connectInject:
  enabled: true
dns:
  enabled: true
  # dns.proxy is a map; the aclToken settings shown later nest under it
  proxy:
    enabled: true
```
### ACLs
We recommend you create a dedicated [ACL token with DNS permissions](/consul/docs/security/acl/tokens/create/create-a-dns-token) for the Consul DNS proxy. The Consul DNS proxy requires these ACL permissions.
```hcl
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
```
You can manage ACL tokens with Consul on Kubernetes, or you can configure the DNS proxy to access a token stored in a Kubernetes secret. To use a Kubernetes secret, add the following configuration to your Helm chart.
```yaml
dns:
  proxy:
    aclToken:
      secretName: <Consul-DNS-Token>
      secretKey: <Token-Value>
```
## Retrieve Consul DNS proxy's address
To look up the IP address for the Consul DNS proxy in the Kubernetes Pod, run the following command.
```shell-session
$ kubectl get services --all-namespaces --selector="app=consul,component=dns-proxy" --output jsonpath='{.items[0].spec.clusterIP}'
10.96.148.46
```
Use this address when you update the ConfigMap resource.
## Update Kubernetes ConfigMap
Create or update a [ConfigMap object in the Kubernetes cluster](https://kubernetes.io/docs/concepts/configuration/configmap/) so that Kubernetes forwards DNS requests with the `.consul` domain to the IP address of the Consul DNS proxy.
The following example of a `coredns-custom` ConfigMap configures Kubernetes to forward Consul DNS requests in the cluster to the Consul DNS proxy running on `10.96.148.46`. This resource changes the CoreDNS configuration without modifying the original `Corefile`.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  # Server block that handles only the consul zone
  consul.server: |
    consul:53 {
        errors
        cache 30
        forward . 10.96.148.46
        reload
    }
```
After updating the DNS configuration, perform a rolling restart of CoreDNS.
```shell-session
$ kubectl -n kube-system rollout restart deployment coredns
```
For more information about using a `coredns-custom` resource, refer to the [Rewrite DNS guide in the Azure documentation](https://learn.microsoft.com/en-us/azure/aks/coredns-custom#rewrite-dns). For general information about modifying a ConfigMap, refer to [the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns).
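
The forward target in the ConfigMap is a literal ClusterIP, so it goes stale if the DNS proxy Service is recreated, and `.consul` lookups then fail or go to whatever now holds that address. The following drift check is an added example, not part of the Consul documentation; the function names `forward_targets` and `check_forward` are hypothetical and the sample block is constructed from the ConfigMap on this page.

```shell
#!/bin/sh
# Added example: detect drift between the CoreDNS forward target and the
# Consul DNS proxy ClusterIP. Function names are hypothetical.

# forward_targets: read a CoreDNS server block on stdin and print every
# upstream listed on its "forward" lines, one per line.
forward_targets() {
  awk '$1 == "forward" { for (i = 3; i <= NF; i++) if ($i != "{") print $i }'
}

# check_forward EXPECTED_IP: return 0 only if every upstream in the block on
# stdin is EXPECTED_IP (optionally with :53), 1 if any other upstream is
# present, and 2 if the block has no forward directive at all.
check_forward() {
  expected=$1
  targets=$(forward_targets)
  if [ -z "$targets" ]; then
    echo "no forward directive found" >&2
    return 2
  fi
  bad=0
  for t in $targets; do
    case $t in
      "$expected"|"$expected:53") ;;
      *) echo "unexpected upstream: $t" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample: the consul.server block from the ConfigMap on this page.
SAMPLE_BLOCK='consul:53 {
    errors
    cache 30
    forward . 10.96.148.46
    reload
}'

# Against a live cluster (not run here):
#   ip=$(kubectl get services --all-namespaces \
#        --selector="app=consul,component=dns-proxy" \
#        --output jsonpath='{.items[0].spec.clusterIP}')
#   kubectl -n kube-system get configmap coredns-custom \
#        --output jsonpath='{.data.consul\.server}' | check_forward "$ip"
```

A non-zero exit means the ConfigMap needs the current ClusterIP and CoreDNS needs another rolling restart.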
## Next steps
After you enable the Consul DNS proxy, services in the Kubernetes cluster can resolve Consul DNS addresses.
- To learn more about Consul DNS for service discovery, refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview).
- If your datacenter has ACLs enabled, create a [Consul ACL token](/consul/docs/security/acl/tokens) for the Consul DNS proxy and then restart the DNS proxy.
- To enable service discovery across admin partitions, [export services between partitions](/consul/docs/connect/config-entries/exported-services).
- To use Consul DNS for service discovery with other runtimes, across cloud regions, or between cloud providers, [establish a cluster peering connection](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering).