mirror of https://github.com/hashicorp/consul
docs: Consul DNS views on Kubernetes (#21802)
* Backport of ci: update the security-scanner gha token into release/1.20.x (#21754) backport of commitpull/21833/headeb9dbc93f8
Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> * Backport of Initialize 1.20 Release into release/1.20.x (#21753) * backport of commita33e903cdf
* backport of commit37163dc1a8
* backport of commit38f0907c7a
* backport of commit6ab7ec254b
* backport of commit7ac4178186
* backport of commit5dfebb2cf3
* backport of commit316d68cb84
--------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of Stage rc release into release/1.20.x (#21772) backport of commitd311f2b638
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> * Backport of Upgrade ubi image to 9.4 into release/1.20.x (#21773) * backport of commit888e302f6e
* backport of commit17499dc4dc
* backport of commitd933d3727d
--------- Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit4421ce1677
* Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of fix spacing of bash scripts into release/1.20.x (#21769) * backport of commit1e97297215
* backport of commitb7053f5361
* backport of commita391f2fa3c
--------- Co-authored-by: jm96441n <john.maguire@hashicorp.com> * Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x (#21783) backport of commitc3db6c9001
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * initial commit * Initial pages * Edits to other pages + nav & redirects * minor fixes * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit4421ce1677
* Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * CE-679 * align with main * Content updates * minor edit * Apply suggestions from code review Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * CoreDNS config update * small edits * typo fix --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: jm96441n <john.maguire@hashicorp.com> Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
parent
1648c890dd
commit
8f78d7cafd
@ -0,0 +1 @@
|
||||
Subproject commit 0d85bbc3131ce8be23c57e30b213ba6056623976
|
@ -1 +1 @@
|
||||
1.21.0-dev
|
||||
1.21.0-dev
|
@ -0,0 +1,48 @@
|
||||
---
|
||||
layout: docs
|
||||
page_title: Consul DNS views for Kubernetes
|
||||
description: ->
|
||||
Kubernetes clusters can use the Consul DNS proxy to return service discovery results from the Consul catalog. Learn about how to configure your k8s cluster so that applications can resolve Consul DNS addresses without gossip communication.
|
||||
---
|
||||
|
||||
# Consul DNS views for Kubernetes
|
||||
|
||||
This topic describes how to schedule a dedicated Consul DNS proxy in a Kubernetes Pod so that applications in Kubernetes can resolve Consul DNS addresses. You can use the Consul DNS proxy to enable service discovery across admin partitions in Kubernetes deployments without needing to deploy Consul client agents.
|
||||
|
||||
## Introduction
|
||||
|
||||
Kubernetes operators typically choose networking tools such as [kube-dns](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) or [CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/coredns/) for their service discovery operations, and choose to bypass Consul DNS entirely. These DNS options are often sufficient for service networking operations within a single Kubernetes cluster.
|
||||
|
||||
Consul on Kubernetes supports [configuring Kubernetes to resolve Consul DNS](/consul/docs/k8s/dns). However, two common challenges result when you rely on these configurations:
|
||||
|
||||
- Kubernetes requires Consul to use gossip communication with agents or dataplanes in order to enable Consul DNS.
|
||||
- Consul requires that admin partitions be included in the DNS address. Otherwise, DNS queries assume the `default` partition by default.
|
||||
|
||||
The `consul-dns` proxy does not require the presence of Consul client agents or Consul dataplanes, removing gossip communication as a requirement for Consul DNS on Kubernetes. The proxy is also designed for deployment in a Kubernetes cluster with [external servers enabled](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes). When a cluster runs in a non-default admin partition and uses the proxy to query external servers, Consul automatically recognizes the admin partition that originated the request and returns service discovery results scoped to that specific admin partition.
|
||||
|
||||
To use Consul DNS for service discovery on Kubernetes, deploy a `dns-proxy` service in each Kubernetes Pod that needs to resolve Consul DNS. Kubernetes sends all DNS requests to the Kubernetes controller first. The controller forwards requests for the `.consul` domain to the `dns-proxy` service, which then queries the Consul catalog and returns service discovery results.
|
||||
|
||||
## Workflows
|
||||
|
||||
The process to enable Consul DNS views for service discovery in Kubernetes deployments consists of the following steps:
|
||||
|
||||
1. In a cluster configured to use [external Consul servers](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes), update the Helm values for your Consul on Kubernetes deployment so that `dns.proxy.enabled=true`. When you apply the updated configuration, Kubernetes deploys the Consul DNS proxy.
|
||||
1. Look up the IP address for the Consul DNS proxy in the Kubernetes cluster.
|
||||
1. Update the ConfigMap resource in the Kubernetes cluster so that it forwards requests for the `.consul` domain to the IP address of the Consul DNS proxy.
|
||||
|
||||
For more information about the underlying concepts described in this workflow, refer to [DNS forwarding overview](/consul/docs/services/discovery/dns-forwarding).
|
||||
|
||||
## Benefits
|
||||
|
||||
Consul on Kubernetes currently uses [Consul dataplanes](/consul/docs/connect/dataplane) by default. These lightweight processes provide Consul access to the sidecar proxies in the service mesh, but leave Kubernetes in charge of most other service discovery and service mesh operations.
|
||||
|
||||
- **Use Kubernetes DNS and Consul DNS in a single deployment**. The Consul DNS proxy enables any application in a Pod to resolve an address through Consul DNS without disrupting the underlying Kubernetes DNS functionality.
|
||||
- **Consul service discovery using fewer resources**. When you use the Consul DNS proxy for service discovery, you do not need to schedule Consul client agents or dataplanes as sidecars. One Kubernetes Service that uses the same resources as a single Consul dataplane provides Pods access to the Consul service catalog.
|
||||
- **Consul DNS without gossip communication**. The Consul DNS service runs on both Consul server and Consul client agents, which use [gossip communication](/consul/docs/security/encryption/gossip) to ensure that service discovery results are up-to-date. The Consul DNS proxy provides access to Consul DNS without the security overhead of agent-to-agent gossip.
|
||||
|
||||
## Constraints and limitations
|
||||
|
||||
If you experience issues using the Consul DNS proxy for Kubernetes, refer to the following list of technical constraints and limitations.
|
||||
|
||||
- You must use Kubernetes as your runtime to use the Consul DNS proxy. You cannot schedule the Consul DNS proxy in other container-based environments.
|
||||
- To perform DNS lookups on other admin partitions, you must [export services between partitions](/consul/docs/connect/config-entries/exported-services) before you can query them.
|
Loading…
Reference in new issue