Lowers the default nodelocaldns denial cache TTL

Similar to `--no-negcache` on dnsmasq, this prevents issues which poll DNS for orchestration such as operators with StatefulSets. It can also be very confusing for users when negative caching results in a change they just made seeming to be broken until the cache expires. This assumes that 5 seconds is reasonable and will still catch repeated AAAA negative responses. We could also set the denial cache size to zero which should effectively fully disable it like dnsmasq in kube-dns but testing shows this approach seems to work well in our (albeit small) test clusters.
pull/564/head
Blake 2019-02-13 13:23:53 -08:00
parent f7c4389b79
commit e51c9025ac
2 changed files with 8 additions and 1 deletions


@ -35,3 +35,7 @@ spec:
- Ingress
- Egress
```
### Negative caching
The `denial` cache TTL has been reduced to the minimum of 5 seconds [here](https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L37). In the unlikely event that this impacts performance, setting this TTL to a higher value make help alleviate issues, but be aware that operations that rely on DNS polling for orchestration may fail (for example operators with StatefulSets).
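Review bot: The added "Negative caching" paragraph has a typo: "setting this TTL to a higher value make help alleviate issues" should read "may help". The link in the same paragraph targets `blob/master/.../nodelocaldns.yaml#L37`, and a line anchor on a moving branch stops pointing at the `denial` line as soon as that file changes. Use a commit-pinned permalink, or refer to the `denial` setting in the `cache` block by name instead of by line number.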


@ -34,7 +34,10 @@ data:
Corefile: |
__PILLAR__DNS__DOMAIN__:53 {
errors
cache 30
cache {
success 10000 30
denial 10000 5
}
reload
loop
bind __PILLAR__LOCAL__DNS__
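Review bot: The new `success 10000 30` and `denial 10000 5` lines in the `__PILLAR__DNS__DOMAIN__:53` block are undocumented magic numbers, and nothing in the Corefile says which value is the capacity and which is the TTL in seconds, or why 5 was chosen. The README text added in this change tells operators they may need to raise the denial TTL, so add a short `#` comment above the `cache` block pointing at that rationale and naming the value to edit. Only this one server block is visible in the hunk; if the Corefile has other server blocks with their own `cache` line, state in the commit message whether they are intentionally left on the default denial TTL.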