Kubernetes 集群内没有解析外部 DNS 请求

No external DNS requests are being resolved inside Kubernetes cluster

在我的 pods 中,我无法访问外部主机。在我的例子中,这将是 https://login.microsoftonline.com.

我一直在关注 https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/ 上的调试 DNS 问题部分,但缺乏关于 Kubernetes 的知识阻碍了我应用给出的说明。

进行本地查找工作正常:

microk8s kubectl exec -i -t dnsutils -- nslookup kubernetes.default
Server:         10.152.183.10
Address:        10.152.183.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.152.183.1

但是,尝试访问任何外部域都失败了:

microk8s kubectl exec -i -t dnsutils -- nslookup whosebug.com
Server:         10.152.183.10
Address:        10.152.183.10#53

** server can't find whosebug.com.internal-domain.com: SERVFAIL

command terminated with exit code 1

已知问题部分包含以下段落:

Some Linux distributions (e.g. Ubuntu) use a local DNS resolver by default (systemd-resolved). Systemd-resolved moves and replaces /etc/resolv.conf with a stub file that can cause a fatal forwarding loop when resolving names in upstream servers. This can be fixed manually by using kubelet's --resolv-conf flag to point to the correct resolv.conf (With systemd-resolved, this is /run/systemd/resolve/resolv.conf). kubeadm automatically detects systemd-resolved, and adjusts the kubelet flags accordingly.

鉴于 microk8s 实例在 Ubuntu 上 运行,这可能值得研究,但我不知道在哪里以及如何应用那个 --resolv-conf 标志。

我很感谢任何关于如何追踪这个问题的提示,因为 DNS 包括 nslookup、traceroute 等在主机系统上运行完美。

更新/etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search internal-domain.com

那是 dnsutils pod 中的 /etc/resolv.conf:

search default.svc.cluster.local svc.cluster.local cluster.local internal-domain.com
nameserver 10.152.183.10
options ndots:5

配置映射:

 Corefile: |
    .:53 {
        errors
        health {
          lameduck 5s
        }
        ready
        log . {
          class error
        }
        kubernetes cluster.local in-addr.arpa ip6.arpa {
          pods insecure
          fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . 8.8.8.8 8.8.4.4
        cache 30
        loop
        reload
        loadbalance
    }

最后我想不通,这种行为的原因是什么,所以我对节点进行了完全重置:

microk8s reset
sudo snap remove microk8s
sudo snap install microk8s --classic --channel=1.19

接下来是配置机密等的其余说明

向前改变。 8.8.8.8 8.8.4.4 转发。 /etc/resolv.conf