Ceci Ivanov:
Hello, can anyone help me practice more of the DNS resolving for pods and services? I am confused about from which node or pod I can resolve (with nslookup) another pod/service.
Alistair Mackay:
You can do DNS lookups on anything in the cluster from anywhere in the cluster unless somebody put a network policy in the namespace you are doing the lookup from that blocks egress on port 53 (the DNS port), or blocks the IP of the coredns service.
You just need to create a test pod from an image that is known to include nslookup. Default busybox image I think does.
kubectl run test --image busybox -it --restart Never --command -- nslookup ...
Ceci Ivanov:
So by default, if there isn't a network policy, all DNS lookups are available?
For example, from one pod to another pod, even if they are on different nodes?
Alistair Mackay:
DNS is a database of name -> IP address, like a phone book.
All DNS lookups within the cluster are sent to the service associated with CoreDNS which is called kube-dns
kubectl get service -n kube-system kube-dns
nslookup contacts the ClusterIP of that service, so for a DNS resolution to work, no network policy must be blocking access to that IP or port 53.
So, if you are asked to troubleshoot a DNS resolution failure, then:
• Is CoreDNS running?
• Is its kube-dns service present?
• Are there any network policies preventing the pod that is making the lookup from reaching the kube-dns service on port 53?
• (Advanced) Does /etc/resolv.conf in the pod have the IP of the kube-dns service as a nameserver entry? This is highly unlikely to be the issue in a CKA question, as that's probably a very sick cluster if that's not right.
Ceci Ivanov:
great thank you