As we have mentioned in our previous posts, Beat's architecture consists of multiple islands, each of which contains a separate Kubernetes cluster. Recently we took the decision to allow services from different clusters to discover each other. Since we were already using Istio, we decided to leverage Istio's multi cluster capability.

After preparing our setup and testing it with some of our home grown tools, we tried to switch one of our lower traffic services to Istio's multi cluster discovery. Not long after enabling it, we got reports from some of our fellow engineers that there were issues with it. Occasionally, services in one cluster were failing to resolve services in a different cluster. The DNS resolution errors were not consistent, and they only affected endpoints that belong to a different cluster.

Multi Cluster Istio

Before jumping into our case, it might be useful to give some background on Istio's multi cluster architecture. Istio's multi cluster implementation relies heavily on DNS; a high level overview is given in one of Istio's own articles. Istio implements its own DNS proxy in order to serve cross cluster endpoints that are not known to the local cluster resolvers. All DNS requests from each pod are intercepted and served by Istio; if Istio doesn't have the answer, it forwards the query to the cluster's main resolvers, gets the answer and replies to the client.

But how does Istio redirect DNS traffic destined for the local resolvers found in '/etc/nf' to its own proxy? Istio's init container sets up several iptables rules. Among those, three specific rules in the OUTPUT chain of the NAT table are the ones that matter here:

RETURN udp - anywhere anywhere udp dpt:domain owner UID match 1337
RETURN udp - anywhere anywhere udp dpt:domain owner GID match 1337
REDIRECT udp - anywhere 169.254.20.10 udp dpt:domain redir ports 15053

The third rule redirects all UDP DNS traffic destined for the local resolver (169.254.20.10) to localhost on port 15053, where, as mentioned earlier, the Istio proxy's DNS listener runs. The only exception to this rule is DNS packets whose owner user or group ID is Istio's user (UID/GID 1337, rules #1 and #2). Because iptables takes the first matching rule, those packets RETURN from the chain before the REDIRECT is reached, so the proxy's own upstream queries go to the real resolver instead of looping back into the proxy.
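To make the first-match behaviour of the three NAT OUTPUT rules above concrete, here is a small simulator: it parses a constructed `iptables -t nat -L OUTPUT` style listing of exactly those three rules and reports where an outgoing DNS packet from a given UID/GID ends up. This is an added example, not Beat's or Istio's code; the listing, the packet tuples and the assumption that no other rule sits between the three are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed listing in the format of `iptables -t nat -L OUTPUT`, reproducing
# the three rules quoted in the post in the order the text describes
# (owner RETURNs first, REDIRECT last). Assumption: no other rule in between.
ISTIO_DNS_RULES = """\
RETURN     udp  --  anywhere             anywhere             udp dpt:domain owner UID match 1337
RETURN     udp  --  anywhere             anywhere             udp dpt:domain owner GID match 1337
REDIRECT   udp  --  anywhere             169.254.20.10        udp dpt:domain redir ports 15053
"""

SERVICE_PORTS = {"domain": 53}  # iptables prints well-known ports by name


@dataclass
class Rule:
    target: str
    proto: str
    dst: str                      # "anywhere" or a single IP
    dport: int
    uid: Optional[int] = None     # owner UID match, if present
    gid: Optional[int] = None     # owner GID match, if present
    redir_port: Optional[int] = None


@dataclass
class Packet:
    uid: int
    gid: int
    dst: str
    dport: int
    proto: str = "udp"


_LINE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_rules(listing: str) -> list[Rule]:
    """Parse `target proto opt source destination extra` lines into Rules."""
    rules = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip headers and blank lines
        target, proto, _src, dst, extra = m.groups()
        dport_s = re.search(r"dpt:(\S+)", extra).group(1)
        dport = SERVICE_PORTS.get(dport_s) or int(dport_s)
        uid = re.search(r"owner UID match (\d+)", extra)
        gid = re.search(r"owner GID match (\d+)", extra)
        redir = re.search(r"redir ports (\d+)", extra)
        rules.append(Rule(target, proto, dst, dport,
                          int(uid.group(1)) if uid else None,
                          int(gid.group(1)) if gid else None,
                          int(redir.group(1)) if redir else None))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.dport == pkt.dport
            and rule.dst in ("anywhere", pkt.dst)
            and (rule.uid is None or rule.uid == pkt.uid)
            and (rule.gid is None or rule.gid == pkt.gid))


def deliver_to(rules: list[Rule], pkt: Packet) -> tuple[str, int]:
    """Walk the chain top to bottom; the first matching rule decides.
    RETURN leaves the destination untouched. REDIRECT in the OUTPUT chain
    rewrites locally generated packets to 127.0.0.1:<redir port>.
    No match falls through to the chain policy and keeps the destination."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "RETURN":
            return (pkt.dst, pkt.dport)
        if rule.target == "REDIRECT":
            return ("127.0.0.1", rule.redir_port)
        raise ValueError(f"unhandled target {rule.target}")
    return (pkt.dst, pkt.dport)


if __name__ == "__main__":
    rules = parse_rules(ISTIO_DNS_RULES)
    app = Packet(uid=1000, gid=1000, dst="169.254.20.10", dport=53)
    proxy = Packet(uid=1337, gid=1337, dst="169.254.20.10", dport=53)
    print("app query   ->", deliver_to(rules, app))    # ('127.0.0.1', 15053)
    print("proxy query ->", deliver_to(rules, proxy))  # ('169.254.20.10', 53)
```

Feed it a listing with the REDIRECT moved above the two owner RETURNs and the proxy's own query (UID 1337) is rewritten to 127.0.0.1:15053 as well, which is exactly the loop the ordering of the real rules prevents. A query from an application UID to a resolver other than 169.254.20.10 matches none of the three rules and is left alone.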