-
-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: 1.1.1.1 shouldn't be there for Kubernetes sidecar #1523
Comments
This appears to be a dupe of #1443 ? |
Im not sure, because the old server IS in fact being kept. 1.1.1.1 just gets appended… |
Im assuming that is intended behavior, hence this request to give a complete dns=off toggle. |
Any workaround guide for the time being? I need my pods to communicate with an internal Redis cluster and I don't want to expose it to the internet (not to mention the added latency and cost). |
you can override the default DNS by specifying a value for the I managed to solve it like this for the time being |
So I have confirmed through testing that adding:
... this container is STILL injecting 1.1.1.1 into resolv.conf and breaking cluster.local resolution.
There needs to be an option to fully switch this off as per the bug report. This should be, ideally, handled by configuring the upstream in CoreDNS to 1.1.1.1 or setting the DHCP DNS servers to 1.1.1.1, not being forcibly injected by the container. This feature is nice for people who don't have those preferred options, but it should not be the default behaviour. UPDATE:Not sure why but deleting the chart I was using and readding only the two lines below managed to work around the 1.1.1.1 injection, however the need to turn this off entirely is still there.
|
Can you guys try image |
Using |
The code (both old and newer) re-writes the
If we leave the default DNS as it is originally in the container, this will effectively leak out traffic since traffic to the local Docker network is allowed by default. So it's definitely not a good choice to NOT modify the DNS as default behavior. Now say an option is added to leave
|
I never said to change the default, however for kubernetes users NEED to be able to keep the kubernetes DNS as default as kubernetes networking HEAVILY(!!!) relies on DNS for internal communication. This means that adding your container as a sidecart, breaks any internal kubernetes communication by default, making it unusable without workaround (workarounds which require the user to know their Kubernets internal DNS IP, which is also not a given).
Internal kube DNS, where users point kubernetes to forward internet DNS queries is their choice
More okey than a sidecart breaking half of our 800 helm charts by breaking internal kubernetes networking, yes.
K8S requires an upstream DNS server as well. It's the users choice how they configure a local DNS server.
As explained above, a LOT of applications ignore the secondary DNS server. You seem to misunderstand the problem:
|
Worthwhile note: |
Indeed, the documentation was wrong
(Cloudflare is just the DNS provider, it's changeable, I use it for this example)
In my view, 3 is still better than 2, and by far better than 1. 4 being obviously the best choice privacy wise. And by default, it is 4 that gets configured, not 3, so Anyway, the |
THanks, that should work fine :) |
Closed due to being fixed in e556871 |
Awesome 👍 If you ever think of a solution to tunnel DNS traffic whilst not breaking Kubernetes DNS-sing (side node, it also currently breaks resolution of container names in simple bridged Docker networks), please create another issue 😉 Also my apologies for the long delay resolving this. |
@qdm12 in #1443 you stated the following and then asked that we continue the conversation here.
Sorry for the delayed response, but that sounds good to me. To tie this into the previous discussion regarding the 4 options for handling DNS queries, I prefer to have DNS handled by my VPN provider as I'm paying them to keep my traffic private and that is their sole business. While I have no reason to suspect Cloudflare would do anything to compromise my privacy, I have no contract with them and I have doubts they could be held accountable for any privacy issues since their DNS service doesn't require us to accept terms of use, an end user agreement, etc. |
Is this urgent?
Yes
Host OS
Kubernetes, Mixed
CPU arch
None
VPN service provider
AirVPN
What are you using to run the container
Kubernetes
What is the version of Gluetun
Latest
What's the problem 🤔
With kubernetes it's vital to be able to fully resolve internal cluster DNS.
However with both:
It still stupidly adds 1.1.1.1, where the docs state it will "keep your current server".
While it in theory keeps the server, users don't expect the first (primary!) server to be turned into a public DNS server.
That's not expected and causes issues, as a lot of application rely on only the first(!) server in the resolve file, which is set to 1.1.1.1 completely bricking internal cluster resolve on some kubernetes clusters.
While this can be manually adapted against by altering the DNS server, this is not a flexible and expectable setup.
If this is expected behavior (which is still weird), can we at least have something as simple as:
DNS: off
So we can just not have Gluetun try to fuck with DNS settings at all.
This should also be relatively easy to add, as it's just a general toggle.
Share your logs
Share your configuration
No response
The text was updated successfully, but these errors were encountered: