DNS Policies for Pods in Kubernetes

Introduction

In Kubernetes, each pod can have it’s own configuration for DNS resolution which can be controlled by dnsPolicy configuration in the Pod Specifications.

These DNS Policies decides which DNS servers will be used for DNS resolution happening from inside the pod. In the post, we will try to understand different DNS policies supported by Kubernetes.

You can check the DNS configuration in any Pod or Node by inspecting the /etc/resolv.conf file.

dnsPolicy configuration in Pod Spec

Here is an example showing the dnsPolicy configuration in a sample Pod manifest.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  dnsPolicy: ClusterFirst 
  dnsConfig: 
    nameservers:
      - 10.1.0.2
      - 8.8.8.8

In the above sample code, we are setting up the dnsPolicy to ClusterFirst and also updating the nameservers via the dnsConfig parameter.

DNS policies supported in Kubernetes

Let’s have a look at different types of DNS policies supported in Kubernetes.

Default

• The Pod inherits the DNS configuration from the node on which it is running.
• It will be using the DNS configuration defined in the /etc/resolv.conf file of the underlying Node where the pod is running.
• Here is a sample pod manifest to set the dnsPolicy to Default.
• When this Policy is set, the /etc/resolv.conf in Pods are same as /etc/resolv.conf in the Node where pod is running.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  dnsPolicy: Default 

Default is not the default DNS policy. If dnsPolicy is not explicitly specified, then ClusterFirst is used.

ClusterFirst

• It is the default DNS policy if dnsPolicy is not explicitly specified.
• It uses the DNS servers provided by the Kubernetes cluster (such as CoreDNS) and all the internal DNS queries (specified by the --cluster-domain) are replied by the CoreDNS.
• Any DNS query which does not match the cluster domain, will be redirected to the upstream DNS servers specified in the CoreDNS configuration.
• When this policy is set, the kubelet configures the cluster’s DNS Service IP in the pod’s /etc/resolv.conf.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  dnsPolicy: ClusterFirst 

ClusterFirstWithHostNet

• For Pods running with hostNetwork (hostNetwork: true in pod spec), its DNS policy must be set to ClusterFirstWithHostNet to apply the DNS behavior of ClusterFirst.
• Otherwise, Pods running with hostNetwork and ClusterFirst will fallback to the behavior of the Default policy.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true
  containers:
  - name: nginx
    image: nginx
  dnsPolicy: ClusterFirstWithHostNet

None

• This dnsPolicy ignores all the DNS settings from the Kubernetes environment.
• With this dnsPolicy, all DNS configurations are supposed to be provided using the dnsConfig field in the Pod Spec.
• To know what all is supported by pod’s dnsConfig parameter, you can check here.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  dnsPolicy: None
  dnsConfig:
    nameservers:
      - 8.8.8.8
      - 1.1.1.1
    searches:
      - internal-domain.com
    options:
      - name: ndots
        value: "2"

References

• Pod’s DNS Policy
• Pod’s DNS Config