在私有子网中运行时 AWS EKS 上的 DNS 问题 [英] DNS problem on AWS EKS when running in private subnets

问题描述

我在 VPC 中设置了 EKS 集群.工作节点在私有子网中启动.我可以成功部署 Pod 和服务.

I have an EKS cluster setup in a VPC. The worker nodes are launched in private subnets. I can successfully deploy pods and services.

但是，我无法从 Pod 内执行 DNS 解析.(它在容器外的工作节点上运行良好.)

However, I'm not able to perform DNS resolution from within the pods. (It works fine on the worker nodes, outside the container.)

使用 https://kubernetes.io/docs/tasks 进行故障排除/administer-cluster/dns-debugging-resolution/ 从 nslookup 得到以下结果(一分钟左右超时):

Troubleshooting using https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/ results in the following from nslookup (timeout after a minute or so):

服务器:172.20.0.10地址一:172.20.0.10

Server: 172.20.0.10 Address 1: 172.20.0.10

nslookup:无法解析 'kubernetes.default'

nslookup: can't resolve 'kubernetes.default'

当我在全公共 VPC 中启动集群时，我没有这个问题.我是否遗漏了私有子网中 DNS 解析的任何必要步骤?

When I launch the cluster in an all-public VPC, I don't have this problem. Am I missing any necessary steps for DNS resolution from within a private subnet?

非常感谢，丹尼尔

推荐答案

我觉得我必须给出一个正确的答案，因为这个问题是我连续 10 个小时调试的答案.正如@Daniel 在他的评论中所说，我发现的问题是我的 ACL 阻止了 UDP 端口 53 上的出站流量，显然 kubernetes 使用它来解析 DNS 记录.

I feel like I have to give this a proper answer because coming upon this question was the answer to 10 straight hours of debugging for me. As @Daniel said in his comment, the issue I found was with my ACL blocking outbound traffic on UDP port 53 which apparently kubernetes uses to resolve DNS records.

这个过程让我特别困惑，因为我的一个 pod 实际上一直在工作，因为(我认为?)它恰好与 kubernetes DNS 解析器位于同一区域.

The process was especially confusing for me because one of my pods worked actually worked the entire time since (I think?) it happened to be in the same zone as the kubernetes DNS resolver.

这篇关于在私有子网中运行时 AWS EKS 上的 DNS 问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！