跳至主要內容

Kubernetes 的 DNS & CoreDNS:容器化环境中的服务发现机制

老马啸西风2025/8/31大约 7 分钟LoadBalanceload-balance

在容器化和Kubernetes主导的云原生时代,服务发现机制发生了根本性的变化。Kubernetes通过内置的DNS服务和CoreDNS组件,为容器化应用提供了强大而灵活的服务发现能力。本文将深入探讨Kubernetes中的DNS机制、CoreDNS的工作原理以及在实际应用中的配置和优化。

Kubernetes DNS概述

Kubernetes DNS是Kubernetes集群中的一项核心服务,它为集群内的Pod和服务提供域名解析服务。通过DNS,应用可以使用易于记忆的服务名称而不是复杂的IP地址来访问其他服务。

DNS在Kubernetes中的作用

1. 服务发现

Kubernetes DNS使得Pod可以通过服务名称发现和访问其他服务,而无需硬编码IP地址。

2. 负载均衡

DNS解析会返回服务背后所有健康Pod的IP地址,客户端可以通过轮询等方式实现负载均衡。

3. 服务抽象

应用只需要知道服务名称,而不需要关心服务的具体实现和部署位置。

4. 环境隔离

不同命名空间中的服务可以通过DNS名称进行隔离和访问控制。

DNS域名结构

Kubernetes中的DNS域名遵循特定的结构:

<service-name>.<namespace>.svc.<cluster-domain>

例如:

  • my-service.my-namespace.svc.cluster.local
  • database.default.svc.cluster.local

其中:

  • service-name:服务名称
  • namespace:命名空间名称
  • svc:服务类型标识
  • cluster-domain:集群域名,默认为cluster.local

CoreDNS详解

CoreDNS是Kubernetes 1.13版本之后默认的DNS服务器,它是一个灵活、可扩展的DNS服务器,使用Go语言编写。

CoreDNS架构

CoreDNS采用插件化的架构设计,通过配置不同的插件来实现各种DNS功能:

# Corefile示例
.:53 {
    errors
    health {
        lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    }
    prometheus :9153
    forward . /etc/resolv.conf {
        max_concurrent 1000
    }
    cache 30
    loop
    reload
    loadbalance
}

核心插件

1. kubernetes插件

kubernetes插件是CoreDNS与Kubernetes API集成的核心组件,负责从Kubernetes中获取服务和Pod信息:

kubernetes cluster.local in-addr.arpa ip6.arpa {
    pods verified
    endpoint_pod_names
    upstream
    fallthrough in-addr.arpa ip6.arpa
}

主要功能:

  • 监听Kubernetes API中的Service和Endpoint变化
  • 为服务生成DNS记录
  • 支持Pod级别的DNS记录(当启用pods选项时)

2. forward插件

forward插件用于将无法在本地解析的DNS查询转发到上游DNS服务器:

forward . /etc/resolv.conf {
    max_concurrent 1000
    expire 90s
}

3. cache插件

cache插件提供DNS查询结果的缓存功能,提高解析性能:

cache 30 {
    success 9984 30
    denial 9984 5
}

4. health插件

health插件提供CoreDNS健康检查端点:

health {
    lameduck 5s
}

CoreDNS配置详解

1. 基本配置

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }

2. 自定义域名解析

.:53 {
    # 标准Kubernetes配置
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    # 自定义域名解析
    hosts {
        192.168.1.100 external-service.example.com
        10.0.0.1 internal-api.corp.local
        fallthrough
    }
    
    # 转发其他查询
    forward . /etc/resolv.conf
    cache 30
}

3. 多集群DNS配置

.:53 {
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    # 跨集群服务发现
    kubernetes east-cluster.local in-addr.arpa ip6.arpa {
        endpoint https://east-cluster-api:6443
        tls /etc/coredns/east-cluster.crt /etc/coredns/east-cluster.key /etc/coredns/east-cluster-ca.crt
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    kubernetes west-cluster.local in-addr.arpa ip6.arpa {
        endpoint https://west-cluster-api:6443
        tls /etc/coredns/west-cluster.crt /etc/coredns/west-cluster.key /etc/coredns/west-cluster-ca.crt
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    forward . /etc/resolv.conf
    cache 30
}

服务发现实现机制

Service DNS记录生成

Kubernetes会为每个Service自动生成以下DNS记录:

1. A记录

# 为ClusterIP服务生成A记录
my-service.my-namespace.svc.cluster.local. 30 IN A 10.96.0.10

# 为Headless服务生成A记录(指向所有Pod IP)
my-headless-service.my-namespace.svc.cluster.local. 30 IN A 10.244.1.10
my-headless-service.my-namespace.svc.cluster.local. 30 IN A 10.244.2.15

2. SRV记录

# 为命名端口生成SRV记录
_my-port-name._tcp.my-service.my-namespace.svc.cluster.local. 30 IN SRV 0 50 8080 my-service.my-namespace.svc.cluster.local.

3. PTR记录

# 为Pod IP生成反向解析记录
10.244.1.10.in-addr.arpa. 30 IN PTR my-pod-1.my-service.my-namespace.svc.cluster.local.

Pod DNS记录

当启用Pod DNS记录时,CoreDNS会为每个Pod生成DNS记录:

# Pod DNS记录格式
<pod-ip-with-dashes>.<namespace>.pod.cluster.local

# 示例
10-244-1-10.my-namespace.pod.cluster.local. 30 IN A 10.244.1.10

自定义DNS配置

1. Pod级别DNS配置

apiVersion: v1
kind: Pod
metadata:
  name: custom-dns-pod
spec:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - 1.2.3.4
    searches:
      - ns1.svc.cluster.local
      - my.dns.search.suffix
    options:
      - name: ndots
        value: "2"
      - name: edns0

2. Service级别DNS注解

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376

CoreDNS性能优化

缓存优化

1. 调整缓存大小和TTL

cache 300 {
    success 9984 300
    denial 9984 30
    prefetch 10 10m 10%
}

2. 预取机制

cache 30 {
    prefetch 10 5m 20%
}

并发处理优化

1. 限制并发查询

forward . /etc/resolv.conf {
    max_concurrent 1000
    health_check 5s
}

2. 连接池优化

forward . /etc/resolv.conf {
    max_fails 3
    expire 90s
    policy sequential
}

资源限制优化

1. CPU和内存限制

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: coredns
        resources:
          limits:
            cpu: 100m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 128Mi

2. 自动扩缩容

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: coredns
  namespace: kube-system
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: coredns
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70

监控与故障排除

CoreDNS监控指标

1. Prometheus指标

CoreDNS内置了Prometheus指标端点,可以监控以下关键指标:

# DNS查询统计
coredns_dns_requests_total
coredns_dns_responses_total

# 查询延迟
coredns_dns_request_duration_seconds

# 缓存命中率
coredns_cache_hits_total
coredns_cache_misses_total

# 转发统计
coredns_forward_requests_total
coredns_forward_responses_total

2. Grafana仪表板

{
  "dashboard": {
    "title": "CoreDNS Dashboard",
    "panels": [
      {
        "title": "DNS Query Rate",
        "type": "graph",
        "targets": [
          {
            "expr": "rate(coredns_dns_requests_total[5m])",
            "legendFormat": "{{server}} {{zone}} {{type}}"
          }
        ]
      },
      {
        "title": "DNS Response Time",
        "type": "graph",
        "targets": [
          {
            "expr": "histogram_quantile(0.99, rate(coredns_dns_request_duration_seconds_bucket[5m]))",
            "legendFormat": "{{server}} 99th percentile"
          }
        ]
      }
    ]
  }
}

常见故障排除

1. DNS解析失败

# 检查CoreDNS Pod状态
kubectl get pods -n kube-system -l k8s-app=kube-dns

# 检查CoreDNS日志
kubectl logs -n kube-system -l k8s-app=kube-dns

# 在Pod中测试DNS解析
kubectl exec -it <pod-name> -- nslookup kubernetes.default

2. DNS解析缓慢

# 检查CoreDNS配置
kubectl get configmap coredns -n kube-system -o yaml

# 检查节点DNS配置
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'

# 测试外部DNS解析
kubectl exec -it <pod-name> -- nslookup google.com

3. 缓存问题

# 清除DNS缓存
kubectl delete pod -n kube-system -l k8s-app=kube-dns

# 调整缓存配置
kubectl edit configmap coredns -n kube-system

高级功能与扩展

自定义插件开发

1. 插件结构

package myplugin

import (
    "context"
    "github.com/coredns/coredns/plugin"
    "github.com/miekg/dns"
)

type MyPlugin struct {
    Next plugin.Handler
}

func (m MyPlugin) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
    // 实现自定义DNS处理逻辑
    // ...
    
    return plugin.NextOrFailure(m.Name(), m.Next, ctx, w, r)
}

func (m MyPlugin) Name() string { return "myplugin" }

2. 插件配置

.:53 {
    myplugin {
        option1 value1
        option2 value2
    }
    kubernetes cluster.local in-addr.arpa ip6.arpa
    forward . /etc/resolv.conf
    cache 30
}

多集群服务发现

1. 联邦DNS配置

.:53 {
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    # 东区集群
    kubernetes east.cluster.local in-addr.arpa ip6.arpa {
        endpoint https://east-cluster-api:6443
        tls /etc/coredns/east.crt /etc/coredns/east.key /etc/coredns/ca.crt
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    # 西区集群
    kubernetes west.cluster.local in-addr.arpa ip6.arpa {
        endpoint https://west-cluster-api:6443
        tls /etc/coredns/west.crt /etc/coredns/west.key /etc/coredns/ca.crt
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    
    forward . /etc/resolv.conf
    cache 30
}

2. 服务网格集成

.:53 {
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods verified
        endpoint_pod_names
        upstream
        fallthrough in-addr.arpa ip6.arpa
    }
    
    # Istio服务发现
    istio {
        endpoint https://istiod.istio-system.svc:15012
        tls /etc/coredns/istio.crt /etc/coredns/istio.key /etc/coredns/istio-ca.crt
    }
    
    forward . /etc/resolv.conf
    cache 30
}

最佳实践

1. 安全配置

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods verified
            upstream
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . /etc/resolv.conf {
            max_concurrent 1000
            expire 90s
        }
        cache 30 {
            success 9984 30
            denial 9984 5
            prefetch 10 1m 10%
        }
        loop
        reload
        loadbalance
    }

2. 高可用部署

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: k8s-app
                  operator: In
                  values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      containers:
      - name: coredns
        image: k8s.gcr.io/coredns:1.8.0
        resources:
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi

3. 监控告警

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: coredns
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kube-dns
  endpoints:
  - port: metrics
    interval: 30s
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: coredns-rules
  namespace: kube-system
spec:
  groups:
  - name: coredns.rules
    rules:
    - alert: CoreDNSDown
      expr: up{job="coredns"} == 0
      for: 5m
      labels:
        severity: page
      annotations:
        summary: "CoreDNS down"
        description: "CoreDNS has disappeared from Prometheus target discovery."

总结

Kubernetes DNS和CoreDNS为容器化环境提供了强大而灵活的服务发现机制。通过理解其工作原理、配置选项和优化策略,可以构建高性能、高可用的云原生应用架构。

CoreDNS的插件化架构使其具有很好的扩展性,可以满足各种复杂的DNS需求。在实际应用中,需要根据具体的业务场景和性能要求来调整配置,并建立完善的监控和告警机制,确保DNS服务的稳定运行。

随着云原生技术的不断发展,Kubernetes DNS和CoreDNS也在持续演进,未来将提供更多高级功能和更好的性能表现,为构建复杂的分布式系统提供更好的支撑。

我是老马,期待与你的下次重逢
Copyright © 2025 老马啸西风