Allow a service to resolve to a CNAME from DNS #13748
Comments
|
Implications:
|
|
This is a more likely integration scenario than #11838. @kubernetes/goog-cluster |
|
@thockin @bgrant0607 feelings on this? This is pretty important to us for external service integration - if we can agree it's useful I'd like to scope out the API so we can implement something. This enables two paths for external integration - when you need to manage the endpoints, and when you don't. It's strictly simpler to do CNAME integration than to load balance, and makes referencing external services much easier. |
|
Of course CNAMEs can't let a client verify against the aliased name, only the original, and TLSA doesn't do what I would want it to do. It would be best if a client could chase the CNAMEs, but I don't see that pattern in wide use anywhere. If hypothetically this was another In the load balancer case, the cluster signer can sign for the service (to attest that yes, the service oracle.mynamespace.svc.cluster.local refers to oracle-mydb.mycompany.com) and it could terminate TLS at the service endpoint. |
|
This feels like a new API: ServiceAlias or somesuch. |
bgrant0607
added
area/api
|
Is it different than a service? Can a ServiceAlias and a Service overlap On Wed, Sep 16, 2015 at 2:05 PM, Brian Grant notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift |
|
As a concrete reference, here's the design work we're doing on elements of
We want to have very lightweight service-like objects in order to |
|
@kubernetes/rh-cluster-infra @kubernetes/rh-networking |
ArtfulCoder
added
the
sig/network
|
cc @ggogolowicz |
|
@smarterclayton this got buried like so many other ideas. What's the On Mon, Nov 30, 2015 at 2:51 PM, Brian Grant notifications@github.com
|
|
@thockin we are still interested in finding a way to solve the underlying use case, where there is an off-cluster service that we want to manage and treat like an on-cluster service. This meshes with the service catalog/linking proposal (#17543), which I still need to find time to do another update pass to. I think one of the biggest hurdles is TLS hostname verification if we proceed with CNAMEs. |
|
And I have not had any clever ideas other than making it easy for the In practice, a lot of serious shops use ramp nodes or other intermediate So, hypothetically: Define a new service type / behavior "reference" I think the goal should be to allow that composition without enforcing it. On Dec 1, 2015, at 9:13 AM, Andy Goldstein notifications@github.com wrote: @thockin https://github.com/thockin we are still interested in finding a I think one of the biggest hurdles is TLS hostname verification if we — |
|
On one hand this is orthogonal to I think the import has to be entirely within the Service object, and not in the Endpoints object, otherwise the validation of Endpoints depends on values from Service (you can't have more than one CNAME value for name). Ideas:
|
|
I think having a direct CNAME option would be more desirable for cluster users that don;t have access to manage DNS configurations, possibly other use cases. However, I could see how this could get out of control with lots of CNAMES for resources that already exist in another DNS server anyways. I don't think that is what anyone would want. If all we're doing here is providing a way to access services in some DNS system that are outside the scope of skydns but already routable, then why not use the skydns api and add a DNS forwarder? Perhaps a yaml object to add a forwarder would be easier for folks in that case? curl -XPUT http://127.0.0.1:4001/v2/keys/skydns/config \ -d value='{"nameservers": ["xxx.xxx.xxx.xxx:53","xxx.xxx.xxx.xxx:53"]}' |
|
Well, the use case is specifically to create local indirection to make
the local application portable. A forwarder configuration is global,
not local, or in the control of the cluster admin, not the local code
that is running inside a namespace.
I tend to agree with Tim that additional names has little value above
and beyond the single name - and also that a service of this type
tends not to be another type at the same time. I an concerned that
imported service varies slightly from referential service if we need
to do something interesting to make TLS useful (my personal bias is
that solving tls referential here is critical).
|
|
TLS definitely makes this harder.
|
|
Do you agree it's important? The idea of services abstracting remote
endpoints is (in my head) paired with the ability to trust the remote
endpoint. The age of trusting the network as secure is over. If
services are the foundation of the next generation of apps, not
understanding how transport security becomes integral seems to leave a
large story unsolved.
|
|
I agree it is important for this use case, though there's a certain amount If you're importing, e.g., google.com - I'm not sure what to do with that. On Mon, Jan 18, 2016 at 8:46 PM, Clayton Coleman notifications@github.com
|
This is a proposal to address: kubernetes#13748.
Automatic merge from submit-queue Add proposal for service externalName This is a proposal to address: #13748. @smarterclayton @ncdc @thockin. Please check this out when you have time, hopefully this is okay :-D I created the proposal because was unsure if the feature would be able to go in if there isn't a proposal already merged, because of this mail to kubernetes-pm: https://groups.google.com/forum/#!topic/kubernetes-pm/Ki63EztfZMo. So, IIUC it would be nice to have the proposal merged ASAP (I think the interface looks ok for all, so hopefully this will be easy) so we can have this feature in 1.4 as you guys ( @smarterclayton @ncdc ) need.
This is a proposal to address: kubernetes#13748.
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. See original issue at kubernetes#13748 Feature tracking at kubernetes/enhancements#33
Automatic merge from submit-queue Add Service type "ExternalName" which results in CNAME DNS ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. First step for kubernetes/enhancements#33 See original issue at #13748 No release note yet, that will come with the kubedns change. ```release-note NONE ```
Automatic merge from submit-queue Add ExternalName kube-dns e2e test ExternalName allows kubedns to return CNAME records for external services. No proxying is involved. Built on top of and includes #30599 See original issue at #13748 Feature tracking at kubernetes/enhancements#33 The e2e test is at least as comprehensive as the one for headless services (namely, only to some degree) ```release-note Add ExternalName services as CNAME references to external ones ```
bgrant0607
added
sig/service-catalog
|
Can anyone please tell me which release is going to include this feature? |
|
This was in Kube 1.4. On Mon, Nov 21, 2016 at 1:17 PM, leslie-wang notifications@github.com
|
This is a proposal to address: kubernetes#13748.
Automatic merge from submit-queue Add proposal for service externalName This is a proposal to address: kubernetes#13748. @smarterclayton @ncdc @thockin. Please check this out when you have time, hopefully this is okay :-D I created the proposal because was unsure if the feature would be able to go in if there isn't a proposal already merged, because of this mail to kubernetes-pm: https://groups.google.com/forum/#!topic/kubernetes-pm/Ki63EztfZMo. So, IIUC it would be nice to have the proposal merged ASAP (I think the interface looks ok for all, so hopefully this will be easy) so we can have this feature in 1.4 as you guys ( @smarterclayton @ncdc ) need.
|
As this is not obvious from the thread, this is actually tracked here: |
As per original discussion in kubernetes/kubernetes#13748
A service that is represented by a real internet service is best resolved via DNS from internal name to external CNAME. This feels like a new service type, but the use case would be:
I have an external service "oracle" with dns name "oracle-1.testdev.mycompany.com". I don't want to have to keep DNS in sync. I don't want to create a different signing cert. I just want "oracle.mynamespace.svc.cluster.local" to CNAME resolve to "oracle-1.testdev.mycompany.com". I might want to resolve DNS periodically to the endpoints so I can load balance... but it's not a requirement.
The text was updated successfully, but these errors were encountered: