4th chunk of `content/en/docs/tasks/administer-cluster/dns-debugging-resolution.md`
```
2022-03-18T07:12:15.699431183Z [INFO] 10.96.144.227:52299 - 3686 "A IN serverproxy.contoso.net.cluster.local. udp 52 false 512" SERVFAIL qr,aa,rd 145 0.000091221s
```

First, get the current ClusterRole of `system:coredns`:

```shell
kubectl describe clusterrole system:coredns -n kube-system
```

Expected output:
```
PolicyRule:
  Resources                        Non-Resource URLs  Resource Names  Verbs
  ---------                        -----------------  --------------  -----
  endpoints                        []                 []              [list watch]
  namespaces                       []                 []              [list watch]
  pods                             []                 []              [list watch]
  services                         []                 []              [list watch]
  endpointslices.discovery.k8s.io  []                 []              [list watch]
```

If any permissions are missing, edit the ClusterRole to add them:

```shell
kubectl edit clusterrole system:coredns -n kube-system
```

Example insertion of EndpointSlices permissions:
```
...
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
...
```
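
An added example, not part of the Kubernetes documentation: one way to compare the ClusterRole against the expected table above, fed with the output of `kubectl get clusterrole system:coredns -o json`. The function names and the sample role are constructed for illustration; the check also reports grants beyond the expected set, which goes one step past the page's missing-permission check.

```python
import json

# Permissions the page lists as expected for system:coredns: (apiGroup, resource).
REQUIRED = {
    ("", "endpoints"), ("", "namespaces"), ("", "pods"), ("", "services"),
    ("discovery.k8s.io", "endpointslices"),
}
REQUIRED_VERBS = {"list", "watch"}


def granted(role):
    """Expand a ClusterRole's rules into a set of (apiGroup, resource, verb)."""
    out = set()
    for rule in role.get("rules") or []:
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, res, verb))
    return out


def _covers(grants, group, res, verb):
    """True if any grant matches, treating "*" as a wildcard in each field."""
    return any(g in (group, "*") and r in (res, "*") and v in (verb, "*")
               for g, r, v in grants)


def audit(role):
    """Return (missing, extra) relative to the expected CoreDNS permissions."""
    grants = granted(role)
    wanted = {(g, r, v) for g, r in REQUIRED for v in REQUIRED_VERBS}
    missing = sorted(w for w in wanted if not _covers(grants, *w))
    extra = sorted(grants - wanted)  # grants beyond the table: review them
    return missing, extra


# Constructed sample: a role without the EndpointSlices rule, plus one extra grant.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "system:coredns"},
 "rules": [
  {"apiGroups": [""], "resources": ["endpoints", "services", "pods", "namespaces"],
   "verbs": ["list", "watch"]},
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}
 ]}
""")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `missing` list means the role matches the expected table; anything in `extra` is a grant the table does not call for.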

### Are you in the right namespace for the service?

DNS queries that don't specify a namespace are limited to the pod's 
namespace. 

If the namespace of the pod and service differ, the DNS query must include 
the namespace of the service.

This query is limited to the pod's namespace:
```shell
kubectl exec -i -t dnsutils -- nslookup <service-name>
```

This query specifies the namespace:
```shell
kubectl exec -i -t dnsutils -- nslookup <service-name>.<namespace>
```

To learn more about name resolution, see 
[DNS for Services and Pods](/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names). 

## Known issues

Some Linux distributions (e.g. Ubuntu) use a local DNS resolver by default (systemd-resolved).
Systemd-resolved moves and replaces `/etc/resolv.conf` with a stub file that can cause a fatal forwarding
loop when resolving names in upstream servers. This can be fixed manually by using kubelet's `--resolv-conf` flag
to point to the correct `resolv.conf` (with `systemd-resolved`, this is `/run/systemd/resolve/resolv.conf`).
kubeadm automatically detects `systemd-resolved` and adjusts the kubelet flags accordingly.

Kubernetes installs do not configure the nodes' `resolv.conf` files to use the
cluster DNS by default, because that process is inherently distribution-specific.
This should probably be implemented eventually.

Linux's libc (a.k.a. glibc) limits the DNS `nameserver` records to 3 by
default, and Kubernetes needs to consume 1 `nameserver` record. This means that
if a local installation already uses 3 `nameserver`s, some of those entries will
be lost. To work around this limit, the node can run `dnsmasq`, which will
provide more `nameserver` entries. You can also use kubelet's `--resolv-conf`
flag.

If you are using Alpine version 3.17 or earlier as your base image, DNS may not
work properly due to a design issue with Alpine.
Until musl version 1.24, the DNS stub resolver did not include TCP fallback, meaning any DNS call above 512 bytes would fail.
Please upgrade your images to Alpine version 3.18 or above.

## {{% heading "whatsnext" %}}

- See [Autoscaling the DNS Service in a Cluster](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
- Read [DNS for Services and Pods](/docs/concepts/services-networking/dns-pod-service/).


Title: Troubleshooting Namespace Issues, Known DNS Problems, and Further Reading
Summary
This section focuses on ensuring DNS queries specify the correct namespace, especially when pods and services reside in different namespaces. It highlights common issues like local DNS resolvers (systemd-resolved) causing forwarding loops, glibc's nameserver limit, and DNS problems in older Alpine versions. Finally, it directs readers to resources about autoscaling the DNS service and understanding DNS for Services and Pods.