Bug 1673026 - Kubernetes ExternalName Services that point to in-cluster resources broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-06 13:42 UTC by Ben Browning
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:42:31 UTC
Target Upstream Version:
Embargoed:
Links
Github: https://github.com/openshift/coredns/pull/6 (last updated 2020-05-06 08:47:03 UTC)
Red Hat Product Errata: RHBA-2019:0758 (last updated 2019-06-04 10:43:52 UTC)

Description Ben Browning 2019-02-06 13:42:44 UTC
Description of problem:

No Kubernetes ExternalName Services can be resolved via DNS when they point to in-cluster resources.

An example of the kind of ExternalName Service that this breaks:

apiVersion: v1
kind: Service
metadata:
  name: external-internal
spec:
  externalName: image-registry.openshift-image-registry.svc.cluster.local
  type: ExternalName


This is an upstream bug in CoreDNS, which OpenShift moved to in 4.0.

Upstream bug report - https://github.com/coredns/coredns/issues/2038

Upstream fix - https://github.com/coredns/coredns/pull/2040

Pull request to move us to a newer version of CoreDNS with this fix in our openshift/coredns fork - https://github.com/openshift/coredns/pull/6


Version-Release number of selected component (if applicable):

Anything in 4.0



How reproducible:

This can be reproduced every time.


Steps to Reproduce:

# Create two ExternalName services - one pointing to a domain
# inside the cluster and one pointing outside the cluster
cat <<EOF | oc apply -f -
---
apiVersion: v1
kind: Service
metadata:
  name: external-internal
spec:
  externalName: image-registry.openshift-image-registry.svc.cluster.local
  type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
  name: external-external
spec:
  externalName: redhat.com
  type: ExternalName
EOF

# Start a busybox pod so we can test DNS resolution
oc run busybox -it --rm=true --restart=Never --image=busybox

# From inside the running pod, try pinging a few addresses

# PASS: resolve the ExternalName service that points to an external domain
ping -c 1 external-external | grep PING
PING external-external (209.132.183.105): 56 data bytes

# FAIL: resolve the ExternalName service that points to an internal domain
ping -c 1 external-internal | grep PING
ping: bad address 'external-internal'

# PASS: resolve the internal domain that the external-internal service points to
ping -c 1 image-registry.openshift-image-registry.svc.cluster.local | grep PING
PING image-registry.openshift-image-registry.svc.cluster.local (172.30.3.178): 56 data bytes


Actual results:

The external-internal domain cannot resolve. That is the ExternalName service that points to an in-cluster resource.


Expected results:

The external-internal domain should resolve. I've verified that when running a newer CoreDNS inside OpenShift 4 (built from the openshift/coredns PR linked above), it does resolve.

Comment 2 Hongan Li 2019-02-19 03:24:20 UTC
Verified with 4.0.0-0.nightly-2019-02-17-024922; the issue has been fixed.

$ oc exec dns-default-64v7s -c dns -- coredns -version
CoreDNS-1.3.1
linux/amd64, go1.10.8, 

$ oc rsh centos-pod 
sh-4.2$ 
sh-4.2$ nslookup external-external
Server:		172.30.0.10
Address:	172.30.0.10#53

external-external.hongli.svc.cluster.local	canonical name = redhat.com.
Name:	redhat.com
Address: 209.132.183.105

sh-4.2$ 
sh-4.2$ nslookup external-internal
Server:		172.30.0.10
Address:	172.30.0.10#53

external-internal.hongli.svc.cluster.local	canonical name = image-registry.openshift-image-registry.svc.cluster.local.
Name:	image-registry.openshift-image-registry.svc.cluster.local
Address: 172.30.174.31
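As an added, stand-alone check (not part of the bug report or of the openshift/coredns project), the following Python script turns the manual verification above into something a cluster health check can run: it parses nslookup output in the format shown in Comment 2 and confirms that an ExternalName Service answers with a CNAME to its configured externalName and that the CNAME target actually resolved to an address. The healthy samples are the outputs from Comment 2; the two failing samples are constructed for illustration (the page does not show which form the broken resolver returned). The run_nslookup helper assumes a pod with nslookup available (busybox has it) and is not used by the offline samples.

```python
"""Verify ExternalName Service resolution from nslookup output (added example)."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "external-internal.ns.svc.cluster.local  canonical name = target.cluster.local."
CNAME_RE = re.compile(r"^(?P<name>\S+)\s+canonical name = (?P<target>\S+)$")
# "Address: 172.30.174.31" (answer); the resolver line "Address: 172.30.0.10#53" has a '#' and is skipped
ADDR_RE = re.compile(r"^Address:\s*(?P<addr>[0-9a-fA-F.:]+)$")


@dataclass
class LookupResult:
    query: str
    cnames: List[Tuple[str, str]] = field(default_factory=list)  # (name, target) in chain order
    addresses: List[str] = field(default_factory=list)
    error: Optional[str] = None


def parse_nslookup(query: str, output: str) -> LookupResult:
    """Extract the CNAME chain, answer addresses and any resolver error from nslookup text."""
    result = LookupResult(query=query)
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Server:") or line.startswith("Name:"):
            continue
        if line.startswith("**") or "NXDOMAIN" in line:
            result.error = line
            continue
        m = CNAME_RE.match(line)
        if m:
            result.cnames.append((m.group("name").rstrip("."), m.group("target").rstrip(".")))
            continue
        m = ADDR_RE.match(line)
        if m:
            result.addresses.append(m.group("addr"))
    return result


def check_externalname(query: str, external_name: str, output: str) -> Tuple[bool, str]:
    """True only if the Service name CNAMEs to external_name AND that target resolved to an address."""
    r = parse_nslookup(query, output)
    if r.error:
        return False, f"resolver error: {r.error}"
    if not r.cnames:
        return False, "no CNAME in answer; is this really an ExternalName Service?"
    targets = [t for _, t in r.cnames]
    want = external_name.rstrip(".")
    if want not in targets:
        return False, f"CNAME chain {targets} does not include {want}"
    if not r.addresses:
        # This is the ExternalName failure mode: the CNAME is handed back but never followed.
        return False, f"CNAME to {want} returned but target has no address"
    return True, f"{query} -> {' -> '.join(targets)} -> {r.addresses}"


def run_nslookup(pod: str, name: str) -> str:
    """Run nslookup inside a pod via `oc exec` (assumes the pod image ships nslookup, e.g. busybox)."""
    proc = subprocess.run(["oc", "exec", pod, "--", "nslookup", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


# Samples taken from Comment 2 above (healthy cluster, CoreDNS 1.3.1).
HEALTHY_EXTERNAL = """Server:\t\t172.30.0.10
Address:\t172.30.0.10#53

external-external.hongli.svc.cluster.local\tcanonical name = redhat.com.
Name:\tredhat.com
Address: 209.132.183.105
"""
HEALTHY_INTERNAL = """Server:\t\t172.30.0.10
Address:\t172.30.0.10#53

external-internal.hongli.svc.cluster.local\tcanonical name = image-registry.openshift-image-registry.svc.cluster.local.
Name:\timage-registry.openshift-image-registry.svc.cluster.local
Address: 172.30.174.31
"""
# Constructed failure samples (not captured from the bug): a plain NXDOMAIN, and a CNAME that is not followed.
BROKEN_NXDOMAIN = "Server:\t\t172.30.0.10\nAddress:\t172.30.0.10#53\n\n** server can't find external-internal: NXDOMAIN\n"
BROKEN_CNAME_ONLY = ("Server:\t\t172.30.0.10\nAddress:\t172.30.0.10#53\n\n"
                     "external-internal.hongli.svc.cluster.local\tcanonical name = "
                     "image-registry.openshift-image-registry.svc.cluster.local.\n")

REGISTRY = "image-registry.openshift-image-registry.svc.cluster.local"

if __name__ == "__main__":
    for label, out in [("healthy", HEALTHY_INTERNAL), ("nxdomain", BROKEN_NXDOMAIN), ("cname-only", BROKEN_CNAME_ONLY)]:
        ok, msg = check_externalname("external-internal", REGISTRY, out)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {msg}")
```

Against a live cluster, replace the embedded samples with `run_nslookup("busybox", "external-internal")`; a FAIL with "target has no address" after a CoreDNS upgrade is the signal to re-check the version with `coredns -version` as in Comment 2.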

Comment 5 errata-xmlrpc 2019-06-04 10:42:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758