Set up DNS Proxy
DNS Proxy is a feature that provides the following capabilities:
- Propagating DNS entries of Services across clusters in a multi-cluster setup.
- Populating DNS entries for ServiceEntry.
Kubernetes provides DNS resolution only for Services in the local cluster. When you need name resolution for Services in remote clusters, or want to use an internal-only hostname with a ServiceEntry without running an additional internal-only DNS server, DNS Proxy resolves those names for you.
Configuring DNS Proxy
Cluster wide configuration
To configure DNS proxy for the whole cluster, add the ISTIO_META_DNS_CAPTURE proxy metadata to the ConfigMap that holds the MeshConfig. The name of the ConfigMap has the format istio-<revision_name>. For details about revisions, refer to the overview of the revision.
```yaml
apiVersion: v1
data:
  mesh: |-
    ...
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
    ...
kind: ConfigMap
metadata:
  name: istio-<revision_name>
  namespace: istio-system
```
Per-proxy configuration
To configure DNS proxy for a single proxy, add the ISTIO_META_DNS_CAPTURE proxy metadata through the proxy.istio.io/config annotation on the workload as follows:
```yaml
kind: Deployment
metadata:
  name: app1
  namespace: ns1
spec:
  ...
  template:
    metadata:
      annotations:
        proxy.istio.io/config: |
          proxyMetadata:
            ISTIO_META_DNS_CAPTURE: "true"
  ...
```
Verifying
Name resolution for Service across clusters
After the multi-cluster setup, deploy a Service in only one of the clusters to verify the cross-cluster name resolution.
When you have the following example Service ns1/svc1, you can find its ClusterIP in the Service object.
```bash
$ kubectl get -n ns1 svc svc1 -o yaml
kind: Service
metadata:
  name: svc1
  namespace: ns1
spec:
  ...
  clusterIP: 210.200.1.1
  ...
```
Then, when using curl from the other cluster against the Service, it should show the ClusterIP as follows:
```bash
$ curl -sS -v svc1.ns1.svc.cluster.local
* Trying 210.200.1.1:80...
```
Name resolution for ServiceEntry
Add a ServiceEntry with a hostname that is not registered in your DNS. To verify the name resolution, the following example uses the explicit address 192.168.123.123.
```bash
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: test-service-entry
spec:
  addresses:
  - "192.168.123.123"
  hosts:
  - not-existing-hostname.internal
  ports:
  - name: http
    number: 80
    protocol: HTTP
EOF
```
Then, try DNS resolution in a Pod where DNS Proxy is enabled. For example, if you run curl in the Pod, it should display the IP address as follows:
```bash
$ curl -sS -v not-existing-hostname.internal
* Trying 192.168.123.123:80...
```
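As an added illustration (not Istio's code), the following Python models the local answer table the DNS proxy builds from the Service and ServiceEntry objects used in both verification steps above, and how a Pod's query is resolved against it with the search-list expansion Kubernetes Pods use. The object shapes, the headless Service and the address-less ServiceEntry are constructed assumptions for the example.

```python
# Constructed sample objects, shaped like a subset of `kubectl get ... -o json`:
# the Service deployed in the remote cluster and the ServiceEntry applied above.
SERVICES = [
    {"metadata": {"name": "svc1", "namespace": "ns1"},
     "spec": {"clusterIP": "210.200.1.1"}},
    {"metadata": {"name": "headless", "namespace": "ns1"},
     "spec": {"clusterIP": "None"}},
]
SERVICE_ENTRIES = [
    {"metadata": {"name": "test-service-entry", "namespace": "default"},
     "spec": {"hosts": ["not-existing-hostname.internal"],
              "addresses": ["192.168.123.123"]}},
    {"metadata": {"name": "no-address", "namespace": "default"},
     "spec": {"hosts": ["upstream-only.internal"]}},
]
CLUSTER_DOMAIN = "cluster.local"


def build_table(services, service_entries, cluster_domain=CLUSTER_DOMAIN):
    """Build the proxy's local answer table: FQDN -> list of addresses."""
    table = {}
    for svc in services:
        name = svc["metadata"]["name"]
        ns = svc["metadata"]["namespace"]
        ip = svc["spec"].get("clusterIP")
        if ip and ip != "None":  # headless Services have no ClusterIP to answer with
            table[f"{name}.{ns}.svc.{cluster_domain}"] = [ip]
    for se in service_entries:
        addrs = se["spec"].get("addresses", [])
        if not addrs:  # no explicit address: the query is forwarded upstream instead
            continue
        for host in se["spec"]["hosts"]:
            table.setdefault(host, []).extend(addrs)
    return table


def resolve(table, query, pod_namespace, cluster_domain=CLUSTER_DOMAIN):
    """Answer a query the way a Pod in pod_namespace sees it: apply the
    Kubernetes search list (ndots:5 semantics) and return the addresses, or
    None when the name is not in the local table (forwarded upstream)."""
    q = query.rstrip(".")
    search = [f"{pod_namespace}.svc.{cluster_domain}",
              f"svc.{cluster_domain}", cluster_domain]
    expanded = [f"{q}.{s}" for s in search]
    candidates = expanded + [q] if q.count(".") < 5 else [q] + expanded
    for name in candidates:
        if name in table:
            return list(table[name])
    return None
```

A query for the bare name svc1 only succeeds from a Pod in ns1, because the search list prepends that Pod's own namespace; from any other namespace the FQDN form is required.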