ingress-controller icon indicating copy to clipboard operation
ingress-controller copied to clipboard

Published 20 hours ago verified publisher icon pomerium

It is assumed that configured cluster domain is always "cluster.local"

Open adrianlzt opened this issue 2 years ago • 7 comments

What happened?

Under some circumstances, Pomerium could configure the destination endpoint with the format BACKEND.NAMESPACE.svc.cluster.local.

This is assuming the cluster domain is always cluster.local, that could be not the case. In Kubspray, for example, you can change that value with cluster_name.

What did you expect to happen?

cluster.local should be a parametrizable value, or, maybe, it could be removed.

If it is removed, BACKEND.NAMESPACE.svc will be tried to be resolved, appending the values in the search domains of the /etc/resolv.conf. But I am not sure if all k8s installs set the needed search values (at least it will need search DOMAIN, like search cluster.local).

The official doc shows an example of the possible /etc/resolv.conf configuration, but in the spec there is no reference about if some search values should be always be present.

I have checked in a Kubespray install and GKE cluster they are present.

Additional context

Related with PR https://github.com/pomerium/ingress-controller/pull/401

adrianlzt avatar Oct 23 '22 16:10 adrianlzt