Set up DNS Proxy
DNS Proxy is a feature that provides the following capabilities:
- Propagating DNS entries of Services across clusters in a multi-cluster setup.
- Populating DNS entries for ServiceEntry.
Kubernetes provides DNS resolution only for Services in the local cluster.
When you need name resolution for Services in remote clusters, or want to use
an internal-only hostname through a ServiceEntry without running an additional
internal-only DNS server, DNS Proxy provides a way to resolve DNS names for
such cases.
Configuring DNS Proxy
Cluster wide configuration
To configure DNS proxy for the whole cluster, add the ISTIO_META_DNS_CAPTURE
proxy metadata to the MeshConfig ConfigMap. The ConfigMap is named
istio-<revision_name>; for details on revisions, refer to the revision overview.
apiVersion: v1
data:
  mesh: |-
    ...
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
    ...
kind: ConfigMap
metadata:
  name: istio-<revision_name>
  namespace: istio-system
Per-proxy configuration
To configure DNS proxy for an individual workload, add the ISTIO_META_DNS_CAPTURE
proxy metadata through the proxy.istio.io/config annotation on the pod template,
as follows:
kind: Deployment
metadata:
  name: app1
  namespace: ns1
spec:
  ...
  template:
    metadata:
      annotations:
        proxy.istio.io/config: |
          proxyMetadata:
            ISTIO_META_DNS_CAPTURE: "true"
  ...
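Both settings above can be audited from the command line. The script below is an added example, not code from this page or from the Istio project: it parses the proxyMetadata block out of either the MeshConfig document or the proxy.istio.io/config annotation, and the live checks assume kubectl access and that the revision, namespace and pod names you pass exist.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Istio project): find out
# whether DNS proxy (ISTIO_META_DNS_CAPTURE) is enabled, mesh-wide or for one
# pod. Revision, namespace and pod names given to the live checks are assumptions.
set -eu

# Print the value of KEY from the first proxyMetadata: block in the YAML text
# read on stdin, with surrounding double quotes removed. Handles the two
# layouts shown above (the MeshConfig 'mesh' document and the
# proxy.istio.io/config annotation). Indentation-based and deliberately
# minimal: it is not a general YAML parser.
proxy_metadata_value() {
  awk -v key="$1" '
    /^[[:space:]]*proxyMetadata:/ {
      match($0, /^[[:space:]]*/); base = RLENGTH; in_meta = 1; next
    }
    in_meta {
      match($0, /^[[:space:]]*/)
      # a non-blank line at or above the block indentation ends the block
      if (RLENGTH <= base && $0 !~ /^[[:space:]]*$/) { in_meta = 0; next }
      if ($1 == (key ":")) { v = $2; gsub(/"/, "", v); print v; exit }
    }'
}

# Return 0 when the YAML text in $1 sets ISTIO_META_DNS_CAPTURE to "true".
dns_capture_enabled() {
  [ "$(printf '%s\n' "$1" | proxy_metadata_value ISTIO_META_DNS_CAPTURE)" = "true" ]
}

# Live check of the cluster-wide setting. The ConfigMap is named
# istio-<revision>, or plain "istio" for the default revision.
# usage: mesh_dns_capture_enabled [revision]
mesh_dns_capture_enabled() {
  local rev="${1:-}"
  local cm="istio${rev:+-$rev}"
  dns_capture_enabled "$(kubectl -n istio-system get configmap "$cm" \
      -o jsonpath='{.data.mesh}')"
}

# Live check of the per-proxy annotation as it landed on a running pod.
# usage: pod_dns_capture_enabled <namespace> <pod>
pod_dns_capture_enabled() {
  dns_capture_enabled "$(kubectl -n "$1" get pod "$2" \
      -o jsonpath='{.metadata.annotations.proxy\.istio\.io/config}')"
}

# Summarise both levels for one pod (assumed names).
# usage: report <namespace> <pod> [revision]
report() {
  if mesh_dns_capture_enabled "${3:-}"; then echo "mesh-wide: DNS capture on"
  else echo "mesh-wide: DNS capture off"; fi
  if pod_dns_capture_enabled "$1" "$2"; then echo "pod $1/$2: DNS capture on"
  else echo "pod $1/$2: no per-pod override (mesh default applies)"; fi
}
```

The per-pod check reads the annotation from the running Pod rather than the Deployment, so it reflects what the injected sidecar actually received; a pod without the annotation simply inherits the mesh-wide default.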
Verifying
Name resolution for Service across clusters
After the multi-cluster setup, deploy a Service in only one of the clusters to
verify cross-cluster name resolution.
Given the following example Service ns1/svc1, you can find its ClusterIP in
the Service object:
$ kubectl get -n ns1 svc svc1 -o yaml
kind: Service
metadata:
  name: svc1
  namespace: ns1
spec:
  ...
  clusterIP: 210.200.1.1
  ...
Then, when you run curl against the Service from the other cluster, it should
show the ClusterIP as follows:
$ curl -sS -v svc1.ns1.svc.cluster.local
* Trying 210.200.1.1:80...
Name resolution for ServiceEntry
Add a ServiceEntry with a hostname that is not registered in your DNS.
To make the name resolution verifiable, the following example uses the explicit address 192.168.123.123.
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: test-service-entry
spec:
  addresses:
  - "192.168.123.123"
  hosts:
  - not-existing-hostname.internal
  ports:
  - name: http
    number: 80
    protocol: HTTP
EOF
Then, try DNS resolution in a Pod where DNS Proxy is enabled. For example,
running curl in the Pod should display the IP address as follows:
$ curl -sS -v not-existing-hostname.internal
* Trying 192.168.123.123:80...
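Both verification steps above, the remote Service and the ServiceEntry, come down to the same check: does the address curl reports in its "Trying" line match what DNS Proxy should have answered? The script below is an added example, not code from this page or from the Istio project. It extracts that address from curl's verbose output and compares it with the expected one; the live wrapper assumes kubectl access and that the namespace and pod names you pass exist.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Istio project): check from
# inside a pod with DNS proxy enabled that a hostname resolves to the address
# you expect, whether it comes from a remote Service or a ServiceEntry.
# Namespace and pod names passed to verify_in_pod are assumptions.
set -eu

# Extract the address from curl's "* Trying <addr>:<port>..." verbose line.
# Only the resolved address matters here: the connection itself may fail
# (e.g. nothing listens at 192.168.123.123) without invalidating the check.
# An IPv6 literal is returned in its bracketed form, e.g. "[::1]".
resolved_address() {
  printf '%s\n' "$1" | sed -n 's/^\* *Trying \(.*\):[0-9][0-9]*\.\.\..*/\1/p' | head -n 1
}

# Compare the resolved address with the expected one. Returns 0 on match.
# usage: check_resolution <curl-verbose-output> <expected-address>
check_resolution() {
  local got
  got=$(resolved_address "$1")
  if [ "$got" = "$2" ]; then
    echo "ok: resolved to $got"
  else
    echo "MISMATCH: expected $2, got ${got:-<no Trying line>}" >&2
    return 1
  fi
}

# Live check: run curl inside the pod (DNS proxy intercepts the lookup there)
# and verify the address. curl's exit status is ignored on purpose; only the
# verbose output is inspected, because a connection failure after a correct
# lookup is still a pass for name resolution.
# usage: verify_in_pod <namespace> <pod> <hostname> <expected-address>
verify_in_pod() {
  local out
  out=$(kubectl -n "$1" exec "$2" -- curl -sS -v --max-time 5 "$3" 2>&1 || true)
  check_resolution "$out" "$4"
}

# Example invocations (assumed pod name) for the two cases shown above:
#   verify_in_pod ns1 client-pod svc1.ns1.svc.cluster.local 210.200.1.1
#   verify_in_pod ns1 client-pod not-existing-hostname.internal 192.168.123.123
```

A mismatch, or no "Trying" line at all, means the lookup was answered by something other than DNS Proxy (or not at all), which is the first thing to rule out before investigating the ServiceEntry or the multi-cluster setup itself.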