DNS resolution inside AKS pods

Question

DNS resolution inside AKS pods

Subin Sabu 40

Hi, I have multiple AKS running and recently one of my cluster is having issue DNS resolution issue. First I encountered the issue when cert-manager inside my cluster wasn't able to auto renew the certificate. I added dnsconfig to the certmanager with address of google and cloudflare and cert-manager is working fine. But still my other pods can't resolve DNS. curl on my website is giving me curl: (6) Could not resolve host:. I have my core-dns up and running. I tried curl through the core-dns service ip, pod ip etc. While everything is working fine for my other AKS clusters. I saw somewhere that service principal credential expiration can cause issues. My cluster is using msi and secret is expired indeed. I am not sure about the credential reset of msi.

Prrudram-MSFT 28,481 Reputation points Microsoft Employee Moderator

2024-10-30T11:25:20.49+00:00

Hello @Subin Sabu

AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. To reset the credentials you can use the Azure CLI cmdlets in the following document link
https://learn.microsoft.com/en-us/azure/aks/update-credentials#reset-the-existing-service-principal-credentials

If resetting the credentials for the SPN does not resolve the DNS resolution issue, you may want to check if there are any issues with your network configuration or DNS settings.
Subin Sabu 40 Reputation points

2024-10-31T04:24:01.9833333+00:00

Thanks @Prrudram-MSFT for the reply, but I have already tried it and below is the error I got
echo $SP_ID

msi
SP_SECRET=$(az ad app credential reset --id "$SP_ID" --query password -o tsv)

ERROR: Application with identifier URI 'msi' doesn't exist

I presume msi refers for managed service identity, which azure created and when I checked in my app registrations in AAD, secret of msi is indeed expired. I am not sure about how to proceed, although I created a new secret for the msi application.
Prrudram-MSFT 28,481 Reputation points Microsoft Employee Moderator

2024-11-05T06:01:06.8666667+00:00

@Subin Sabu

I am checking on this, I will get back shortly

1 answer

Your answer

Prrudram-MSFT 28,481 Reputation points Microsoft Employee Moderator

2024-10-30T11:25:20.49+00:00

Hello @Subin Sabu

AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. To reset the credentials you can use the Azure CLI cmdlets in the following document link
https://learn.microsoft.com/en-us/azure/aks/update-credentials#reset-the-existing-service-principal-credentials

If resetting the credentials for the SPN does not resolve the DNS resolution issue, you may want to check if there are any issues with your network configuration or DNS settings.
Subin Sabu 40 Reputation points

2024-10-31T04:24:01.9833333+00:00

Thanks @Prrudram-MSFT for the reply, but I have already tried it and below is the error I got
echo $SP_ID

msi
SP_SECRET=$(az ad app credential reset --id "$SP_ID" --query password -o tsv)

ERROR: Application with identifier URI 'msi' doesn't exist

I presume msi refers for managed service identity, which azure created and when I checked in my app registrations in AAD, secret of msi is indeed expired. I am not sure about how to proceed, although I created a new secret for the msi application.
Prrudram-MSFT 28,481 Reputation points Microsoft Employee Moderator

2024-11-05T06:01:06.8666667+00:00

@Subin Sabu

I am checking on this, I will get back shortly

Answer 1

Hello @Subin Sabu

The main functionality of Managed Service Identity- MSI (AKA Managed identity) is to manage a service principal and its credentials. One of the goals of the management is that. customer never need to worry about refreshing credentials. so, technically user doesn’t reset MSI credentials.

What you described here looks like a networking problem, please follow the AKS troubleshooting guide https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/connectivity/troubleshoot-dns-failure-from-pod-but-not-from-worker-node. I’d recommend opening support case to take a finer look if this doesn't help to locate the problem. If you don't have an active support plan, let me know I can help in enabling one time free support.

If I have answered your question, please accept this as answer as a token of appreciation.

Share via

DNS resolution inside AKS pods

1 answer

Your answer