dns-discovery

command module

v0.0.0-...-1a80962 Latest Latest Go to latest Published: Aug 13, 2019 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/istio-ecosystem/dns-discovery

Links

Open Source Insights

README ¶

dns-discovery

In a Nutshell

dns-discovery automatically detects egress traffic in a Kubernetes cluster and creates a matching Service Entry object for each host. This improves visibility to the cluster traffic and allows cluster operators to enforce a tight network security policy.

The Problem

When deploying Istio onto a Kubernetes cluster, the user needs to explicitly define each external end-point that the application relies on – this process, which usually involves trial and error, makes it harder to deploy Istio.

For example, if the application relies on storage.googleapis.com, the user must instruct Istio to allow access to this end-point by adding a Service Entry definition.

In Istio 1.0 and earlier versions, the default behavior was to block access to external end-points - this created a connectivity issue and applications were breaking until the operator could discover all the end-points and configure them manually.

Istio 1.1 changed the default to allow access to all external end-points - this resolved the connectivity problem but created a security problem instead; now any traffic can leave the cluster – including malicious traffic.

The Solution

dns-discovery is a container that is deployed into the Kubernetes cluster as a proxy in front of the Kubernetes DNS service.

The proxy sees all attempts to connect to external end-points by monitoring DNS lookups and automatically configures Istio to allow them by adding an Istio Service Entry for each hostname.

The proxy can be easily configured to learn the egress communication patterns automatically. When the learning phase is done, the service entries can be deployed into a production environment to enforce a tight security policy.

Installation

Mac

$ make install

Linux

$ ./deploy.sh

Building

$ make build && make docker

Kubernetes Network Policies

If you are restricting access to your DNS service with a Kubernetes network policy, please note that this will change the DNS pod to listen on UDP port 54 instead of the standard port 53 and you should update the policy. The DNS service continues to listen on the standard port UDP 53.

Changing Istio's Default Behavior for External End-Points

https://istio.io/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
dns
istio

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL