Use NodeLocal DNSCache in your cluster

Big picture

Set up NodeLocal DNSCache to improve DNS lookup latency.

Before you begin

Required

Follow these steps to enable NodeLocal DNSCache connectivity.

Create a policy to allow traffic from NodeLocal DNSCache

The following is a sample network policy that allows all incoming TCP traffic (including incoming traffic from node-local-dns pods) on port 53 on kube-dns.

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default.local-dns-to-core-dns
  namespace: kube-system
spec:
  tier: default
  selector: k8s-app == "kube-dns"
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        selector: k8s-app == "kube-dns"
        ports:
          - '53'
  types:
    - Ingress

To refine the sources permitted by this policy, take into account that NodeLocal DNSCache pods are host networked, and make sure to allow traffic from the addresses of your hosts. If you're using encapsulation, you will need to allow connectivity from the tunnel IPs.

The Tigera operator creates policy to allow Tigera components to connect to NodeLocal DNSCache when detected. Felix accounts for the NodeLocal DNSCache in creating DNS Logs and enforcing DNS Policy.

Use NodeLocal DNSCache in your cluster

Big picture​

Before you begin​

Required​

Create a policy to allow traffic from NodeLocal DNSCache​

Big picture

Before you begin

Required

Create a policy to allow traffic from NodeLocal DNSCache