I recently ran into a problem.
Our kube-apiserver is configured with OIDC authentication, and the OIDC issuer is registered in the DNS server's records, but for some reason I need to override DNS resolution and use the hostAlias IP address instead. In testing, however, it always went through DNS resolution, even though custom host records had been added to the /etc/hosts file. Domain names that are not registered with the DNS server can still be resolved by
The reason is that the base image of kube-apiserver is busybox, which, unlike CentOS, has no /etc/nsswitch.conf file, so it always gives priority to DNS resolution and ignores
The solution is simple: add an /etc/nsswitch.conf file to the image that specifies the resolution order, with files taking precedence over dns (the hosts: files dns line discussed below).
Along the way, let's walk through the complete process by which a Go program resolves a domain name on Linux.
Go has two ways of resolving domain names: the built-in Go resolver and the cgo-based system resolver, selected through the environment variable GODEBUG.
The built-in Go resolver is used by default, because when a DNS lookup blocks, the built-in resolver only blocks a goroutine, whereas the cgo resolver blocks an OS-level thread.
Go also reads resolv.conf and forces cgo if that fails.
When the built-in Go resolver is used, there are four further sub-strategies, depending on the lookup priority.
If the /etc/nsswitch.conf file does not exist or does not specify the
hostLookupDNSFiles is used on Linux, which means that DNS resolution takes precedence over hosts resolution, so the problem described at the beginning of this article occurs.
The lookup order can be specified via nsswitch.conf, and the code that parses it is quite simple.
So by specifying hosts: files dns, the resolution policy becomes one in which /etc/hosts is used first.
See hostLookupOrder for the detailed resolution order.
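As an added example that is neither the original post's code nor the Go standard library's own, here is a simplified model of that decision for Linux: given the text of an nsswitch.conf (or none at all, as in the busybox image) it returns the name of the strategy the net package picks. Anything on the hosts line other than plain files and dns tokens is treated as a cgo fallback, which simplifies what the real code accepts, and the default for a missing file reflects the behaviour this article describes, so compare it against hostLookupOrder in your own Go version.

```go
package main

import (
	"fmt"
	"strings"
)

// hostsSources returns the source tokens of the "hosts:" line (comments stripped), or nil if absent.
func hostsSources(nsswitch string) []string {
	for _, line := range strings.Split(nsswitch, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if db, srcs, ok := strings.Cut(line, ":"); ok && strings.TrimSpace(db) == "hosts" {
			return strings.Fields(srcs)
		}
	}
	return nil
}

// linuxHostLookupOrder models the decision described in the article and returns the
// name of the net package's internal strategy; exists=false is an image with no file.
func linuxHostLookupOrder(nsswitch string, exists bool) string {
	srcs := hostsSources(nsswitch)
	if !exists || len(srcs) == 0 {
		return "hostLookupDNSFiles" // no file or no hosts line: DNS first (as on busybox)
	}
	var files, dns bool
	for _, src := range srcs {
		if src != "files" && src != "dns" {
			return "hostLookupCgo" // [criteria], mdns*, myhostname, nis...: simplified to "let libc do it"
		}
		files = files || src == "files"
		dns = dns || src == "dns"
	}
	switch {
	case files && dns && srcs[0] == "files":
		return "hostLookupFilesDNS" // /etc/hosts consulted before DNS
	case files && dns:
		return "hostLookupDNSFiles"
	case files:
		return "hostLookupFiles"
	}
	return "hostLookupDNS"
}

func main() {
	fmt.Println("busybox, no nsswitch.conf:     ", linuxHostLookupOrder("", false))
	fmt.Println("after adding hosts: files dns: ", linuxHostLookupOrder("hosts: files dns\n", true))
}
```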