DNS Capture and Auto-Allocation Issues After Rancher Istio Upgrade
Article Number: 000022149
Environment
Rancher Istio chart upgraded to 107.2.0+up1.26.2 from any lower version.
Situation
- After upgrading from rancher-istio v1.24 to v1.26 via the Rancher UI, DNS capture and auto-allocation stopped working as expected. The mesh was configured with:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
- When accessing services, DNS resolves incorrectly, sometimes pointing to another service’s IP or port. This happens particularly when multiple ServiceEntries use the same domain but different ports.
- Prior to the upgrade, this setup worked without issues.
Cause
In rancher-istio v1.26, an upstream change causes each ServiceEntry that declares the same host to receive its own auto-allocated VIP, resulting in DNS resolution conflicts. For example, two ServiceEntries for sshhttps.test end up with different addresses:
# kubectl get se local-ssh -o yaml | yq '.status.addresses'
- host: sshhttps.test
  value: 240.240.0.5
# kubectl get se local-https -o yaml | yq '.status.addresses'
- host: sshhttps.test
  value: 240.240.0.4
Resolution
This can be handled by either of the approaches below:
1] Maintain a single ServiceEntry that uses the same domain with different ports:
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: local
spec:
  hosts: ["sshhttps.test"]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: tls-https
    protocol: TLS
  - number: 22
    name: tcp-ssh
    protocol: TCP
2] Manually hardcode the same IP address for each ServiceEntry that shares the same domain name:
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: local-https
spec:
  hosts: ["dummy.local"]
  addresses:
  - 240.240.0.5
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: tls-port
    protocol: TLS
---
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: local-ssh
spec:
  hosts: ["dummy.local"]
  addresses:
  - 240.240.0.5
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 22
    name: tcp-port
    protocol: TCP
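The following script is an added example, not part of this article or of the rancher-istio chart. It audits a ServiceEntry list in the shape returned by `kubectl get se -A -o json` for the condition described under Cause (one host spread across several ServiceEntries that received different VIPs, whether auto-allocated in status.addresses or pinned in spec.addresses), and builds the consolidated single ServiceEntry from approach 1] by taking the union of the ports. The sample input, the entry names `pinned-https`/`pinned-ssh` and the helper names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the article's local-ssh / local-https case,
# in the shape returned by `kubectl get se -A -o json`. Two entries share
# sshhttps.test and got different auto-allocated VIPs; two others share
# dummy.local with the same pinned spec.addresses, so they agree.
SAMPLE_SE_LIST = json.dumps({"items": [
    {"metadata": {"name": "local-ssh", "namespace": "default"},
     "spec": {"hosts": ["sshhttps.test"], "location": "MESH_EXTERNAL",
              "resolution": "DNS",
              "ports": [{"number": 22, "name": "tcp-ssh", "protocol": "TCP"}]},
     "status": {"addresses": [{"host": "sshhttps.test", "value": "240.240.0.5"}]}},
    {"metadata": {"name": "local-https", "namespace": "default"},
     "spec": {"hosts": ["sshhttps.test"], "location": "MESH_EXTERNAL",
              "resolution": "DNS",
              "ports": [{"number": 443, "name": "tls-https", "protocol": "TLS"}]},
     "status": {"addresses": [{"host": "sshhttps.test", "value": "240.240.0.4"}]}},
    {"metadata": {"name": "pinned-https", "namespace": "default"},
     "spec": {"hosts": ["dummy.local"], "addresses": ["240.240.0.5"],
              "location": "MESH_EXTERNAL", "resolution": "DNS",
              "ports": [{"number": 443, "name": "tls-port", "protocol": "TLS"}]}},
    {"metadata": {"name": "pinned-ssh", "namespace": "default"},
     "spec": {"hosts": ["dummy.local"], "addresses": ["240.240.0.5"],
              "location": "MESH_EXTERNAL", "resolution": "DNS",
              "ports": [{"number": 22, "name": "tcp-port", "protocol": "TCP"}]}},
]})


def effective_addresses(se, host):
    """Addresses that apply to `host` in this ServiceEntry: an explicit
    spec.addresses list takes precedence (approach 2]), otherwise the VIPs
    Istio auto-allocated and recorded under status.addresses."""
    explicit = se.get("spec", {}).get("addresses")
    if explicit:
        return set(explicit)
    return {a["value"] for a in se.get("status", {}).get("addresses", [])
            if a.get("host") == host}


def find_vip_conflicts(se_list_json):
    """Map host -> {vip: [namespace/name, ...]} for every host whose
    ServiceEntries resolve to more than one VIP; an empty dict means clean."""
    by_host = defaultdict(lambda: defaultdict(list))
    for item in json.loads(se_list_json)["items"]:
        name = f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'
        for host in item["spec"].get("hosts", []):
            for vip in effective_addresses(item, host):
                by_host[host][vip].append(name)
    return {host: dict(vips) for host, vips in by_host.items() if len(vips) > 1}


def merge_service_entries(se_list_json, host, name="merged"):
    """Build the single ServiceEntry of approach 1]: the union of the ports
    declared for `host` across all entries. Refuses to merge entries whose
    location or resolution differ, since those cannot share one spec."""
    items = [i for i in json.loads(se_list_json)["items"]
             if host in i["spec"].get("hosts", [])]
    if not items:
        raise ValueError(f"no ServiceEntry declares host {host}")
    locations = {i["spec"].get("location") for i in items}
    resolutions = {i["spec"].get("resolution") for i in items}
    if len(locations) > 1 or len(resolutions) > 1:
        raise ValueError(f"entries for {host} disagree on location/resolution")
    ports = {}
    for item in items:
        for port in item["spec"].get("ports", []):
            ports.setdefault(port["number"], port)  # first definition of a port number wins
    return {"apiVersion": "networking.istio.io/v1", "kind": "ServiceEntry",
            "metadata": {"name": name},
            "spec": {"hosts": [host], "location": locations.pop(),
                     "resolution": resolutions.pop(),
                     "ports": sorted(ports.values(), key=lambda p: p["number"])}}


if __name__ == "__main__":
    for host, vips in find_vip_conflicts(SAMPLE_SE_LIST).items():
        print(f"{host}: conflicting VIPs {vips}")
    print(json.dumps(merge_service_entries(SAMPLE_SE_LIST, "sshhttps.test", name="local"), indent=2))
```

Against a live cluster, pass the output of `kubectl get se -A -o json` to `find_vip_conflicts` instead of the constructed sample; any host it reports is one where the DNS proxy can hand out a VIP that belongs to a different ServiceEntry, which is the symptom described under Situation. The merge helper only combines entries that already agree on location and resolution, because a single ServiceEntry can carry only one of each.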