Address sporadic DNS resolution issues when using `nginx.ingress.kubernetes.io/auth-url`
martinohmann commented
Whenever a coredns pod is restarted, it can happen that ingresses using the `nginx.ingress.kubernetes.io/auth-url` annotation start returning 5xx because nginx attempts to resolve the DNS name against a non-existent coredns pod, which fails for obvious reasons.
The problem is caused by cilium without kube-proxy but with eBPF enabled as described in kubernetes/ingress-nginx#9222 (comment).
The mitigation when this happens is to restart the nginx-ingress pods, which makes the DNS resolution issues go away, but this shouldn't be the long-term solution here.
I have a few ingresses making use of the authentik-outpost-proxy to implement auth via:

```yaml
nginx.ingress.kubernetes.io/auth-url: http://authentik-outpost-proxy.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
```
I need to come up with a solution for this since I don't want to disable eBPF.