martinohmann/home-ops

Address sporadic DNS resolution issues when using `nginx.ingress.kubernetes.io/auth-url`


Whenever a coredns pod is restarted, it can happen that ingresses using the `nginx.ingress.kubernetes.io/auth-url` annotation start returning 5xx because nginx attempts to resolve the DNS name against a non-existent coredns pod, which fails for obvious reasons.

The problem is caused by cilium without kube-proxy but with eBPF enabled as described in kubernetes/ingress-nginx#9222 (comment).

The mitigation when this happens is to restart the nginx-ingress pods, which makes the DNS resolution issues go away, but this shouldn't be the long-term solution here.

I have a few ingresses making use of the authentik-outpost-proxy to implement auth via:

```yaml
nginx.ingress.kubernetes.io/auth-url: http://authentik-outpost-proxy.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
```

I need to come up with a solution for this since I don't want to disable eBPF.