Open MrCaedes opened 1 year ago
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
Is your feature request related to a problem?
As it presently stands today, all other Private Endpoint types have a "PrivateDNS Zone Group" integration available, which allows for a strong association to be formed between a Private Endpoint and a "Private DNS Zone". This can be utilised with policy to facilitate a centralised "hub" zone, to enable on-premises resolution in a highly distributed tenancy.
Whilst the Private Endpoint for AKS' API server has this capability, which can be configured, it is not actually utilised for anything - with the cluster self-managing its Private DNS Zone, via the principal aligned to it. In a highly distributed tenant, where developers are in control of deployments, this makes it nigh-on impossible to facilitate centralised resolution of the PE for the AKS API. This in turn prevents the internalisation of traffic, or utilisation of an on-premises VPN solution.
Describe the solution you'd like
The "Private DNS Zone Group" capability of "Private Endpoints" should work for the "AKS API" Private Endpoint, deployed when deploying a private cluster - this would bring it in line with all other "Private Endpoint" types (e.g., Storage Account, KeyVault, etc).
Describe alternatives you've considered
<region>.azmk8s.io zones to a hub-like construct, with forwarders set up that can be leveraged by on-premises to support their resolution.

I've had a quick scan through, and whilst I can see various requests about Private DNS, I've not been able to find anything specifically about the lack of support for the "Private DNS Zone Group" feature. While some workarounds exist, these are generally a hack - or don't have a quick enough turnaround, leading to the cluster failing.
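The following Bicep is an added illustration, not part of the issue or of any AKS project code. It shows the Private DNS Zone Group association the issue is asking for on the AKS API server private endpoint, written against a Storage Account (blob) private endpoint, where the child resource is already honoured. The centralised hub zone, its link to a hub VNet, the private endpoint and the zone group are collapsed into a single resource group for brevity; the parameter values, resource names and API versions are assumptions and would normally be split across hub and spoke deployments and enforced by policy.

```bicep
// Added example (not from the issue): Private DNS Zone Group on a Storage
// Account private endpoint, the pattern requested for the AKS API endpoint.
// Resource names, location, subnet/VNet/storage IDs are assumed placeholders.
param location string = resourceGroup().location
param subnetId string          // spoke subnet hosting the private endpoint (assumed)
param hubVnetId string         // hub VNet reachable by on-premises DNS forwarders (assumed)
param storageAccountId string  // target resource of the private endpoint (assumed)

// Centralised "hub" zone. In a distributed tenancy this lives in a hub
// subscription; on-premises resolvers forward privatelink queries to a
// forwarder in the linked hub VNet, which answers from this zone.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}

resource hubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'hub-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: hubVnetId }
  }
}

// The private endpoint itself, typically deployed by a spoke/application team.
resource blobPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-blob-example'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storageAccountId
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// The Private DNS Zone Group: Azure writes (and later removes) the A record
// for the endpoint's private IP in the referenced zone, so the endpoint owner
// never manages DNS and a DeployIfNotExists policy can attach the group to
// any endpoint it finds. Per the issue, this child resource is accepted on
// the AKS API server private endpoint but currently has no effect there.
resource blobZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

Check after deployment that the A record appeared in the hub zone rather than in a zone the endpoint owner created locally; if a spoke-local zone exists and is linked to the spoke VNet, it takes precedence for workloads in that VNet and the hub forwarders will still answer from the hub zone, which is the split-resolution failure mode the issue describes for AKS.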