Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Support for Private DNS Zone Group from Private Endpoint Implementation #3577

Open MrCaedes opened 1 year ago

MrCaedes commented 1 year ago

Is your feature request related to a problem?

As it presently stands today, all other Private Endpoint types have a "PrivateDNS Zone Group" integration available, which allows for a strong association to be formed between a Private Endpoint and a "Private DNS Zone". This can be utilised with policy to facilitate a centralised "hub" zone, to enable on-premises resolution in a highly distributed tenancy.

Whilst the Private Endpoint for AKS' API server has this capability, which can be configured, it is not actually utilised for anything - with the cluster self-managing its Private DNS Zone, via the principal aligned to it. In a highly distributed tenant, where developers are in control of deployments, this makes it nigh-on-impossible to facilitate centralised resolution of the PE for the AKS API. This in turn prevents the internalisation of traffic, or utilisation of an on-premises VPN solution.

Describe the solution you'd like

The "Private DNS Zone Group" capability of "Private Endpoints" should work for the "AKS API" Private Endpoint, deployed when deploying a private cluster - this would bring it in line with all other "Private Endpoint" types (e.g., Storage Account, KeyVault, etc.).

Describe alternatives you've considered

  1. Automatically linking <region>.azmk8s.io zones to a hub-like construct, with forwarders set up that can be leveraged by on-premises to support their resolution.
    • We would like to avoid this, as it then gives the related development team full control over that zone - to add any additional records they wish.
  2. Utilising an Event Hub, alongside a multi-subscription integration with Activity Logs, to automatically query and pull the required DNS records into a centralised zone.

I've had a quick scan through, and whilst I can see various requests about Private DNS, I've not been able to find anything specifically about the lack of support for the "Private DNS Zone Group" feature. While some workarounds exist, these are generally a hack - or don't have a quick enough turnaround, leading to the cluster failing.
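For readers unfamiliar with the Private DNS Zone Group mechanism the request refers to, the following is an added Bicep example (not from the issue or the AKS project) showing it on a storage-account Private Endpoint, the case where it already works: Azure itself writes the A record into the hub-owned zone, so the deploying team needs no write access to that zone. All names, resource IDs and parameter values are placeholders.

```bicep
// Added illustration of a Private DNS Zone Group on a storage-account Private
// Endpoint. Parameters are placeholders for existing resources owned by the
// spoke (subnet, storage account) and by the hub (the privatelink DNS zone).
param location string = resourceGroup().location
param storageAccountId string   // placeholder: existing storage account resource ID
param subnetId string           // placeholder: spoke subnet for the endpoint NIC
param hubDnsZoneId string       // placeholder: hub-owned privatelink.blob.core.windows.net zone ID

resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-storage-blob'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storageAccountId
          groupIds: [ 'blob' ]   // sub-resource exposed through this endpoint
        }
      }
    ]
  }
}

// The zone group is the capability the issue asks for on the AKS API-server
// endpoint: the platform creates and maintains the endpoint's A record in the
// referenced zone, so resolution from the hub (and from on-premises via the
// hub's forwarders) works without granting the spoke team rights on the zone.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: hubDnsZoneId }
      }
    ]
  }
}
```

The deploying identity needs only Private Endpoint rights in the spoke plus a join-style permission on the zone, not the ability to edit records in it, which is the least-privilege property the issue's first alternative would give up.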

microsoft-github-policy-service[bot] commented 7 months ago

Action required from @Azure/aks-pm

microsoft-github-policy-service[bot] commented 6 months ago

Issue needing attention of @Azure/aks-leads
