k8gb-io / k8gb

A cloud native Kubernetes Global Balancer
https://www.k8gb.io
Apache License 2.0

Describe possible ways to work around Private Hosted Zones issues #846

Open k0da opened 2 years ago

k0da commented 2 years ago

At least Route53 lacks support for NS record types in Private Hosted Zones. We need to cover such cases and document ways around such issues.

somaritane commented 2 years ago

Adding a few supporting facts as food for thought:

jkremser commented 2 years ago

I assume that "Private Hosted zones issues" is mostly the inability to create NS records + glue A records (aka zone delegation) in private VPC environments; well, for AWS we are somehow able to create them, but then they do not work.

Can't we put the public hosted zone@Route53 as a requirement for k8gb also for the VPC use-case? They have that hybrid thing called ClassicLink:

"By default, if you use a public DNS hostname to address an instance in a VPC from a linked EC2-Classic instance, the hostname resolves to the instance's public IP address. The same occurs if you use a public DNS hostname to address a linked EC2-Classic instance from an instance in the VPC. If you want the public DNS hostname to resolve to the private IP address, you can enable ClassicLink DNS support for the VPC. For more information, see Enable ClassicLink DNS support." --https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html#classiclink-enable-dns-support

So if a company wants to keep their stuff private in a VPC but at the same time use k8gb for failover, for instance, they need to have at least one public hosted zone that sets up the host delegation test.k8gb.io -> ${foobar_cloud_id}.test.k8gb.io, where we have a way to update the records in the CoreDNS.

If the initiator of the DNS call lives in the VPC, this is ok, because all the resolved IPs should be reachable, but if it's a client from the "public internets", then one of the DNS servers will be private and this mechanism will fail, but that's kinda expected because they don't have access to the VPC.

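The failure mode described in the comment above, as an added example that is not part of this issue or of k8gb's own code: given a constructed delegation (NS records plus glue A records for test.k8gb.io) it reports which name servers a client inside or outside the VPC can actually reach, treating RFC 1918 glue as VPC-only. The server names, addresses and the RFC 1918 classification are assumptions for illustration.

```python
import ipaddress

# RFC 1918 ranges: what a VPC-internal CoreDNS/LoadBalancer address typically falls into.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed delegation (not real k8gb data): the parent zone test.k8gb.io
# delegates one NS per cluster; glue A records point at each cluster's CoreDNS.
DELEGATION = {
    "test.k8gb.io.": ["gslb-ns-eu.test.k8gb.io.", "gslb-ns-us.test.k8gb.io."],
}
GLUE = {
    "gslb-ns-eu.test.k8gb.io.": ["203.0.113.10"],  # documentation prefix standing in for a public LB IP
    "gslb-ns-us.test.k8gb.io.": ["10.42.0.53"],    # private VPC address, unreachable from outside
}

def is_vpc_private(addr):
    """True when the glue address is RFC 1918, i.e. only routable inside the VPC."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def reachable_nameservers(zone, client_in_vpc, delegation=DELEGATION, glue=GLUE):
    """Glue addresses a client at the given vantage point could actually contact."""
    reachable = []
    for ns in delegation.get(zone, []):
        for addr in glue.get(ns, []):
            # Inside the VPC every glue address is routable; outside, only non-RFC1918 ones.
            if client_in_vpc or not is_vpc_private(addr):
                reachable.append((ns, addr))
    return reachable

def unreachable_nameservers(zone, client_in_vpc, delegation=DELEGATION, glue=GLUE):
    """Glue addresses handed to the client that it can never reach (timeouts/retries)."""
    ok = set(reachable_nameservers(zone, client_in_vpc, delegation, glue))
    return [(ns, a) for ns in delegation.get(zone, []) for a in glue.get(ns, []) if (ns, a) not in ok]

def delegation_resolvable(zone, client_in_vpc, delegation=DELEGATION, glue=GLUE):
    """The delegation works for this client if at least one authoritative server is reachable."""
    return bool(reachable_nameservers(zone, client_in_vpc, delegation, glue))

if __name__ == "__main__":
    for vantage in (True, False):
        where = "inside the VPC" if vantage else "on the public internet"
        print(f"client {where}: resolvable={delegation_resolvable('test.k8gb.io.', vantage)}, "
              f"unreachable={unreachable_nameservers('test.k8gb.io.', vantage)}")
```

With only private glue the delegation still works for VPC clients but not for public ones, which is the split the comment describes.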
somaritane commented 2 years ago

@jkremser not sure we can raise that as a requirement, but rather as a recommendation; it is up to users to decide about their infra. There might be security reasons behind the decision to use a private hosted zone only, so that company DNS resources are not publicly resolvable.

jkremser commented 2 years ago

so that company DNS resources are not publicly resolvable.

right, that also came to my mind. On the other hand, there is no zone transfer support for Route53 afaik, so one/an attacker can't easily list all the records with something like this