From eb23cce1a766ee37cbfc884928f668dac4d0ddff Mon Sep 17 00:00:00 2001 From: Chris O'Haver Date: Thu, 26 Mar 2020 03:42:32 -0400 Subject: [PATCH] add known issue (#3770) Signed-off-by: Chris O'Haver --- plugin/autopath/README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/plugin/autopath/README.md b/plugin/autopath/README.md index 86266c5fa..52156ba5c 100644 --- a/plugin/autopath/README.md +++ b/plugin/autopath/README.md @@ -12,6 +12,8 @@ failures, the original reply is returned. Because *autopath* returns a reply for the original question it will add a CNAME that points from the original name (with the search path element in it) to the name of this answer. +**Note**: There are several known issues. See section below. + ## Syntax ~~~ 
@@ -50,6 +52,16 @@ Use the search path dynamically retrieved from the *kubernetes* plugin. ## Known Issues -In Kubernetes, *autopath* is not compatible with pods running from Windows nodes. +In Kubernetes, *autopath* can derive the wrong namespace of a client Pod (and therefore wrong search path) +in the following case. To properly build the search path of a client *autopath* needs to +know the namespace of the a Pod making a DNS request. To do this, it relies on the +*kubernetes* plugin's Pod cache to resolve the client's IP address to a Pod. The Pod cache is maintained by +an API watch on Pods. When Pod IP assignments change, the Kubernetes API notifies CoreDNS via the API watch. +However, that notification is not instantaneous. In the case that a Pod is deleted, and it's IP is +immediately provisioned to a Pod in another namespace, and that new Pod make a DNS lookup *before* the API watch +can notify CoreDNS of the change, *autopath* will resolve the IP to the previous Pod's namespace. -If the server side search ultimately results in a negative answer (e.g. `NXDOMAIN`), then the client will fruitlessly search all paths manually, thus negating the *autopath* optimization. +In Kubernetes, *autopath* is not compatible with Pods running from Windows nodes. + +If the server side search ultimately results in a negative answer (e.g. `NXDOMAIN`), then the client will +fruitlessly search all paths manually, thus negating the *autopath* optimization.
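Review bot: The note added in the first hunk (before `## Syntax`) says only "See section below" and does not name the section it points to. Suggest naming it, for example "See the Known Issues section below", or linking to the `## Known Issues` heading, so the pointer still works if sections are added or reordered.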
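Review bot: The new first paragraph under `## Known Issues` in the second hunk ends at "will resolve the IP to the previous Pod's namespace" and leaves the consequence for the client implicit. Suggest adding a closing sentence stating that the server-side search then runs with the previous Pod's search path, so a short name can be answered from the wrong namespace until the API watch catches up. The same paragraph has three grammar slips worth fixing before merge: "of the a Pod" should be "of the Pod", "it's IP" should be "its IP", and "that new Pod make a DNS lookup" should be "makes a DNS lookup".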