Resolving through kube-dns on managed Kubernetes nodes

Posted June 10, 2019

Hi Digital Ocean,

I am trying to set up an internal Docker registry within a DO managed Kubernetes cluster. I have the registry up and running and can access the registry from the worker nodes by using the service ClusterIP, but I cannot pull images in deployments through the URL provided for the internal Docker registry with kube-dns. I believe the problem is that the worker nodes themselves are not set up to use the kube-dns name server.

As the worker nodes are to be treated as ephemeral, I do not wish to manually set up resolv.conf, as it would probably be overwritten at cluster upgrades, recycles, etc.

What can be done? Would it be possible to upgrade the default managed Kubernetes nodes to resolve through kube-dns first?

Thanks for your time and kind regards.

I figured out that it was possible to create a privileged DaemonSet putting self-signed certificates into the host nodes’ Docker certificate stores and editing resolv.conf to include the kube-dns nameserver.

However, I ended up exposing the Docker registry on the internet through an HAProxy Ingress, secured with HTTPS and using Basic Auth credentials, as I deemed the registry as being secure enough to be exposed for now (it will be easier to maintain and more easily accessible for other developers/machines/clusters).

You’re correct. The nodes are not set up to use the cluster’s DNS to hit services. However, what you can do is use the registry service’s ClusterIP to specify the internal registry. That IP will not change unless you recreate the service. This way you can use the IP in your deployments to reference the registry and then provide the repo and tag for your image.


John Kwiatkoski
Senior Developer Support Engineer

  • I think it’s a really severe problem. If a worker node cannot resolve through kube-dns, services like NFS for static PV provisioning will not work. Is there any roadmap or solution to solve this problem?

    Known issues:
    Kubernetes installs do not configure the nodes’ resolv.conf files to use the cluster DNS by default, because that process is inherently distribution-specific. This should probably be implemented eventually.

    • This is correct that nodes themselves cannot resolve service names. You should be able to get around this by using the ClusterIP of your services, as those should not change unless you are creating and deleting them.

      This sounds like a great candidate for submission to

      Until this gets implemented services should be addressed by internalIP instead of service name or internal dns.
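The ClusterIP workaround described in the answer above, as an added example that is not part of the original thread: the registry Service is pinned to a fixed ClusterIP so the address survives a delete/recreate, and the Deployment references the registry by that IP rather than by its kube-dns name. The namespace `registry`, port 5000 and the address 10.245.0.50 are assumptions; the address must be a free one inside your cluster’s service CIDR.

```yaml
# Added example, not code from the thread. Assumes the registry runs in
# namespace "registry" on port 5000 and that 10.245.0.50 is a free address
# inside this cluster's service CIDR (adjust to your cluster).
apiVersion: v1
kind: Service
metadata:
  name: docker-registry
  namespace: registry
spec:
  type: ClusterIP
  # Pinning the address keeps image references valid across "kubectl delete"
  # and "kubectl apply" of this Service. The API server rejects an address
  # outside the service CIDR or one already in use.
  clusterIP: 10.245.0.50
  selector:
    app: docker-registry
  ports:
    - name: https
      port: 5000
      targetPort: 5000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          # The node's Docker daemon does not resolve through kube-dns, so the
          # registry is addressed as ClusterIP:port instead of a service name.
          # If the registry serves a self-signed certificate, 10.245.0.50 must
          # be listed in that certificate's SANs and the CA must be trusted by
          # the node's Docker daemon (e.g. /etc/docker/certs.d/10.245.0.50:5000/).
          image: 10.245.0.50:5000/myapp:1.0.0
```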

You could potentially set up ExternalDNS for your Docker registry as discussed in I believe it would mean exposing your registry to the internet, so you’d need to secure it.

