Integrating Yandex Managed Service for Kubernetes with a corporate DNS zone

Written by
Yandex Cloud
Updated at May 5, 2025
  • Required paid resources
  • Getting started
  • Configure the DNS server
  • Specify a corporate DNS zone
  • Create a dns-utils pod
  • Check DNS integration
  • Delete the resources you created

To integrate a Managed Service for Kubernetes cluster with a private corporate DNS zone:

  1. Configure the DNS server.
  2. Specify a corporate DNS zone.
  3. Create a dns-utils pod.
  4. Check DNS integration.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost includes:

  • Fee for the Managed Service for Kubernetes cluster: use of the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Fee for each VM (cluster nodes, DNS server, VM for managing the Managed Service for Kubernetes cluster without public access): use of computing resources, the operating system, and storage (see Compute Cloud pricing).
  • Fee for VM public IP addresses (see Virtual Private Cloud pricing).
  • Fee for a DNS zone and DNS requests (see Cloud DNS pricing).

Getting started

  1. Create Managed Service for Kubernetes resources:

    Manually

    1. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    2. Create a Managed Service for Kubernetes cluster. When creating a cluster, specify the preconfigured security groups.

      For Yandex Cloud internal network usage, your cluster does not need a public IP address. To enable internet access to your cluster, assign it a public IP address.

    3. Create a node group. To enable internet access for your node group (e.g., for Docker image pulls), assign it a public IP address. Specify the preconfigured security groups.

    Terraform

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. You do not need to create the provider configuration file manually: you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-cluster.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory. This file describes:

      • Network.

      • Subnet.

      • Managed Service for Kubernetes cluster.

      • Managed Service for Kubernetes node group.

      • Service account required to create the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the folder ID in the configuration file.

    7. Make sure the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

    8. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the new cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

Configure the DNS server

The Managed Service for Kubernetes cluster nodes must have IP connectivity to the DNS servers. The DNS servers themselves can either reside in Yandex Virtual Private Cloud or be reachable via VPN or Yandex Cloud Interconnect. In the example below, a DNS server with the 10.129.0.3 address and the ns.example.com name serves the example.com zone.

Specify a corporate DNS zone

  1. Prepare the custom-zone.yaml file with the following content:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: coredns-user
      namespace: kube-system
      labels:
        addonmanager.kubernetes.io/mode: EnsureExists
    data:
      Corefile: |
        # User can put their additional configurations here, for example:
        example.com {
          errors
          cache 30
          forward . 10.129.0.3
        }
    
  2. Run this command:

    kubectl replace -f custom-zone.yaml
    

    Result:

    configmap/coredns-user replaced
    

Create a dns-utils pod

  1. Create a pod.

    kubectl run jessie-dnsutils \
      --image=registry.k8s.io/jessie-dnsutils \
      --restart=Never \
      --command sleep infinity
    

    Result:

    pod/jessie-dnsutils created
    
  2. View details of the pod created:

    kubectl describe pod jessie-dnsutils
    

    Result:

    ...
    Status:  Running
    ...
    

Check DNS integration

Run the nslookup command in the active container:

kubectl exec jessie-dnsutils -- nslookup ns.example.com

Result:

Server:   10.96.128.2
Address:  10.96.128.2#53
Name:     ns.example.com
Address:  10.129.0.3

Note

If the corporate DNS zone is unavailable, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, add it. The rules must allow access to resources from the cluster.
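As an added example (not part of the article or of Yandex Cloud's tooling), a small Python check a platform team could run over the coredns-user Corefile and the nslookup output shown above: it confirms that the custom stanza forwards only the corporate zone (not the root zone, which would redirect all cluster DNS) to a resolver inside the expected corporate range, and that the pod's lookup was answered with the expected address. The 10.129.0.0/24 range is an assumed value for the corporate DNS network; both sample inputs are constructed from the article's output.

```python
import ipaddress
# Constructed sample: the Corefile under data.Corefile in the coredns-user ConfigMap.
COREFILE = """\
example.com {
  errors
  cache 30
  forward . 10.129.0.3
}
"""
# Constructed sample of the nslookup output from the dns-utils pod.
NSLOOKUP_OUTPUT = ("Server:   10.96.128.2\nAddress:  10.96.128.2#53\n"
                   "Name:     ns.example.com\nAddress:  10.129.0.3\n")

def parse_corefile(text):
    """Map each server block's zone to its 'forward' targets (flat, one-level Corefile)."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            current = line[:-1].split()[0]       # 'example.com {' -> zone
            zones[current] = []
        elif line == "}":
            current = None
        elif current and line.startswith("forward "):
            zones[current] += line.split()[2:]   # forward FROM TO [TO ...]
    return zones

def check_forwarders(corefile, corporate_net):
    """Findings: a root-zone block (redirects all cluster DNS) or an out-of-range forwarder."""
    net = ipaddress.ip_network(corporate_net)    # assumed corporate DNS network
    findings = []
    for zone, targets in parse_corefile(corefile).items():
        if zone == ".":
            findings.append(f"{zone}: root zone overrides cluster-wide DNS")
        for t in targets:
            host = t.split("://")[-1].split(":")[0]  # strip tls:// and :port (IPv4 only)
            if ipaddress.ip_address(host) not in net:
                findings.append(f"{zone}: forwarder {host} outside {corporate_net}")
    return findings

def nslookup_answer(output, name):
    """Return (resolver, address) that nslookup reported for name."""
    fields, answers = {}, {}
    for line in output.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Address" and "Name" in fields:  # answer section, not the resolver line
            answers[fields["Name"]] = value
        fields[key] = value
    return fields.get("Server"), answers.get(name)
```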

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the Managed Service for Kubernetes cluster:

    Manually

    Delete the Managed Service for Kubernetes cluster.

    Terraform

    1. In the terminal window, go to the directory containing the infrastructure plan.

      Warning

      Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

    2. Delete resources:

      1. Run this command:

        terraform destroy
        
      2. Confirm deleting the resources and wait for the operation to complete.

      All the resources described in the Terraform manifests will be deleted.

  2. Delete the VM with the DNS server.

  3. Delete the DNS zone.
