@@ -252,6 +252,54 @@ linux/amd64, go1.10.3, 2e322f6
2522522018/09/07 15:29:04 [INFO] Reloading complete
253253172.17.0.18:41675 - [07/Sep/2018:15:29:11 +0000] 59925 "A IN kubernetes.default.svc.cluster.local. udp 54 false 512" NOERROR qr,aa,rd,ra 106 0.000066649s
254254```
255+ ### Does CoreDNS have sufficient permissions?
256+
257+ CoreDNS must be able to list {{< glossary_tooltip text="service"
258+ term_id="service" >}} and {{< glossary_tooltip text="endpoint"
259+ term_id="endpoint" >}} related resources to properly resolve service names.
260+
261+ Sample error message:
262+ ```
263+ 2022-03-18T07:12:15.699431183Z [INFO] 10.96.144.227:52299 - 3686 "A IN serverproxy.contoso.net.cluster.local. udp 52 false 512" SERVFAIL qr,aa,rd 145 0.000091221s
264+ ```
265+
266+ First, get the current ClusterRole of ` system:coredns ` :
267+
268+ ``` shell
269+ kubectl describe clusterrole system:coredns -n kube-system
270+ ```
271+
272+ Expected output:
273+ ```
274+ PolicyRule:
275+ Resources Non-Resource URLs Resource Names Verbs
276+ --------- ----------------- -------------- -----
277+ nodes [] [] [get]
278+ endpoints [] [] [list watch]
279+ namespaces [] [] [list watch]
280+ pods [] [] [list watch]
281+ services [] [] [list watch]
282+ endpointslices.discovery.k8s.io [] [] [list watch]
283+ ```
284+
285+ If any permissions are missing, edit the ClusterRole to add them:
286+
287+ ``` shell
288+ kubectl edit clusterrole system:coredns -n kube-system
289+ ```
290+
291+ Example insertion of EndpointSlices permissions:
292+ ```
293+ ...
294+ - apiGroups:
295+ - discovery.k8s.io
296+ resources:
297+ - endpointslices
298+ verbs:
299+ - list
300+ - watch
301+ ...
302+ ```
255303
256304### Are you in the right namespace for the service?
257305
0 commit comments