Tags: ssl, curl, kubernetes, kubernetes-pod

Kubernetes pod curl works only if domain name ends with "."


I have set up a php:7.4-apache pod in k8s, and curling to any domain works only if a "." is appended to the end of the domain name.

Standalone docker container works as expected.

For example:

root@testpod1-67655784f8-lbzlw:/var/www/html# curl -I https://www.google.com.sg.
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Mon, 15 Mar 2021 07:28:29 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Mon, 15 Mar 2021 07:28:29 GMT
cache-control: private
set-cookie: 1P_JAR=2021-03-15-07; expires=Wed, 14-Apr-2021 07:28:29 GMT; path=/; domain=.google.com.sg; Secure
set-cookie: NID=211=diZZqWJ8q_Z2Uv76GGJB3hCVZgW3DJdshJC6046-lim-eupG0XaiLz9jtCGdrYJ0H06ihwwuB8QSTWyDX1oJ5bn-s_NdSn0qnPCc3YFl-lgi1fHRc3PQ-Zzm43c1WC462MOLDniIpRsWd8ixCxGcmCK6OE7l7dyI_mh72DdKYSM; expires=Tue, 14-Sep-2021 07:28:29 GMT; path=/; domain=.google.com.sg; HttpOnly
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
# kubectl logs --follow -n kube-system --selector 'k8s-app=kube-dns'
[INFO] 10.244.0.11:51529 - 65397 "AAAA IN www.google.com.sg. udp 35 false 512" NOERROR qr,rd,ra 80 0.003877824s
[INFO] 10.244.0.11:51529 - 62826 "A IN www.google.com.sg. udp 35 false 512" NOERROR qr,rd,ra 68 0.00382946s
root@testpod1-67655784f8-lbzlw:/var/www/html# curl -I https://www.google.com.sg
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
# kubectl logs --follow -n kube-system --selector 'k8s-app=kube-dns'
[INFO] 10.244.0.11:41210 - 18404 "AAAA IN www.google.com.sg.production.svc.cluster.local. udp 64 false 512" NXDOMAIN qr,aa,rd 157 0.000227919s
[INFO] 10.244.0.11:41210 - 44759 "A IN www.google.com.sg.production.svc.cluster.local. udp 64 false 512" NXDOMAIN qr,aa,rd 157 0.000222998s
[INFO] 10.244.0.11:37292 - 52263 "AAAA IN www.google.com.sg.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000149362s
[INFO] 10.244.0.11:37292 - 6177 "A IN www.google.com.sg.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000220946s
[INFO] 10.244.0.11:33258 - 6845 "AAAA IN www.google.com.sg.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.00012002s
[INFO] 10.244.0.11:33258 - 51638 "A IN www.google.com.sg.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000140393s
[INFO] 10.244.0.11:42947 - 8517 "A IN www.google.com.sg.xxxx.com. udp 46 false 512" NOERROR qr,rd,ra 144 0.006529064s
[INFO] 10.244.0.11:42947 - 57930 "AAAA IN www.google.com.sg.xxxx.com. udp 46 false 512" NOERROR qr,rd,ra 209 0.00684084s

Pod's /etc/resolv.conf

root@testpod1-67655784f8-lbzlw:/var/www/html# cat /etc/resolv.conf
nameserver 10.96.0.10
search production.svc.cluster.local svc.cluster.local cluster.local xxxx.com
options ndots:5

Solution

  • This is the expected behavior: www.google.com.sg. is a fully qualified name while www.google.com.sg is not.

    The problem is with your ndots option value; read the following from the resolv.conf man page:

    ndots:n

    sets a threshold for the number of dots which must appear in a name before an initial absolute query will be made. The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it.

    Basically, reducing the ndots value in your example to 3 would allow curl to work on the pod.

    Here is a good read about this topic: https://mrkaran.dev/posts/ndots-kubernetes/
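As an added illustration (not part of the original question or answer), the following Python models the stub resolver's search-list logic from resolv.conf(5) and reproduces the query order seen in the CoreDNS logs above, including the ndots:3 case the answer proposes. The search list and ndots value are the pod's resolv.conf values; the DNS answers are constructed sample data.

```python
# Model of the stub resolver's search-list logic from resolv.conf(5).
# Added example, not code from the question or answer. SEARCH and NDOTS are
# the pod's resolv.conf values; ANSWERS is constructed sample data standing in
# for what the cluster DNS returned in the logs above.

def candidate_names(name, search, ndots):
    """Return the absolute names the resolver tries, in query order.

    A name ending in '.' is already fully qualified: it is looked up as-is
    and the search list is never consulted. Otherwise the bare name is tried
    first only if it has at least `ndots` dots; each search suffix is then
    appended in order, and the bare name is tried last if it was not first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]

# Values quoted from the pod's /etc/resolv.conf in the question.
SEARCH = ["production.svc.cluster.local", "svc.cluster.local",
          "cluster.local", "xxxx.com"]
NDOTS = 5

# Constructed sample answers (documentation-range addresses). In the CoreDNS
# logs the cluster suffixes returned NXDOMAIN, but xxxx.com answered NOERROR,
# so the resolver stopped there and curl connected to the wrong host.
ANSWERS = {
    "www.google.com.sg.": "203.0.113.10",
    "www.google.com.sg.xxxx.com.": "192.0.2.1",
}

def resolve(name, search=SEARCH, ndots=NDOTS, answers=ANSWERS):
    """Walk the candidate list and return (answering_name, address) or None."""
    for candidate in candidate_names(name, search, ndots):
        if candidate in answers:
            return candidate, answers[candidate]
    return None

if __name__ == "__main__":
    # www.google.com.sg has 3 dots: below ndots:5 it gets the search list
    # first, with ndots:3 it is queried as an absolute name first.
    for name, ndots in [("www.google.com.sg", 5),
                        ("www.google.com.sg.", 5),
                        ("www.google.com.sg", 3)]:
        print(f"{name:22} ndots:{ndots} -> {resolve(name, ndots=ndots)}")
```

The wildcard-style NOERROR from the xxxx.com suffix is what turns a harmless search-list miss into a TLS "unrecognized name" error, so checking what the last search domain answers is as important as tuning ndots.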