Understanding Kubernetes DNS Behavior: Why Does proxy_pass Work but Not rewrite?

Explore the intricacies of Kubernetes DNS behavior in Nginx to understand why `proxy_pass` resolves service names while `rewrite` does not.
---
This video is based on the question https://stackoverflow.com/q/68659478/ asked by the user 'dman' ( https://stackoverflow.com/u/1483954/ ) and on the answer https://stackoverflow.com/a/68660033/ provided by the user 'coderanger' ( https://stackoverflow.com/u/78722/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Kubernetes uses dns for nginx proxy_pass but not rewrite

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding Kubernetes DNS Behavior: Why Does proxy_pass Work but Not rewrite?

When setting up Nginx as a reverse proxy within a Kubernetes environment, particularly using Minikube, you may encounter an interesting behavior regarding how DNS resolution works. Specifically, why does Kubernetes resolve service names in proxy_pass, yet not in a rewrite directive? Let's break this down and provide clarity on the subject.

The Problem at Hand

Using Nginx within a Kubernetes cluster involves configuring various directives to properly route traffic to services. Consider the following configurations:

[[See Video to Reveal this Text or Code Snippet]]

In this case, the proxy_pass directive uses the service name (auth-proxy-service.default) which Kubernetes resolves to an internal IP address, allowing requests to be properly routed.

However, when it comes to a rewrite configuration:

[[See Video to Reveal this Text or Code Snippet]]

Here, the service name does not get resolved into an IP address, and instead, the URL remains unchanged in the browser to http://auth-proxy-service.default:590.... You might wonder: why does Kubernetes handle these directives so differently?

The Solution Explained

The key to understanding this behavior lies in the fundamental differences between how Nginx handles proxy_pass versus rewrite directives. Let's delve into these concepts.

Proxy Pass Overview

Reverse Proxy: When you use proxy_pass, Nginx forwards the request to the specified upstream server. This is a transparent process, meaning that the client (browser) does not see the upstream server details. Instead, it interacts with the Nginx server.

DNS Resolution: Kubernetes automatically resolves service names in proxy_pass. The client does not see service names; they see only what Nginx exposes. This operation is seamless, ensuring that the backend service can handle requests appropriately.

Rewrite Directive Overview

Redirect Behavior: In contrast, the rewrite directive is user-facing. When you rewrite a URL, the client is shown the new URL that it should access. This means that if you send a request that is rewritten, the response to the client will include the full rewired URL.

No DNS Resolution: Kubernetes does not resolve service names in rewrite directives. Consequently, when you try to redirect a service name, it remains as-is. This is because rewrite is trying to provide transparency about the new path. Essentially, it allows the browser to see what it's being redirected to, which includes the service name itself instead of an IP address.

Conclusion

Ultimately, the distinct treatment of proxy_pass and rewrite in Nginx when used in a Kubernetes context comes down to the nature of how these directives operate. proxy_pass focuses on backend routing, while rewrite deals with altering the incoming request URLs presented to the client. Therefore, Kubernetes ensures that the service names resolve appropriately only for the proxy_pass, preserving the integrity of user-facing URLs in rewrite scenarios.

This understanding is crucial for setting up Nginx efficiently in a Kubernetes environment. Being aware of how services are resolved can help in avoiding potential pitfalls while designing your application's routing logic.

With this information, you should now have a clearer picture of why you encounter these differences in DNS resolution between proxy_pass and rewrite directives in Nginx while operating within Kubernetes. Happy coding!