Reassign a namespace from one DNS-controller instance to another#

Introduction#

You can reassign a namespace from one DNS-controller instance to another. The steps you follow depend on whether the source and destination DNS-controller instances are general or realm-specific.

Warning

Reassigning a namespace from one DNS-controller instance to another may cause a temporary service outage.

How to use these instructions#

Choose the appropriate task below.

Reassign a namespace from a general to a realm-specific DNS-controller instance#

  1. Add a realm label to the namespace using the name of the realm:

    $ kubectl label namespace <namespaceName> dnscontroller/realm=<realmName>
    

    Aspen Mesh DNS static entries in the namespace will now be managed by the realm-specific DNS-controller instance, which may use a different Kubernetes DNS server.

  2. Make sure that the on-mesh workloads in the namespace use the same Kubernetes DNS server as the realm-specific DNS-controller instance.

    For example, if you installed a mutating webhook that changes the .spec.dnsConfig.nameservers field for workloads based on a DNS-server label (for example, dns-server=spk), add the DNS-server label to the namespace and restart all pods with sidecars in the namespace:

    $ kubectl label namespace <namespaceName> dns-server=spk
    $ kubectl delete pods --namespace <namespaceName> --selector security.istio.io/tlsMode=istio
    

Reassign a namespace from a realm-specific to a general DNS-controller instance#

  1. Remove the realm label from the namespace:

    $ kubectl label namespace <namespaceName> dnscontroller/realm-
    

    Aspen Mesh DNS static entries in the namespace will now be managed by the general DNS-controller instance, which may use a different Kubernetes DNS server.

  2. Make sure that the on-mesh workloads in the namespace use the same Kubernetes DNS server as the general DNS-controller instance.

    For example, if you installed a mutating webhook that changes the .spec.dnsConfig.nameservers field for workloads based on a DNS-server label (for example, dns-server=spk), and the namespace has a DNS-server label, remove the DNS-server label from the namespace and restart all pods with sidecars in the namespace:

    $ kubectl label namespace <namespaceName> dns-server-
    $ kubectl delete pods --namespace <namespaceName> --selector security.istio.io/tlsMode=istio
    

Reassign a namespace from a realm-specific to a realm-specific DNS-controller instance#

  1. Change the realm label for the namespace using the name of the new realm:

    $ kubectl label namespace <namespaceName> dnscontroller/realm=<realmName>
    

    Aspen Mesh DNS static entries in the namespace will now be managed by the new realm-specific DNS-controller instance, which may use a different Kubernetes DNS server.

  2. Make sure that the on-mesh workloads in the namespace use the same Kubernetes DNS server as the new realm-specific DNS-controller instance.

    For example, if you installed a mutating webhook that changes the .spec.dnsConfig.nameservers field for workloads based on a DNS-server label (for example, dns-server=spk), change the DNS-server label on the namespace and restart all pods with sidecars in the namespace:

    $ kubectl label namespace <namespaceName> dns-server=alt
    $ kubectl delete pods --namespace <namespaceName> --selector security.istio.io/tlsMode=istio