一、下载配置文件和镜像
官方镜像
docker pull k8s.gcr.io/coredns:1.3.1
其中提到了设置上游地址的方式,与配置方式,但是不够具体,有坑。
需要注意的是所有的coredns的配置目前均是通过corefile的来进行配置的,coredns提供了丰富的插件机制来进行dns的额外工作。关于coredns的插件实现与原理:
https://zhengyinyong.com/coredns-plugin-system-implementation.html
二、需求分析
- 正常访问公网域名
- 正常访问内网域名
- 在没有内网DNS系统的情况下,自建DNS数据库,实现内网域名解析
针对以上需求完成以下步骤:
- 默认安装coredns
将coredns模板文件中的”REVERSE_CIDRS”、”CLUSTER_DNS_IP”、”CLUSTER_DOMAIN”替换成当前的集群配置部署即可。
### set_coredns_param.sh
#!/bin/bash
basedir=$(cd `dirname $0`;pwd)
REVERSE_CIDRS="10.254.0.0/16" ## 配置 kubernetes svc 网段
CLUSTER_DNS_IP="10.254.0.2" ## 配置 kubernetes DNS IP
CLUSTER_DOMAIN="cluster.local" ## 配置 kubernetes 的域名
YAML_TEMPLATE=$basedir/coredns.yaml.sed ## coredns 的模板yaml文件
# function
function create_coredns_yaml(){
local TEMPLATE=$basedir/coredns.yaml.simple
local YAML=$basedir/coredns.yaml
cat $YAML_TEMPLATE > $TEMPLATE
sed -e s/CLUSTER_DNS_IP/$CLUSTER_DNS_IP/g -e s/CLUSTER_DOMAIN/$CLUSTER_DOMAIN/g -e "s?REVERSE_CIDRS?$REVERSE_CIDRS?g" $TEMPLATE > $YAML
}
create_coredns_yaml
- 配置内网转发
配置coredns的”forward”功能,”forward”功能数据coredns的插件功能。
其中配置方式为:
编辑官方配置文件当中”ConfigMap”字段,将coredns需要默认读取的”Corefile”修改为如下形式:
...
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . 10.212.132.65 114.114.114.114
cache 30
loop
reload
loadbalance
log
}
---
...
- 在集群内部配置一个dns的db文件,该文件与BIND的DNS服务标准一样,配置示例如下:
$ORIGIN example01.org.
@ 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
2017042745 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
3600 IN NS a.iana-servers.net.
3600 IN NS b.iana-servers.net.
www IN A 2.2.2.188
IN AAAA ::1
为了让coredns使用该文件,需要将配置文件创建为集群的configmap
kubectl create configmap sub-domain -n kube-system --from-file=/root/kubedeploy/coredns/subdomain/
编辑coredns.yaml文件
# Warning: This is a file generated from the base underscore template file: __SOURCE_FILENAME__
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . 10.212.132.65 8.8.8.8
cache 30
loop
reload
loadbalance
log
}
# 此处添加有关需要进行解析的域名的前缀
example01.org {
file /sub_dom/db.example01.org
log
}
example02.org {
file /sub_dom/db.example02.org
log
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
# replicas: not specified here:
# 1. In order to make Addon Manager do not reconcile this replicas parameter.
# 2. Default is 1.
# 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: kube-dns
template:
metadata:
labels:
k8s-app: kube-dns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- name: coredns
image: k8s.gcr.io/coredns:1.3.1
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2000m
memory: 512Mi
requests:
cpu: 1000m
memory: 500Mi
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
# 此处添加名为"sub-domian"的configmap,并且将该configmap挂载至/sub_dom上。
- name: sub-domain
mountPath: /sub_dom
readOnly: true
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
#该位置的key为挂载的文件名,而path则为改configmap当中的文件名。(建议名称写成一样即可)
- name: sub-domain
configMap:
name: sub-domain
items:
- key: db.example01.org
path: db.example01.org
- key: db.example02.org
path: db.example02.org
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
annotations:
prometheus.io/port: "9153"
prometheus.io/scrape: "true"
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: kube-dns
clusterIP: 10.254.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
- name: metrics
port: 9153
protocol: TCP
