From 1e3a88d4941bcf3e8bbec78715021e6eafab300e Mon Sep 17 00:00:00 2001 From: gjmzj Date: Thu, 29 Mar 2018 16:27:26 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E5=AE=89=E8=A3=85coredns?= =?UTF-8?q?=E7=9A=84yaml=E9=85=8D=E7=BD=AE=E5=92=8C=E8=AF=B4=E6=98=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/guide/kubedns.md | 27 ++--- manifests/coredns/coredns.yaml | 160 +++++++++++++++++++++++++ roles/deploy/tasks/main.yml | 3 + roles/deploy/templates/coredns.yaml.j2 | 160 +++++++++++++++++++++++++ roles/prepare/tasks/main.yml | 10 +- 5 files changed, 341 insertions(+), 19 deletions(-) create mode 100644 manifests/coredns/coredns.yaml create mode 100644 roles/deploy/templates/coredns.yaml.j2 diff --git a/docs/guide/kubedns.md b/docs/guide/kubedns.md index 180f94c..2508089 100644 --- a/docs/guide/kubedns.md +++ b/docs/guide/kubedns.md 
@@ -1,25 +1,24 @@ -## 部署 kubedns +## 部署集群 DNS -kubedns 是 k8s 集群首先需要部署的,集群中的其他 pods 使用它提供域名解析服务;主要可以解析 `集群服务名` 和 `Pod hostname`; +DNS 是 k8s 集群首先需要部署的,集群中的其他 pods 使用它提供域名解析服务;主要可以解析 `集群服务名 SVC` 和 `Pod hostname`;目前 k8s v1.9+ 版本可以有两个选择:`kube-dns` 和 `coredns`,可以选择其中一个部署安装。 -配置文件参考 `https://github.com/kubernetes/kubernetes` 项目目录 `kubernetes/cluster/addons/dns` +### 部署 dns -更新 `kube-dns to 1.14.8`,如果集群中已经运行kubedns插件,请使用`RollingUpdate`如下: +配置文件参考 `https://github.com/kubernetes/kubernetes` 项目目录 `kubernetes/cluster/addons/dns` -``` -kubectl set image -n kube-system deploy/kube-dns kubedns=mirrorgooglecontainers/k8s-dns-kube-dns-amd64:1.14.8 -kubectl set image -n kube-system deploy/kube-dns dnsmasq=mirrorgooglecontainers/k8s-dns-dnsmasq-nanny-amd64:1.14.8 -kubectl set image -n kube-system deploy/kube-dns sidecar=mirrorgooglecontainers/k8s-dns-sidecar-amd64:1.14.8 ++ 安装 + +``` bash +# 安装 kube-dns +$ kubectl create -f /etc/ansible/manifests/kubedns + +# 或者选择安装 coredns +$ kubectl create -f /etc/ansible/manifests/coredns ``` -### 安装 - -**kubectl create -f /etc/ansible/manifests/kubedns/[kubedns.yaml](../../manifests/kubedns/kubedns.yaml)** - -+ 注意deploy中使用的 serviceAccount `kube-dns`,该预定义的 ClusterRoleBinding system:kube-dns 将 kube-system 命名空间的 kube-dns ServiceAccount 与 system:kube-dns ClusterRole 绑定, 因此POD 具有访问 kube-apiserver DNS 相关 API 的权限; + 集群 pod默认继承 node的dns 解析,修改 kubelet服务启动参数 --resolv-conf="",可以更改这个特性,详见 kubelet 启动参数 -### 验证 kubedns +### 验证 dns服务 新建一个测试nginx服务 diff --git a/manifests/coredns/coredns.yaml b/manifests/coredns/coredns.yaml new file mode 100644 index 0000000..78dec76 --- /dev/null +++ b/manifests/coredns/coredns.yaml 
@@ -0,0 +1,160 @@
+# __MACHINE_GENERATED_WARNING__
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: system:coredns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: EnsureExists
+ name: system:coredns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:coredns
+subjects:
+- kind: ServiceAccount
+ name: coredns
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health
+ kubernetes cluster.local. in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ }
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ k8s-app: coredns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ replicas: 2
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ k8s-app: coredns
+ template:
+ metadata:
+ labels:
+ k8s-app: coredns
+ spec:
+ serviceAccountName: coredns
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ containers:
+ - name: coredns
+ image: coredns/coredns:1.0.6
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ memory: 170Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ args: [ "-conf", "/etc/coredns/Corefile" ]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/coredns
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ dnsPolicy: Default
+ volumes:
+ - name: config-volume
+ configMap:
+ name: coredns
+ items:
+ - key: Corefile
+ path: Corefile
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ k8s-app: coredns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ selector:
+ k8s-app: coredns
+ clusterIP: 10.68.0.2
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
index 854f719..d102d26 100644
--- a/roles/deploy/tasks/main.yml
+++ b/roles/deploy/tasks/main.yml
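Review bot: The Corefile's `pods insecure` makes the kubernetes plugin answer `<ip>.<namespace>.pod.cluster.local` A queries with the IP copied from the query name without checking that such a pod exists; CoreDNS documents this mode as a kube-dns compatibility setting that is open to abuse together with wildcard TLS certificates, and since the ClusterRole above already grants list/watch on pods, switching to `pods verified` (or `pods disabled` if pod-IP names are not needed) requires no RBAC change, at the cost of the plugin keeping a pod watch. The container also has no `securityContext`; CoreDNS only needs to bind :53 and read the mounted ConfigMap, so the hardening below (drop all capabilities except NET_BIND_SERVICE, no privilege escalation, read-only root filesystem) is the usual addition. Both points apply equally to roles/deploy/templates/coredns.yaml.j2 further down in this commit. Leaving `# __MACHINE_GENERATED_WARNING__` as the first line is misleading for a file that is rendered by the deploy role; replace it with a comment naming the template it comes from, e.g. `# rendered from roles/deploy/templates/coredns.yaml.j2 — do not edit by hand`.
```yaml
      - name: coredns
        image: coredns/coredns:1.0.6
        imagePullPolicy: IfNotPresent
        # … unchanged: resources, args, volumeMounts, ports, livenessProbe …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
              - NET_BIND_SERVICE
            drop:
              - all
          readOnlyRootFilesystem: true
```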
@@ -121,3 +121,6 @@ - name: 准备 kubedns的部署文件 kubedns.yaml template: src=kubedns.yaml.j2 dest={{ base_dir }}/manifests/kubedns/kubedns.yaml +# coredns.yaml文件中部分参数根据hosts文件设置而定,因此需要用template模块替换参数 +- name: 准备 coredns的部署文件 coredns.yaml + template: src=coredns.yaml.j2 dest={{ base_dir }}/manifests/coredns/coredns.yaml diff --git a/roles/deploy/templates/coredns.yaml.j2 b/roles/deploy/templates/coredns.yaml.j2 new file mode 100644 index 0000000..96238b3 --- /dev/null +++ b/roles/deploy/templates/coredns.yaml.j2 
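Review bot: The new template task renders to `{{ base_dir }}/manifests/coredns/coredns.yaml`, and this same commit also adds manifests/coredns/coredns.yaml as a tracked file with `cluster.local.` and `10.68.0.2` baked in; if `base_dir` points at the checkout, as the kubedns task on the line above suggests, every run overwrites the tracked copy and the two will drift. Either drop the committed copy or add the rendered path to .gitignore, and extend the comment above the task to name the inputs it depends on: `# 渲染变量: CLUSTER_DNS_DOMAIN, CLUSTER_DNS_SVC_IP (hosts 文件中定义)`.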
@@ -0,0 +1,160 @@
+# __MACHINE_GENERATED_WARNING__
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: system:coredns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: EnsureExists
+ name: system:coredns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:coredns
+subjects:
+- kind: ServiceAccount
+ name: coredns
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health
+ kubernetes {{ CLUSTER_DNS_DOMAIN }} in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ }
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ k8s-app: coredns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ replicas: 2
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ k8s-app: coredns
+ template:
+ metadata:
+ labels:
+ k8s-app: coredns
+ spec:
+ serviceAccountName: coredns
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ containers:
+ - name: coredns
+ image: coredns/coredns:1.0.6
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ memory: 170Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ args: [ "-conf", "/etc/coredns/Corefile" ]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/coredns
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ dnsPolicy: Default
+ volumes:
+ - name: config-volume
+ configMap:
+ name: coredns
+ items:
+ - key: Corefile
+ path: Corefile
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ k8s-app: coredns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ selector:
+ k8s-app: coredns
+ clusterIP: {{ CLUSTER_DNS_SVC_IP }}
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
diff --git a/roles/prepare/tasks/main.yml b/roles/prepare/tasks/main.yml
index 94f55a7..26cad3d 100644
--- a/roles/prepare/tasks/main.yml
+++ b/roles/prepare/tasks/main.yml
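Review bot: `clusterIP: {{ CLUSTER_DNS_SVC_IP }}` near the end of the Service is a bare Jinja expansion used as a plain YAML scalar, while the label values in the same file are quoted; a dotted IPv4 parses fine unquoted, but quoting the templated value, `clusterIP: "{{ CLUSTER_DNS_SVC_IP }}"`, keeps the rendered manifest unambiguous to the YAML loader whatever the hosts file supplies. The `{{ CLUSTER_DNS_DOMAIN }}` inside the `Corefile: |` block needs no quoting, since it sits in a literal block scalar.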
@@ -49,8 +49,8 @@ when: ansible_distribution == "Ubuntu" apt: name={{ item }} state=latest with_items: - - jq # 轻量JSON处理程序,安装docker查询镜像需要 - - nfs-common # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要) + - jq # 轻量JSON处理程序,安装docker查询镜像需要 + - nfs-common # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要) - block: - name: 删除centos默认安装 @@ -62,9 +62,9 @@ - name: 安装基础软件包 yum: name={{ item }} state=latest with_items: - - jq # 轻量JSON处理程序,安装docker查询镜像需要 - - psmisc # 安装psmisc 才能使用命令killall,它在keepalive的监测脚本中使用到 - - nfs-utils # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要) + - jq # 轻量JSON处理程序,安装docker查询镜像需要 + - psmisc # 安装psmisc 才能使用命令killall,它在keepalive的监测脚本中使用到 + - nfs-utils # 挂载nfs 共享文件需要 (创建基于 nfs的PV 需要) - net-tools - bash-completion - name: 临时关闭 selinux