189 lines
6.0 KiB
Markdown
189 lines
6.0 KiB
Markdown
|
# 安装和配置 kubedns 插件
|
|||
|
|
|||
|
官方的yaml文件目录:`kubernetes/cluster/addons/dns`。
|
|||
|
|
|||
|
该插件直接使用kubernetes部署,官方的配置文件中包含以下镜像:
|
|||
|
|
|||
|
gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
|
|||
|
gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
|
|||
|
gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
|
|||
|
我clone了上述镜像,上传到我的私有镜像仓库:
|
|||
|
|
|||
|
```
|
|||
|
sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-dnsmasq-nanny-amd64:1.14.1
|
|||
|
sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-kube-dns-amd64:1.14.1
|
|||
|
sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-sidecar-amd64:1.14.1
|
|||
|
```
|
|||
|
|
|||
|
同时上传了一份到时速云备份:
|
|||
|
|
|||
|
```
|
|||
|
index.tenxcloud.com/jimmy/k8s-dns-dnsmasq-nanny-amd64:1.14.1
|
|||
|
index.tenxcloud.com/jimmy/k8s-dns-kube-dns-amd64:1.14.1
|
|||
|
index.tenxcloud.com/jimmy/k8s-dns-sidecar-amd64:1.14.1
|
|||
|
```
|
|||
|
|
|||
|
以下yaml配置文件中使用的是私有镜像仓库中的镜像。
|
|||
|
|
|||
|
``` bash
|
|||
|
kubedns-cm.yaml
|
|||
|
kubedns-sa.yaml
|
|||
|
kubedns-controller.yaml
|
|||
|
kubedns-svc.yaml
|
|||
|
```
|
|||
|
|
|||
|
已经修改好的 yaml 文件见:[dns](./manifests/kubedns)
|
|||
|
|
|||
|
## 系统预定义的 RoleBinding
|
|||
|
|
|||
|
预定义的 RoleBinding `system:kube-dns` 将 kube-system 命名空间的 `kube-dns` ServiceAccount 与 `system:kube-dns` Role 绑定, 该 Role 具有访问 kube-apiserver DNS 相关 API 的权限;
|
|||
|
|
|||
|
```Bash
|
|||
|
$ kubectl get clusterrolebindings system:kube-dns -o yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
annotations:
|
|||
|
rbac.authorization.kubernetes.io/autoupdate: "true"
|
|||
|
creationTimestamp: 2017-04-11T11:20:42Z
|
|||
|
labels:
|
|||
|
kubernetes.io/bootstrapping: rbac-defaults
|
|||
|
name: system:kube-dns
|
|||
|
resourceVersion: "58"
|
|||
|
selfLink: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindingssystem%3Akube-dns
|
|||
|
uid: e61f4d92-1ea8-11e7-8cd7-f4e9d49f8ed0
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: system:kube-dns
|
|||
|
subjects:
|
|||
|
- kind: ServiceAccount
|
|||
|
name: kube-dns
|
|||
|
namespace: kube-system
|
|||
|
```
|
|||
|
|
|||
|
`kubedns-controller.yaml` 中定义的 Pods 时使用了 `kubedns-sa.yaml` 文件定义的 `kube-dns` ServiceAccount,所以具有访问 kube-apiserver DNS 相关 API 的权限。
|
|||
|
|
|||
|
## 配置 kube-dns ServiceAccount
|
|||
|
|
|||
|
无需修改。
|
|||
|
|
|||
|
## 配置 `kube-dns` 服务
|
|||
|
|
|||
|
``` bash
|
|||
|
$ diff kubedns-svc.yaml.base kubedns-svc.yaml
|
|||
|
30c30
|
|||
|
< clusterIP: __PILLAR__DNS__SERVER__
|
|||
|
---
|
|||
|
> clusterIP: 10.254.0.2
|
|||
|
```
|
|||
|
|
|||
|
+ spec.clusterIP = 10.254.0.2,即明确指定了 kube-dns Service IP,这个 IP 需要和 kubelet 的 `--cluster-dns` 参数值一致;
|
|||
|
|
|||
|
## 配置 `kube-dns` Deployment
|
|||
|
|
|||
|
``` bash
|
|||
|
$ diff kubedns-controller.yaml.base kubedns-controller.yaml
|
|||
|
58c58
|
|||
|
< image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
|
|||
|
---
|
|||
|
> image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-kube-dns-amd64:v1.14.1
|
|||
|
88c88
|
|||
|
< - --domain=__PILLAR__DNS__DOMAIN__.
|
|||
|
---
|
|||
|
> - --domain=cluster.local.
|
|||
|
92c92
|
|||
|
< __PILLAR__FEDERATIONS__DOMAIN__MAP__
|
|||
|
---
|
|||
|
> #__PILLAR__FEDERATIONS__DOMAIN__MAP__
|
|||
|
110c110
|
|||
|
< image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
|
|||
|
---
|
|||
|
> image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-dnsmasq-nanny-amd64:v1.14.1
|
|||
|
129c129
|
|||
|
< - --server=/__PILLAR__DNS__DOMAIN__/127.0.0.1#10053
|
|||
|
---
|
|||
|
> - --server=/cluster.local./127.0.0.1#10053
|
|||
|
148c148
|
|||
|
< image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
|
|||
|
---
|
|||
|
> image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-sidecar-amd64:v1.14.1
|
|||
|
161,162c161,162
|
|||
|
< - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
|
|||
|
< - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
|
|||
|
---
|
|||
|
> - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
|
|||
|
> - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
|
|||
|
```
|
|||
|
|
|||
|
+ 使用系统已经做了 RoleBinding 的 `kube-dns` ServiceAccount,该账户具有访问 kube-apiserver DNS 相关 API 的权限;
|
|||
|
|
|||
|
## 执行所有定义文件
|
|||
|
|
|||
|
``` bash
|
|||
|
$ pwd
|
|||
|
/root/kubedns
|
|||
|
$ ls *.yaml
|
|||
|
kubedns-cm.yaml kubedns-controller.yaml kubedns-sa.yaml kubedns-svc.yaml
|
|||
|
$ kubectl create -f .
|
|||
|
```
|
|||
|
|
|||
|
## 检查 kubedns 功能
|
|||
|
|
|||
|
新建一个 Deployment
|
|||
|
|
|||
|
``` bash
|
|||
|
$ cat my-nginx.yaml
|
|||
|
apiVersion: extensions/v1beta1
|
|||
|
kind: Deployment
|
|||
|
metadata:
|
|||
|
name: my-nginx
|
|||
|
spec:
|
|||
|
replicas: 2
|
|||
|
template:
|
|||
|
metadata:
|
|||
|
labels:
|
|||
|
run: my-nginx
|
|||
|
spec:
|
|||
|
containers:
|
|||
|
- name: my-nginx
|
|||
|
image: sz-pg-oam-docker-hub-001.tendcloud.com/library/nginx:1.9
|
|||
|
ports:
|
|||
|
- containerPort: 80
|
|||
|
$ kubectl create -f my-nginx.yaml
|
|||
|
```
|
|||
|
|
|||
|
Export 该 Deployment, 生成 `my-nginx` 服务
|
|||
|
|
|||
|
``` bash
|
|||
|
$ kubectl expose deploy my-nginx
|
|||
|
$ kubectl get services --all-namespaces |grep my-nginx
|
|||
|
default my-nginx 10.254.179.239 <none> 80/TCP 42m
|
|||
|
```
|
|||
|
|
|||
|
创建另一个 Pod,查看 `/etc/resolv.conf` 是否包含 `kubelet` 配置的 `--cluster-dns` 和 `--cluster-domain`,是否能够将服务 `my-nginx` 解析到 Cluster IP `10.254.179.239`。
|
|||
|
|
|||
|
``` bash
|
|||
|
$ kubectl create -f nginx-pod.yaml
|
|||
|
$ kubectl exec nginx -i -t -- /bin/bash
|
|||
|
root@nginx:/# cat /etc/resolv.conf
|
|||
|
nameserver 10.254.0.2
|
|||
|
search default.svc.cluster.local. svc.cluster.local. cluster.local. tendcloud.com
|
|||
|
options ndots:5
|
|||
|
|
|||
|
root@nginx:/# ping my-nginx
|
|||
|
PING my-nginx.default.svc.cluster.local (10.254.179.239): 56 data bytes
|
|||
|
76 bytes from 119.147.223.109: Destination Net Unreachable
|
|||
|
^C--- my-nginx.default.svc.cluster.local ping statistics ---
|
|||
|
|
|||
|
root@nginx:/# ping kubernetes
|
|||
|
PING kubernetes.default.svc.cluster.local (10.254.0.1): 56 data bytes
|
|||
|
^C--- kubernetes.default.svc.cluster.local ping statistics ---
|
|||
|
11 packets transmitted, 0 packets received, 100% packet loss
|
|||
|
|
|||
|
root@nginx:/# ping kube-dns.kube-system.svc.cluster.local
|
|||
|
PING kube-dns.kube-system.svc.cluster.local (10.254.0.2): 56 data bytes
|
|||
|
^C--- kube-dns.kube-system.svc.cluster.local ping statistics ---
|
|||
|
6 packets transmitted, 0 packets received, 100% packet loss
|
|||
|
```
|
|||
|
从结果来看,service名称可以正常解析。
|