/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
| |
| package dns |
| |
const (
	// KubeDNSDeployment is the kube-dns Deployment manifest for the kube-dns manifest for v1.7+
	//
	// The pod runs three containers: kubedns (serves {{ .DNSDomain }} on port
	// 10053 and reads its configuration from the optional "kube-dns"
	// ConfigMap), dnsmasq (listens on port 53 and forwards {{ .DNSDomain }},
	// in-addr.arpa and ip6.arpa to {{ .DNSBindAddr }}#10053 with a 1000-entry
	// cache) and sidecar (probes both resolvers with SRV lookups and serves
	// /metrics on 10054).
	// Template fields: .DeploymentName, .KubeDNSImage, .DNSMasqImage,
	// .SidecarImage, .DNSDomain, .DNSBindAddr, .DNSProbeAddr, .MasterTaintKey.
	// The pod uses dnsPolicy Default and ServiceAccount "kube-dns"; that
	// ServiceAccount and its RBAC are not defined in this file — presumably
	// created elsewhere, verify against the caller.
	// NOTE(review): none of the three containers sets a securityContext, in
	// contrast to CoreDNSDeployment below (allowPrivilegeEscalation: false,
	// drop all capabilities, readOnlyRootFilesystem). dnsmasq binds port 53,
	// so any hardening here would need to keep NET_BIND_SERVICE — confirm
	// against the images before tightening.
	KubeDNSDeployment = `
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .DeploymentName }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns
spec:
  # replicas: not specified here:
  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
  # 2. Default is 1.
  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
  strategy:
    rollingUpdate:
      maxSurge: 10%
      maxUnavailable: 0
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      volumes:
      - name: kube-dns-config
        configMap:
          name: kube-dns
          optional: true
      containers:
      - name: kubedns
        image: {{ .KubeDNSImage }}
        imagePullPolicy: IfNotPresent
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
          # guaranteed class. Currently, this container falls into the
          # "burstable" category so the kubelet doesn't backoff from restarting it.
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi
        livenessProbe:
          httpGet:
            path: /healthcheck/kubedns
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: 8081
            scheme: HTTP
          # we poll on pod startup for the Kubernetes master service and
          # only setup the /readiness HTTP server once that's available.
          initialDelaySeconds: 3
          timeoutSeconds: 5
        args:
        - --domain={{ .DNSDomain }}.
        - --dns-port=10053
        - --config-dir=/kube-dns-config
        - --v=2
        env:
        - name: PROMETHEUS_PORT
          value: "10055"
        ports:
        - containerPort: 10053
          name: dns-local
          protocol: UDP
        - containerPort: 10053
          name: dns-tcp-local
          protocol: TCP
        - containerPort: 10055
          name: metrics
          protocol: TCP
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
      - name: dnsmasq
        image: {{ .DNSMasqImage }}
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /healthcheck/dnsmasq
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        args:
        - -v=2
        - -logtostderr
        - -configDir=/etc/k8s/dns/dnsmasq-nanny
        - -restartDnsmasq=true
        - --
        - -k
        - --cache-size=1000
        - --no-negcache
        - --dns-loop-detect
        - --log-facility=-
        - --server=/{{ .DNSDomain }}/{{ .DNSBindAddr }}#10053
        - --server=/in-addr.arpa/{{ .DNSBindAddr }}#10053
        - --server=/ip6.arpa/{{ .DNSBindAddr }}#10053
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
        resources:
          requests:
            cpu: 150m
            memory: 20Mi
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      - name: sidecar
        image: {{ .SidecarImage }}
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        args:
        - --v=2
        - --logtostderr
        - --probe=kubedns,{{ .DNSProbeAddr }}:10053,kubernetes.default.svc.{{ .DNSDomain }},5,SRV
        - --probe=dnsmasq,{{ .DNSProbeAddr }}:53,kubernetes.default.svc.{{ .DNSDomain }},5,SRV
        ports:
        - containerPort: 10054
          name: metrics
          protocol: TCP
        resources:
          requests:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default # Don't use cluster DNS.
      serviceAccountName: kube-dns
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - key: {{ .MasterTaintKey }}
        effect: NoSchedule
`

	// KubeDNSService is the kube-dns Service manifest
	//
	// Exposes port 53 UDP and TCP on clusterIP {{ .DNSIP }}. The selector
	// (k8s-app: kube-dns) matches the pod labels of both KubeDNSDeployment and
	// CoreDNSDeployment, so the same Service fronts whichever one is deployed.
	// The prometheus.io/port annotation names CoreDNS's 9153 metrics port;
	// kube-dns serves metrics on 10054/10055 instead. The fixed
	// resourceVersion is explained inline in the YAML.
	KubeDNSService = `
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "KubeDNS"
  name: kube-dns
  namespace: kube-system
  annotations:
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  # Without this resourceVersion value, an update of the Service between versions will yield:
  #   Service "kube-dns" is invalid: metadata.resourceVersion: Invalid value: "": must be specified for an update
  resourceVersion: "0"
spec:
  clusterIP: {{ .DNSIP }}
  ports:
  - name: dns
    port: 53
    protocol: UDP
    targetPort: 53
  - name: dns-tcp
    port: 53
    protocol: TCP
    targetPort: 53
  selector:
    k8s-app: kube-dns
`

	// CoreDNSDeployment is the CoreDNS Deployment manifest
	//
	// Two replicas of a single coredns container running as ServiceAccount
	// "coredns" (see CoreDNSServiceAccount / CoreDNSClusterRoleBinding) with
	// the Corefile from the "coredns" ConfigMap mounted read-only at
	// /etc/coredns. The container is hardened: privilege escalation is
	// disabled, all capabilities are dropped and only NET_BIND_SERVICE is
	// added back so it can bind port 53, and the root filesystem is
	// read-only. Template fields: .DeploymentName, .Image, .MasterTaintKey.
	CoreDNSDeployment = `
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .DeploymentName }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      serviceAccountName: coredns
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - key: {{ .MasterTaintKey }}
        effect: NoSchedule
      containers:
      - name: coredns
        image: {{ .Image }}
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
      - name: config-volume
        configMap:
          name: coredns
          items:
          - key: Corefile
            path: Corefile
`

	// CoreDNSConfigMap is the CoreDNS ConfigMap manifest
	//
	// Holds the Corefile: one server block on port 53 whose kubernetes plugin
	// answers {{ .DNSDomain }} and the reverse zones (falling through for the
	// reverse zones) and whose proxy plugin sends everything else to
	// {{ .UpstreamNameserver }}; metrics are served on :9153.
	// .Federation and .StubDomain are spliced in verbatim right after the
	// closing braces and are presumably rendered with text/template, so
	// nothing is escaped: callers must supply complete, well-formed Corefile
	// fragments (or empty strings).
	// NOTE(review): "pods insecure" is the kube-dns-compatible mode in which
	// pod A records are answered without verifying the pod exists; the
	// stricter option in the kubernetes plugin is "pods verified" — confirm
	// that compatibility is still required before changing it.
	CoreDNSConfigMap = `
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes {{ .DNSDomain }} in-addr.arpa ip6.arpa {
           pods insecure
           upstream
           fallthrough in-addr.arpa ip6.arpa
        }{{ .Federation }}
        prometheus :9153
        proxy . {{ .UpstreamNameserver }}
        cache 30
        loop
        reload
        loadbalance
    }{{ .StubDomain }}
`
	// CoreDNSClusterRole is the CoreDNS ClusterRole manifest
	//
	// Cluster-wide, read-only permissions used by the Corefile's kubernetes
	// plugin: list/watch on endpoints, services, pods and namespaces, plus get
	// on nodes. No write verbs are granted; keep it that way when extending.
	CoreDNSClusterRole = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
`
	// CoreDNSClusterRoleBinding is the CoreDNS Clusterrolebinding manifest
	//
	// Grants CoreDNSClusterRole (system:coredns) to the "coredns"
	// ServiceAccount in kube-system, i.e. the identity CoreDNSDeployment runs as.
	CoreDNSClusterRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
`
	// CoreDNSServiceAccount is the CoreDNS ServiceAccount manifest
	//
	// The "coredns" ServiceAccount in kube-system referenced by
	// CoreDNSDeployment and bound by CoreDNSClusterRoleBinding.
	CoreDNSServiceAccount = `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
`
)