Kubernetes 部署集群内部DNS服务

部署官网：https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns/coredns

为服务提供名称域名的访问。

- DNS服务监视Kubernetes API，为每一个Service创建DNS记录用于域名解析。
- ClusterIP A记录格式：<service-name>.<namespace-name>.svc.cluster.local
示例：my-svc.my-namespace.svc.cluster.local

coredns

1、创建dns Yaml配置文件

apiVersion: v1

kind: ServiceAccount

metadata:

  name: coredns

  namespace: kube-system

  labels:

      kubernetes.io/cluster-service: "true"

      addonmanager.kubernetes.io/mode: Reconcile

---

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRole

metadata:

  labels:

    kubernetes.io/bootstrapping: rbac-defaults

    addonmanager.kubernetes.io/mode: Reconcile

  name: system:coredns

rules:

- apiGroups:

  - ""

  resources:

  - endpoints

  - services

  - pods

  - namespaces

  verbs:

  - list

  - watch

- apiGroups:

  - ""

  resources:

  - nodes

  verbs:

  - get

---

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

  annotations:

    rbac.authorization.kubernetes.io/autoupdate: "true"

  labels:

    kubernetes.io/bootstrapping: rbac-defaults

    addonmanager.kubernetes.io/mode: EnsureExists

  name: system:coredns

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: system:coredns

subjects:

- kind: ServiceAccount

  name: coredns

  namespace: kube-system

---

apiVersion: v1

kind: ConfigMap

metadata:

  name: coredns

  namespace: kube-system

  labels:

      addonmanager.kubernetes.io/mode: EnsureExists

data:

  Corefile: |

    .:53 {

        errors

        health

        # 更改dns域

        kubernetes cluster.local in-addr.arpa ip6.arpa {

            pods insecure

            upstream

        }

        cache 30

        loop

        reload

        loadbalance

    }

---

apiVersion: apps/v1

kind: Deployment

metadata:

  name: coredns

  namespace: kube-system

  labels:

    k8s-app: kube-dns

    kubernetes.io/cluster-service: "true"

    addonmanager.kubernetes.io/mode: Reconcile

    kubernetes.io/name: "CoreDNS"

spec:

  # replicas: not specified here:

  # 2. Default is 1.

  strategy:

    type: RollingUpdate

    rollingUpdate:

      maxUnavailable: 1

  selector:

    matchLabels:

      k8s-app: kube-dns

  template:

    metadata:

      labels:

        k8s-app: kube-dns

      annotations:

        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'

    spec:

      priorityClassName: system-cluster-critical

      serviceAccountName: coredns

      tolerations:

        - key: "CriticalAddonsOnly"

          operator: "Exists"

      nodeSelector:

        beta.kubernetes.io/os: linux

      containers:

      - name: coredns

        # 更改DNS地址

        image: coredns/coredns:1.2.6

        imagePullPolicy: IfNotPresent

        resources:

          limits:

            # 内存自定义

            memory: 170Mi

          requests:

            cpu: 100m

            memory: 70Mi

        args: [ "-conf", "/etc/coredns/Corefile" ]

        volumeMounts:

        - name: config-volume

          mountPath: /etc/coredns

          readOnly: true

        ports:

        - containerPort: 53

          name: dns

          protocol: UDP

        - containerPort: 53

          name: dns-tcp

          protocol: TCP

        - containerPort: 9153

          name: metrics

          protocol: TCP

        livenessProbe:

          httpGet:

            path: /health

            port: 8080

            scheme: HTTP

          initialDelaySeconds: 60

          timeoutSeconds: 5

          successThreshold: 1

          failureThreshold: 5

        readinessProbe:

          httpGet:

            path: /health

            port: 8080

            scheme: HTTP

        securityContext:

          allowPrivilegeEscalation: false

          capabilities:

            add:

            - NET_BIND_SERVICE

            drop:

            - all

          readOnlyRootFilesystem: true

      dnsPolicy: Default

      volumes:

        - name: config-volume

          configMap:

            name: coredns

            items:

            - key: Corefile

              path: Corefile

---

apiVersion: v1

kind: Service

metadata:

  name: kube-dns

  namespace: kube-system

  annotations:

    prometheus.io/port: ""

    prometheus.io/scrape: "true"

  labels:

    k8s-app: kube-dns

    kubernetes.io/cluster-service: "true"

    addonmanager.kubernetes.io/mode: Reconcile

    kubernetes.io/name: "CoreDNS"

spec:

  selector:

    k8s-app: kube-dns

  # 更改为kube配置的DNS地址

  clusterIP: 10.0.0.2

  ports:

  - name: dns

    port: 53

    protocol: UDP

  - name: dns-tcp

    port: 53

    protocol: TCP

  - name: metrics

    port: 9153

    protocol: TCP

vim coredns.yaml

2、执行命令创建dns

kubectl apply -f coredns.yaml

3、查看pod状态

NAME READY STATUS RESTARTS AGE

coredns-6765c879f8-lwtwt 1/1 Running 0 25s

kubectl get pods -n kube-system

4、测试dns是否正常
4.1 启用一个临时容器

kubectl run -it --image=busybox:1.28.4 --rm --restart=Never sh

4.2 进入容器并进行解析

/ # nslookup kubernetes

/ # nslookup kubernetes

Server: 10.0.0.2

Address 1: 10.0.0.2 kube-dns.kube-system.svc.cluster.local

4.3 创建另一个容器测试

kubectl run -it --image=busybox:1.28.4 --rm --restart=Never sh -n kube-system

/ # nslookup my-service.default

Server: 10.0.0.2

Address 1: 10.0.0.2 kube-dns.kube-system.svc.cluster.local

Name: my-service.default

Address 1: 10.0.0.123 my-service.default.svc.cluster.local

查看已有解析service

kubectl get ep

NAME ENDPOINTS AGE

kubernetes 192.168.1.108:6443,192.168.1.109:6443 3d

my-service <none> 7h54m

nginx-service 172.17.1.2:80,172.17.1.3:80,172.17.1.6:80 2d4h

nginx-service2 <none> 25h

# 注意事项
注：在api的service证书签发内留下dns的ip地址
# 报错：Failed to list *v1.Namespace: Get https://10.0.0.1:443/api/v1/namespaces?limit=500&resourceVersion=0: dial tcp 10.0.0.1:443: i/o timeout
解决方案：重启Node上的kube-proxy、重新创建coredns。