15. Coredns
#这原先使用的一个v1.24.3的源码包 里面有提供对应的YAML修改之后即可使用
root@deploy-harbor:~/nginx-tomcat-case# cp ../kubernetes-v1.24.3/kubernetes/cluster/addons/dns/coredns/coredns.yaml.base .
#查看以下coredns的地址 好填写到配置文件中
root@deploy-harbor:~# kubectl get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 2d21h
linux60 linux60-tomcat-app1-service NodePort 10.100.31.84 <none> 80:30005/TCP 10m
myserver kube-dns ClusterIP 10.100.0.2 <none> 53/UDP,53/TCP,9153/TCP 6m49s
myserver linux70-nginx-service NodePort 10.100.142.118 <none> 80:30004/TCP,443:30443/TCP 10m
15.1 更改后的calico配置文件
#先打标签上传一下
docker tag easzlab.io.local:5000/coredns/coredns:1.9.3 harbor.nbrhce.com/baseimages/coredns:1.9.3
docker push harbor.nbrhce.com/baseimages/coredns:1.9.3
root@deploy-harbor:~/nginx-tomcat-case# cat coredns-1.9.3.yaml
# __MACHINE_GENERATED_WARNING__
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: myserver
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: myserver
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: myserver
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
#这里的大写换成你ansible里hosts文件的 DO MAIN 所写的 内容 我这里写的是cluster.local
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: myserver
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
# replicas: not specified here:
# 1. In order to make Addon Manager do not reconcile this replicas parameter.
# 2. Default is 1.
# 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: kube-dns
template:
metadata:
labels:
k8s-app: kube-dns
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical
serviceAccountName: coredns
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: k8s-app
operator: In
values: ["kube-dns"]
topologyKey: kubernetes.io/hostname
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
nodeSelector:
kubernetes.io/os: linux
containers:
- name: coredns
image: harbor.nbrhce.com/baseimages/coredns:1.9.3
imagePullPolicy: IfNotPresent
resources:
limits:
#真正生产4G
#cpu 2核
memory: 256Mi
cpu: 200m
requests:
cpu: 100m
memory: 70Mi
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /ready
port: 8181
scheme: HTTP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: myserver
annotations:
prometheus.io/port: "9153"
prometheus.io/scrape: "true"
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: kube-dns
#这里设置一下kube-coredns的IP地址 他是集群中的第二个svc的地址
clusterIP: 10.100.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
- name: metrics
port: 9153
protocol: TCP
root@deploy-harbor:~# kubectl exec -it -n myserver net-test1 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@net-test1 /]# cat /etc/resolv.conf
search myserver.svc.cluster.local svc.cluster.local cluster.local mydomain otherdomain
nameserver 10.100.0.2
options ndots:5
[root@net-test1 /]# ping www.baidu.com
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=127 time=11.6 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=2 ttl=127 time=11.6 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=3 ttl=127 time=11.7 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=4 ttl=127 time=11.7 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=5 ttl=127 time=11.7 ms
15.2 CoreDNS-Plugin
#在coredns配置文件中一些输出的信息
root@deploy-harbor:~/nginx-tomcat-case# vim coredns-1.9.3.yaml
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
}
errors: 错误信息标准输出
health:在CoreDNS的 http://localhost:8080/health 端口提供CoreDNS服务的健康报告
ready:监听8181端口,当coredns的插件都已就绪时,访问该接口会返回200OK
kubernetes: CoreDNS将基于kubernetes service name进行DNS查询并返回查询记录给客户端
prometheus: CoreDNS的度量指标数据以Prometheus的key-value的格式在http://localhost:9153/metrics URI上提供
forward:不是Kubernetes集群内的其它任何域名查询都将转发到预定义的目的server,如(/etc/resolv.conf或IP(如8.8.8.8))
cache:启用service解析缓存单位为秒
loop:检测域名解析是否有死循环,如coredns转发给内网DNS服务器,而内网DNS服务器又转发给coredns,如果发现解析时死循环,则强制中止CoreDNS进程(Kubernetes会重建)
reload:检测corefile是否更改,在重新编辑configmap配置后,默认2分钟后会优雅的自动加载
loadbalance: 轮询DNS域名解析,如果一个域名存在多个记录则轮询解析
15.3 kube-coredns解析流程
#api-server是集群中第一个svc
#kube-coredns是集群中第二个svc
root@deploy-harbor:~# kubectl get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 3d
myserver kube-dns ClusterIP 10.100.0.2 <none> 53/UDP,53/TCP,9153/TCP 3h36m