• 安装kubedns插件
    • 系统预定义的 RoleBinding
    • 配置 kube-dns ServiceAccount
    • 配置 kube-dns 服务
    • 配置 kube-dns Deployment
    • 执行所有定义文件
    • 检查 kubedns 功能

    安装kubedns插件

    官方的yaml文件目录:kubernetes/cluster/addons/dns

    该插件直接使用kubernetes部署,官方的配置文件中包含以下镜像:

    1. gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
    2. gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
    3. gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1

    我clone了上述镜像,上传到我的私有镜像仓库:

    1. sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-dnsmasq-nanny-amd64:1.14.1
    2. sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-kube-dns-amd64:1.14.1
    3. sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-sidecar-amd64:1.14.1

    同时上传了一份到时速云备份:

    1. index.tenxcloud.com/jimmy/k8s-dns-dnsmasq-nanny-amd64:1.14.1
    2. index.tenxcloud.com/jimmy/k8s-dns-kube-dns-amd64:1.14.1
    3. index.tenxcloud.com/jimmy/k8s-dns-sidecar-amd64:1.14.1

    以下yaml配置文件中使用的是私有镜像仓库中的镜像。

    1. kubedns-cm.yaml
    2. kubedns-sa.yaml
    3. kubedns-controller.yaml
    4. kubedns-svc.yaml

    已经修改好的 yaml 文件见:../manifests/kubedns

    系统预定义的 RoleBinding

    预定义的 RoleBinding system:kube-dns 将 kube-system 命名空间的 kube-dns ServiceAccount 与 system:kube-dns Role 绑定, 该 Role 具有访问 kube-apiserver DNS 相关 API 的权限;

    1. $ kubectl get clusterrolebindings system:kube-dns -o yaml
    2. apiVersion: rbac.authorization.k8s.io/v1beta1
    3. kind: ClusterRoleBinding
    4. metadata:
    5. annotations:
    6. rbac.authorization.kubernetes.io/autoupdate: "true"
    7. creationTimestamp: 2017-04-11T11:20:42Z
    8. labels:
    9. kubernetes.io/bootstrapping: rbac-defaults
    10. name: system:kube-dns
    11. resourceVersion: "58"
    12. selfLink: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindingssystem%3Akube-dns
    13. uid: e61f4d92-1ea8-11e7-8cd7-f4e9d49f8ed0
    14. roleRef:
    15. apiGroup: rbac.authorization.k8s.io
    16. kind: ClusterRole
    17. name: system:kube-dns
    18. subjects:
    19. - kind: ServiceAccount
    20. name: kube-dns
    21. namespace: kube-system

    kubedns-controller.yaml 中定义的 Pods 时使用了 kubedns-sa.yaml 文件定义的 kube-dns ServiceAccount,所以具有访问 kube-apiserver DNS 相关 API 的权限。

    配置 kube-dns ServiceAccount

    无需修改。

    配置 kube-dns 服务

    1. $ diff kubedns-svc.yaml.base kubedns-svc.yaml
    2. 30c30
    3. < clusterIP: __PILLAR__DNS__SERVER__
    4. ---
    5. > clusterIP: 10.254.0.2
    • spec.clusterIP = 10.254.0.2,即明确指定了 kube-dns Service IP,这个 IP 需要和 kubelet 的 --cluster-dns 参数值一致;

    配置 kube-dns Deployment

    1. $ diff kubedns-controller.yaml.base kubedns-controller.yaml
    2. 58c58
    3. < image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
    4. ---
    5. > image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-kube-dns-amd64:v1.14.1
    6. 88c88
    7. < - --domain=__PILLAR__DNS__DOMAIN__.
    8. ---
    9. > - --domain=cluster.local.
    10. 92c92
    11. < __PILLAR__FEDERATIONS__DOMAIN__MAP__
    12. ---
    13. > #__PILLAR__FEDERATIONS__DOMAIN__MAP__
    14. 110c110
    15. < image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
    16. ---
    17. > image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-dnsmasq-nanny-amd64:v1.14.1
    18. 129c129
    19. < - --server=/__PILLAR__DNS__DOMAIN__/127.0.0.1#10053
    20. ---
    21. > - --server=/cluster.local./127.0.0.1#10053
    22. 148c148
    23. < image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
    24. ---
    25. > image: sz-pg-oam-docker-hub-001.tendcloud.com/library/k8s-dns-sidecar-amd64:v1.14.1
    26. 161,162c161,162
    27. < - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
    28. < - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.__PILLAR__DNS__DOMAIN__,5,A
    29. ---
    30. > - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
    31. > - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
    • 使用系统已经做了 RoleBinding 的 kube-dns ServiceAccount,该账户具有访问 kube-apiserver DNS 相关 API 的权限;

    执行所有定义文件

    1. $ pwd
    2. /root/kubedns
    3. $ ls *.yaml
    4. kubedns-cm.yaml kubedns-controller.yaml kubedns-sa.yaml kubedns-svc.yaml
    5. $ kubectl create -f .

    检查 kubedns 功能

    新建一个 Deployment

    1. $ cat my-nginx.yaml
    2. apiVersion: extensions/v1beta1
    3. kind: Deployment
    4. metadata:
    5. name: my-nginx
    6. spec:
    7. replicas: 2
    8. template:
    9. metadata:
    10. labels:
    11. run: my-nginx
    12. spec:
    13. containers:
    14. - name: my-nginx
    15. image: sz-pg-oam-docker-hub-001.tendcloud.com/library/nginx:1.9
    16. ports:
    17. - containerPort: 80
    18. $ kubectl create -f my-nginx.yaml

    Export 该 Deployment, 生成 my-nginx 服务

    1. $ kubectl expose deploy my-nginx
    2. $ kubectl get services --all-namespaces |grep my-nginx
    3. default my-nginx 10.254.179.239 <none> 80/TCP 42m

    创建另一个 Pod,查看 /etc/resolv.conf 是否包含 kubelet 配置的 --cluster-dns--cluster-domain,是否能够将服务 my-nginx 解析到 Cluster IP 10.254.179.239

    1. $ kubectl create -f nginx-pod.yaml
    2. $ kubectl exec nginx -i -t -- /bin/bash
    3. root@nginx:/# cat /etc/resolv.conf
    4. nameserver 10.254.0.2
    5. search default.svc.cluster.local. svc.cluster.local. cluster.local. tendcloud.com
    6. options ndots:5
    7. root@nginx:/# ping my-nginx
    8. PING my-nginx.default.svc.cluster.local (10.254.179.239): 56 data bytes
    9. 76 bytes from 119.147.223.109: Destination Net Unreachable
    10. ^C--- my-nginx.default.svc.cluster.local ping statistics ---
    11. root@nginx:/# ping kubernetes
    12. PING kubernetes.default.svc.cluster.local (10.254.0.1): 56 data bytes
    13. ^C--- kubernetes.default.svc.cluster.local ping statistics ---
    14. 11 packets transmitted, 0 packets received, 100% packet loss
    15. root@nginx:/# ping kube-dns.kube-system.svc.cluster.local
    16. PING kube-dns.kube-system.svc.cluster.local (10.254.0.2): 56 data bytes
    17. ^C--- kube-dns.kube-system.svc.cluster.local ping statistics ---
    18. 6 packets transmitted, 0 packets received, 100% packet loss

    从结果来看,service名称可以正常解析。

    注意:直接ping ClusterIP是ping不通的,ClusterIP是根据IPtables路由到服务的endpoint上,只有结合ClusterIP加端口才能访问到对应的服务。