diff --git a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml new file mode 100644 index 00000000000..fdf0f421eac --- /dev/null +++ b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml 
@@ -0,0 +1,144 @@ +# Copyright 2018 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-local-dns + namespace: kube-system + labels: + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: node-local-dns + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: EnsureExists +data: + Corefile: | + __PILLAR__DNS__DOMAIN__:53 { + errors + cache 30 + reload + loop + bind __PILLAR__LOCAL__DNS__ + forward . __PILLAR__DNS__SERVER__ { + force_tcp + } + prometheus :9253 + health __PILLAR__LOCAL__DNS__:8080 + } + in-addr.arpa:53 { + errors + cache 30 + reload + loop + bind __PILLAR__LOCAL__DNS__ + forward . __PILLAR__DNS__SERVER__ { + force_tcp + } + prometheus :9253 + } + ip6.arpa:53 { + errors + cache 30 + reload + loop + bind __PILLAR__LOCAL__DNS__ + forward . __PILLAR__DNS__SERVER__ { + force_tcp + } + prometheus :9253 + } + .:53 { + errors + cache 30 + reload + loop + bind __PILLAR__LOCAL__DNS__ + forward . 
/etc/resolv.conf { + force_tcp + } + prometheus :9253 + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: node-local-dns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile +spec: + selector: + matchLabels: + k8s-app: node-local-dns + template: + metadata: + labels: + k8s-app: node-local-dns + spec: + priorityClassName: system-node-critical + serviceAccountName: node-local-dns + hostNetwork: true + dnsPolicy: Default # Don't use cluster DNS. + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + - name: node-cache + image: k8s.gcr.io/k8s-dns-node-cache:1.15.0 + resources: + limits: + memory: 30Mi + requests: + cpu: 25m + memory: 5Mi + args: [ "-localip", "__PILLAR__LOCAL__DNS__", "-conf", "/etc/coredns/Corefile" ] + securityContext: + privileged: true + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9253 + name: metrics + protocol: TCP + livenessProbe: + httpGet: + host: __PILLAR__LOCAL__DNS__ + path: /health + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + volumes: + - name: config-volume + configMap: + name: node-local-dns + items: + - key: Corefile + path: Corefile diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index cadaafc0dd0..7a2298c7cb7 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh @@ -198,6 +198,9 @@ if [[ ${ENABLE_NETD:-} == "true" ]]; then NON_MASTER_NODE_LABELS="${NON_MASTER_NODE_LABELS:+${NON_MASTER_NODE_LABELS},}cloud.google.com/gke-netd-ready=true" fi +ENABLE_NODELOCAL_DNS="${KUBE_ENABLE_NODELOCAL_DNS:-false}" +LOCAL_DNS_IP="${KUBE_LOCAL_DNS_IP:-169.254.20.10}" + # Enable metadata concealment by firewalling pod traffic to the metadata server # and run a proxy daemonset on nodes. # 
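Review bot: The `node-cache` container runs `privileged: true` on `hostNetwork: true`, which hands the whole host to a DNS cache that, as far as this manifest shows, only needs to bind a link-local address and adjust iptables; that normally needs `NET_ADMIN` alone, so `securityContext: {capabilities: {add: ["NET_ADMIN"]}}` in place of `privileged: true` is worth trying, confirmed against what the `k8s-dns-node-cache` image does at startup. The file also creates a `node-local-dns` ServiceAccount with no Role or binding and nothing in the Corefile or args talks to the API server, so `automountServiceAccountToken: false` on the pod spec removes an API token that would otherwise sit inside a privileged host-network pod. `prometheus :9253` is presumably not scoped by the `bind` directive, so the metrics listener ends up on every node interface; `prometheus __PILLAR__LOCAL__DNS__:9253` would keep it on the link-local address as `health` already does. I would also add `# Fallback zone: non-cluster names go to the node's own resolvers, not back to kube-dns` above the `.:53` block, since the asymmetry with the other three zones is not obvious.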
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index caf16359e5f..873db8c56d2 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -230,6 +230,8 @@ if [[ ${ENABLE_NETD:-} == "true" ]]; then
 NON_MASTER_NODE_LABELS="${NON_MASTER_NODE_LABELS:+${NON_MASTER_NODE_LABELS},}cloud.google.com/gke-netd-ready=true"
 fi
+ENABLE_NODELOCAL_DNS="${KUBE_ENABLE_NODELOCAL_DNS:-false}"
+
 # To avoid running Calico on a node that is not configured appropriately,
 # label each Node so that the DaemonSet can run the Pods only on ready Nodes.
 if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
@@ -272,6 +274,7 @@ fi
 CLUSTER_DNS_CORE_DNS="${CLUSTER_DNS_CORE_DNS:-true}"
 ENABLE_CLUSTER_DNS="${KUBE_ENABLE_CLUSTER_DNS:-true}"
 DNS_SERVER_IP="10.0.0.10"
+LOCAL_DNS_IP="${KUBE_LOCAL_DNS_IP:-169.254.20.10}"
 DNS_DOMAIN="cluster.local"
 # Optional: Enable DNS horizontal autoscaler
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index c8cda248a5f..e95f31598cb 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -2354,6 +2354,16 @@ EOF
 fi
 }
+# Sets up the manifests of local dns cache agent for k8s addons.
+function setup-nodelocaldns-manifest {
+ setup-addon-manifests "addons" "dns/nodelocaldns"
+ local -r localdns_file="${dst_dir}/dns/nodelocaldns/nodelocaldns.yaml"
+ # Replace the sed configurations with variable values.
+ sed -i -e "s/__PILLAR__DNS__DOMAIN__/${DNS_DOMAIN}/g" "${localdns_file}"
+ sed -i -e "s/__PILLAR__DNS__SERVER__/${DNS_SERVER_IP}/g" "${localdns_file}"
+ sed -i -e "s/__PILLAR__LOCAL__DNS__/${LOCAL_DNS_IP}/g" "${localdns_file}"
+}
+
 # Sets up the manifests of netd for k8s addons.
 function setup-netd-manifest {
 local -r netd_file="${dst_dir}/netd/netd.yaml"
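Review bot: `setup-nodelocaldns-manifest` splices `${DNS_DOMAIN}`, `${DNS_SERVER_IP}` and `${LOCAL_DNS_IP}` unescaped into `sed` substitution expressions, so a value containing `/`, `&` or `\`, or an unset `LOCAL_DNS_IP` that leaves `bind`, `-localip` and the liveness `host:` empty, produces a broken or different manifest instead of an error. These values arrive via kube-env on the node, so validate them before rewriting, e.g. `[[ "${LOCAL_DNS_IP:-}" =~ ^[0-9a-fA-F.:]+$ ]] || { echo "invalid LOCAL_DNS_IP: ${LOCAL_DNS_IP:-}" >&2; return 1; }`, and use a delimiter that cannot occur in an address or domain, `sed -i -e "s|__PILLAR__LOCAL__DNS__|${LOCAL_DNS_IP}|g" "${localdns_file}"`. Whether `ENABLE_NODELOCAL_DNS` and `LOCAL_DNS_IP` are actually exported into the node's kube-env is not visible in this diff; if they are not, the new function never runs on GCE nodes. `setup-netd-manifest` continues past the end of the hunk.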
@@ -2525,6 +2535,9 @@ EOF setup-addon-manifests "addons" "dns/kube-dns" setup-kube-dns-manifest fi + if [[ "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then + setup-nodelocaldns-manifest + fi fi if [[ "${ENABLE_NETD:-}" == "true" ]]; then setup-netd-manifest diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index b7811bcf7d3..79ba5f7db85 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -708,6 +708,9 @@ function build-kubelet-config { declare quoted_dns_server_ip declare quoted_dns_domain quoted_dns_server_ip=$(yaml-quote "${DNS_SERVER_IP}") + if [[ "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then + quoted_dns_server_ip=$(yaml-quote "${LOCAL_DNS_IP}") + fi quoted_dns_domain=$(yaml-quote "${DNS_DOMAIN}") cat </dev/null || sudo mkdir -p "/var/lib/kubelet" # Enable dns if [[ "${ENABLE_CLUSTER_DNS}" = true ]]; then - dns_args="--cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}" + if [[ "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then + dns_args="--cluster-dns=${LOCAL_DNS_IP} --cluster-domain=${DNS_DOMAIN}" + else + dns_args="--cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}" + fi else # To start a private DNS server set ENABLE_CLUSTER_DNS and # DNS_SERVER_IP/DOMAIN. This will at least provide a working @@ -908,6 +914,17 @@ function start_kubedns { fi } +function start_nodelocaldns { + cp "${KUBE_ROOT}/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml" nodelocaldns.yaml + sed -i -e "s/__PILLAR__DNS__DOMAIN__/${DNS_DOMAIN}/g" nodelocaldns.yaml + sed -i -e "s/__PILLAR__DNS__SERVER__/${DNS_SERVER_IP}/g" nodelocaldns.yaml + sed -i -e "s/__PILLAR__LOCAL__DNS__/${LOCAL_DNS_IP}/g" nodelocaldns.yaml + # use kubectl to create nodelocaldns addon + ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f nodelocaldns.yaml + echo "NodeLocalDNS addon successfully deployed." + rm nodelocaldns.yaml +} + function start_kubedashboard { if [[ "${ENABLE_CLUSTER_DASHBOARD}" = true ]]; then echo "Creating kubernetes-dashboard" 
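Review bot: `start_nodelocaldns` reports "NodeLocalDNS addon successfully deployed." whether or not `kubectl create` succeeded, and it copies the manifest to a fixed `nodelocaldns.yaml` in the current working directory, clobbering any existing file of that name and leaving it behind if the script dies before `rm`. Unless `set -o errexit` is in force in this script (not visible here), a failed create is masked while the kubelet has already been pointed at `LOCAL_DNS_IP` by the earlier hunk, so pods lose DNS silently. The same unescaped `sed` interpolation as in `configure-helper.sh` applies, so a `|` delimiter is used below. `start_kubedns` begins and `start_kubedashboard` ends outside this hunk.
```shell
function start_nodelocaldns {
  local -r manifest="$(mktemp -t nodelocaldns.XXXXXX)"
  cp "${KUBE_ROOT}/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml" "${manifest}"
  sed -i -e "s|__PILLAR__DNS__DOMAIN__|${DNS_DOMAIN}|g" "${manifest}"
  sed -i -e "s|__PILLAR__DNS__SERVER__|${DNS_SERVER_IP}|g" "${manifest}"
  sed -i -e "s|__PILLAR__LOCAL__DNS__|${LOCAL_DNS_IP}|g" "${manifest}"
  # Fail loudly: the kubelet is already configured to send pod DNS to LOCAL_DNS_IP.
  if ! ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f "${manifest}"; then
    rm -f "${manifest}"
    echo "Failed to deploy NodeLocalDNS addon." >&2
    return 1
  fi
  rm -f "${manifest}"
  echo "NodeLocalDNS addon successfully deployed."
}
```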
@@ -1056,6 +1073,9 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
 fi
 start_kubeproxy
 start_kubedns
+ if [[ "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then
+ start_nodelocaldns
+ fi
 start_kubedashboard
 fi
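Review bot: `start_nodelocaldns` is called on `ENABLE_NODELOCAL_DNS` alone, while the kubelet `--cluster-dns` switch to `LOCAL_DNS_IP` in the earlier hunk is nested under `ENABLE_CLUSTER_DNS`, and the cache's `cluster.local` zones forward to `DNS_SERVER_IP`, which presumably only exists when `start_kubedns` really deployed kube-dns. With cluster DNS disabled this deploys a cache whose cluster zones forward into nothing; gating the call the same way keeps the two paths consistent: `if [[ "${ENABLE_CLUSTER_DNS}" = true && "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then`. The enclosing `if [[ "${START_MODE}" != "kubeletonly" ]]` block begins before this hunk.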