kubernetes實踐之九:kube-dns
一:前言
kube-dns是Kubernetes中的一個內建外掛,目前作為一個獨立的開源專案維護,見https://github.com/kubernetes/dns。通過將 Service 註冊到 DNS 中,Kuberentes 可以為我們提供一種簡單的服務註冊發現與負載均衡方式。至此,別的服務就可以通過名稱來訪問相關的服務。
Kubernetes DNS pod 中包括 3 個容器:
二: 部署kube-dns
1.配置檔案
官方網址下載需要的yaml部署檔案:https://github.com/kubernetes/kubernetes/tree/release-1.8/cluster/addons/dns
kubedns-cm.yaml
kubedns-sa.yaml
kubedns-controller.yaml
kubedns-svc.yaml
kubedns-cm.yaml不需要修改
kubedns-sa.yaml不需要修改
kubedns-controller.yaml 主要是$DNS_DOMAIN和image路徑的修改
kubedns-svc.yaml 主要是 clusterIP的修改
2.系統預定義的 RoleBinding
預定義的 RoleBinding system:kube-dns 將 kube-system 名稱空間的kube-dns ServiceAccount 與 system:kube-dns Role 繫結, 該 Role 具有訪問 kube-apiserver DNS 相關 API 的許可權;
3.執行相關檔案
kubectl create -f .
三:驗證
1.建立一個Deployment
my-nginx.yaml
kubectl create -f my-nginx.yaml
2.Export 該 Deployment, 生成 my-nginx 服務
kubectl expose deploy my-nginx
3.往其中一個pod中植入ping 工具
kubectl cp /usr/bin/ping my-nginx-58778897c8-c9x2q:/usr/bin/
kubectl cp /usr/lib64/libidn.so.11 my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcrypto.so.10 my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcap.so.2 my-nginx-58778897c8-c9x2q:/usr/lib/
4.進入pod,執行ping命令進行驗證
kubectl exec my-nginx-58778897c8-c9x2q -i -t -- /bin/bash
對應的service名稱,自動對映到IP。
或者建立一個簡單的busybox pod
busybox.yaml
建立POD
kubectl create -f busybox.yaml
驗證
kubectl exec -ti busybox -- nslookup kubernetes.default
驗證成功。
如果出現nslookup: can't resolve 'kubernetes.default' 則說明DNS有問題,通過日誌排查錯誤。
kube-dns是Kubernetes中的一個內建外掛,目前作為一個獨立的開源專案維護,見https://github.com/kubernetes/dns。通過將 Service 註冊到 DNS 中,Kuberentes 可以為我們提供一種簡單的服務註冊發現與負載均衡方式。至此,別的服務就可以通過名稱來訪問相關的服務。
Kubernetes DNS pod 中包括 3 個容器:
- kubedns:kubedns 程式監視 Kubernetes master 中的 Service 和 Endpoint 的變化,並維護記憶體查詢結構來服務DNS請求。
- dnsmasq:dnsmasq 容器新增 DNS 快取以提高效能。
- sidecar:sidecar 容器在執行雙重健康檢查(針對 dnsmasq 和 kubedns)時提供單個健康檢查端點(監聽在10054埠)
二: 部署kube-dns
1.配置檔案
官方網址下載需要的yaml部署檔案:https://github.com/kubernetes/kubernetes/tree/release-1.8/cluster/addons/dns
kubedns-cm.yaml
kubedns-sa.yaml
kubedns-controller.yaml
kubedns-svc.yaml
kubedns-cm.yaml不需要修改
點選(此處)摺疊或開啟
-
# Copyright 2016 The Kubernetes Authors.
-
#
-
# Licensed under the Apache License, Version 2.0 (the "License");
-
# you may not use this file except in compliance with the License.
-
# You may obtain a copy of the License at
-
#
-
# http://www.apache.org/licenses/LICENSE-2.0
-
#
-
# Unless required by applicable law or agreed to in writing, software
-
# distributed under the License is distributed on an "AS IS" BASIS,
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-
# See the License for the specific language governing permissions and
-
# limitations under the License.
-
-
apiVersion: v1
-
kind: ConfigMap
-
metadata:
-
name: kube-dns
-
namespace: kube-system
-
labels:
- addonmanager.kubernetes.io/mode: EnsureExists
點選(此處)摺疊或開啟
-
apiVersion: v1
-
kind: ServiceAccount
-
metadata:
-
name: kube-dns
-
namespace: kube-system
-
labels:
-
kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
點選(此處)摺疊或開啟
-
# Copyright 2016 The Kubernetes Authors.
-
#
-
# Licensed under the Apache License, Version 2.0 (the "License");
-
# you may not use this file except in compliance with the License.
-
# You may obtain a copy of the License at
-
#
-
# http://www.apache.org/licenses/LICENSE-2.0
-
#
-
# Unless required by applicable law or agreed to in writing, software
-
# distributed under the License is distributed on an "AS IS" BASIS,
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-
# See the License for the specific language governing permissions and
-
# limitations under the License.
-
-
# Should keep target in cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
-
# in sync with this file.
-
-
# __MACHINE_GENERATED_WARNING__
-
-
apiVersion: extensions/v1beta1
-
kind: Deployment
-
metadata:
-
name: kube-dns
-
namespace: kube-system
-
labels:
-
k8s-app: kube-dns
-
kubernetes.io/cluster-service: "true"
-
addonmanager.kubernetes.io/mode: Reconcile
-
spec:
-
# replicas: not specified here:
-
# 1. In order to make Addon Manager do not reconcile this replicas parameter.
-
# 2. Default is 1.
-
# 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
-
strategy:
-
rollingUpdate:
-
maxSurge: 10%
-
maxUnavailable: 0
-
selector:
-
matchLabels:
-
k8s-app: kube-dns
-
template:
-
metadata:
-
labels:
-
k8s-app: kube-dns
-
annotations:
-
scheduler.alpha.kubernetes.io/critical-pod: ''
-
spec:
-
tolerations:
-
- key: "CriticalAddonsOnly"
-
operator: "Exists"
-
volumes:
-
- name: kube-dns-config
-
configMap:
-
name: kube-dns
-
optional: true
-
containers:
-
- name: kubedns
-
image: index.tenxcloud.com/jimmy/k8s-dns-kube-dns-amd64:1.14.1
-
resources:
-
# TODO: Set memory limits when we've profiled the container for large
-
# clusters, then set request = limit to keep this container in
-
# guaranteed class. Currently, this container falls into the
-
# "burstable" category so the kubelet doesn't backoff from restarting it.
-
limits:
-
memory: 170Mi
-
requests:
-
cpu: 100m
-
memory: 70Mi
-
livenessProbe:
-
httpGet:
-
path: /healthcheck/kubedns
-
port: 10054
-
scheme: HTTP
-
initialDelaySeconds: 60
-
timeoutSeconds: 5
-
successThreshold: 1
-
failureThreshold: 5
-
readinessProbe:
-
httpGet:
-
path: /readiness
-
port: 8081
-
scheme: HTTP
-
# we poll on pod startup for the Kubernetes master service and
-
# only setup the /readiness HTTP server once that's available.
-
initialDelaySeconds: 3
-
timeoutSeconds: 5
-
args:
-
- --domain=cluster.local.
-
- --dns-port=10053
-
- --config-dir=/kube-dns-config
-
- --v=2
-
#__PILLAR__FEDERATIONS__DOMAIN__MAP__
-
env:
-
- name: PROMETHEUS_PORT
-
value: "10055"
-
ports:
-
- containerPort: 10053
-
name: dns-local
-
protocol: UDP
-
- containerPort: 10053
-
name: dns-tcp-local
-
protocol: TCP
-
- containerPort: 10055
-
name: metrics
-
protocol: TCP
-
volumeMounts:
-
- name: kube-dns-config
-
mountPath: /kube-dns-config
-
- name: dnsmasq
-
image: index.tenxcloud.com/jimmy/k8s-dns-dnsmasq-nanny-amd64:1.14.1
-
livenessProbe:
-
httpGet:
-
path: /healthcheck/dnsmasq
-
port: 10054
-
scheme: HTTP
-
initialDelaySeconds: 60
-
timeoutSeconds: 5
-
successThreshold: 1
-
failureThreshold: 5
-
args:
-
- -v=2
-
- -logtostderr
-
- -configDir=/etc/k8s/dns/dnsmasq-nanny
-
- -restartDnsmasq=true
-
- --
-
- -k
-
- --cache-size=1000
-
- --log-facility=-
-
- --server=/cluster.local./127.0.0.1#10053
-
- --server=/in-addr.arpa/127.0.0.1#10053
-
- --server=/ip6.arpa/127.0.0.1#10053
-
ports:
-
- containerPort: 53
-
name: dns
-
protocol: UDP
-
- containerPort: 53
-
name: dns-tcp
-
protocol: TCP
-
# see: https://github.com/kubernetes/kubernetes/issues/29055 for details
-
resources:
-
requests:
-
cpu: 150m
-
memory: 20Mi
-
volumeMounts:
-
- name: kube-dns-config
-
mountPath: /etc/k8s/dns/dnsmasq-nanny
-
- name: sidecar
-
image: index.tenxcloud.com/jimmy/k8s-dns-sidecar-amd64:1.14.1
-
livenessProbe:
-
httpGet:
-
path: /metrics
-
port: 10054
-
scheme: HTTP
-
initialDelaySeconds: 60
-
timeoutSeconds: 5
-
successThreshold: 1
-
failureThreshold: 5
-
args:
-
- --v=2
-
- --logtostderr
-
- --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
-
- --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
-
ports:
-
- containerPort: 10054
-
name: metrics
-
protocol: TCP
-
resources:
-
requests:
-
memory: 20Mi
-
cpu: 10m
-
dnsPolicy: Default # Don't use cluster DNS.
- serviceAccountName: kube-dns
點選(此處)摺疊或開啟
-
# Copyright 2016 The Kubernetes Authors.
-
#
-
# Licensed under the Apache License, Version 2.0 (the "License");
-
# you may not use this file except in compliance with the License.
-
# You may obtain a copy of the License at
-
#
-
# http://www.apache.org/licenses/LICENSE-2.0
-
#
-
# Unless required by applicable law or agreed to in writing, software
-
# distributed under the License is distributed on an "AS IS" BASIS,
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-
# See the License for the specific language governing permissions and
-
# limitations under the License.
-
-
# __MACHINE_GENERATED_WARNING__
-
-
apiVersion: v1
-
kind: Service
-
metadata:
-
name: kube-dns
-
namespace: kube-system
-
labels:
-
k8s-app: kube-dns
-
kubernetes.io/cluster-service: "true"
-
addonmanager.kubernetes.io/mode: Reconcile
-
kubernetes.io/name: "KubeDNS"
-
spec:
-
selector:
-
k8s-app: kube-dns
-
clusterIP: 10.254.0.2
-
ports:
-
- name: dns
-
port: 53
-
protocol: UDP
-
- name: dns-tcp
-
port: 53
- protocol: TCP
預定義的 RoleBinding system:kube-dns 將 kube-system 名稱空間的kube-dns ServiceAccount 與 system:kube-dns Role 繫結, 該 Role 具有訪問 kube-apiserver DNS 相關 API 的許可權;
3.執行相關檔案
kubectl create -f .
三:驗證
1.建立一個Deployment
my-nginx.yaml
點選(此處)摺疊或開啟
-
apiVersion: extensions/v1beta1
-
kind: Deployment
-
metadata:
-
name: my-nginx
-
spec:
-
replicas: 2
-
template:
-
metadata:
-
labels:
-
run: my-nginx
-
spec:
-
containers:
-
- name: my-nginx
-
image: docker.io/nginx
-
ports:
- - containerPort: 80
2.Export 該 Deployment, 生成 my-nginx 服務
kubectl expose deploy my-nginx
3.往其中一個pod中植入ping 工具
kubectl cp /usr/bin/ping my-nginx-58778897c8-c9x2q:/usr/bin/
kubectl cp /usr/lib64/libidn.so.11 my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcrypto.so.10 my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcap.so.2 my-nginx-58778897c8-c9x2q:/usr/lib/
4.進入pod,執行ping命令進行驗證
kubectl exec my-nginx-58778897c8-c9x2q -i -t -- /bin/bash
對應的service名稱,自動對映到IP。
或者建立一個簡單的busybox pod
busybox.yaml
點選(此處)摺疊或開啟
-
apiVersion: v1
-
kind: Pod
-
metadata:
-
name: busybox
-
namespace: default
-
spec:
-
containers:
-
- image: busybox
-
command:
-
- sleep
-
- "3600"
-
imagePullPolicy: IfNotPresent
-
name: busybox
- restartPolicy: Always
kubectl create -f busybox.yaml
驗證
kubectl exec -ti busybox -- nslookup kubernetes.default
點選(此處)摺疊或開啟
-
Server: 10.0.0.10
-
Address 1: 10.0.0.10
-
-
Name: kubernetes.default
- Address 1: 10.0.0.1
如果出現nslookup: can't resolve 'kubernetes.default' 則說明DNS有問題,通過日誌排查錯誤。
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/28624388/viewspace-2152243/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- kubernetes實踐之十一:EFK
- kubernetes實踐之六十:Cabin-Manage Kubernetes
- kubernetes實踐之五十七:PodPreset
- kubernetes實踐之五十八:CronJob
- kubernetes實踐之五十二:Helm
- kubernetes實踐之五十九:NetworkPolicy
- kubernetes實踐之十九:API概述API
- kubernetes實踐之十七:架構架構
- kubernetes實踐之八:TLS bootstrappingTLSbootAPP
- kubernetes實踐之十:Kubernetes-dashboard+Heapster+InfluxDB+GrafanaUXGrafana
- kubernetes實踐之四十二:StatefulSet
- kubernetes實踐之六十四:CoreDNSDNS
- kubernetes實踐之五十六:雲原生
- kubernetes實踐之五:網路模型模型
- kubernetes實踐之十二:部署Traefik Ingress
- GitOps實踐之kubernetes安裝argocdGitGo
- kubernetes實踐之五十五:kubectl之配置kubeconfig
- kubernetes實踐之十四:Service Account與Secret
- kubernetes實踐之四十七:ResourceQuota ControllerController
- kubernetes實踐之六十五:Service Mesh
- kubernetes實踐之六十二:Secret 使用
- kubernetes實踐之六十三:使用技巧
- kubernetes生產實踐之redis-clusterRedis
- Kubernetes(k8s)如何使用kube-dns實現服務發現K8SDNS
- kubernetes實踐之七十二:Istio之策略與遙測
- kubernetes實踐之七十三:Istio之配置請求路由路由
- kubernetes實踐之七十:Istio之流量管理(上)
- kubernetes實踐之十六:RBAC 角色訪問控制
- kubernetes實踐之四十九:Scheduler原理分析
- kubernetes實踐之四十四:Ingress詳解
- kubernetes實踐之四十三: Service詳解
- kubernetes實踐之五:Node節點安裝
- kubernetes實踐之五十四:垃圾回收機制
- kubernetes實踐之六十七:Istio介紹
- kubernetes實踐之六:CFSSL構建本地CA
- kubernetes實踐之十五:Kubernetes叢集主要啟動引數說明
- Kubernetes安裝之九:配置node節點之kubelet
- kubernetes實踐之七十一:Istio之流量管理(下)