Kubernetes in practice, part 9: kube-dns

Published by 百聯達 on 2018-03-26
Part 1: Introduction
kube-dns is a built-in Kubernetes add-on, currently maintained as a separate open-source project at https://github.com/kubernetes/dns. By registering Services in DNS, Kubernetes gives us a simple form of service registration, discovery and load balancing: once a Service is registered, other services can reach it by name.


The Kubernetes DNS pod contains 3 containers:
  • kubedns: the kubedns process watches the Kubernetes master for changes to Services and Endpoints and maintains an in-memory lookup structure from which it serves DNS requests.
  • dnsmasq: the dnsmasq container adds a DNS cache in front of kubedns to improve performance.
  • sidecar: the sidecar container performs dual health checks (against dnsmasq and kubedns) and exposes them through a single health-check endpoint (listening on port 10054).
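How a short name such as my-nginx or kubernetes.default turns into the record that kubedns serves is worth seeing in code. The Python below is an added illustration, not code from this post or from the kubernetes/dns project: it models the in-memory Service table kubedns builds from the API server, and the search-list expansion (the kubelet's default search domains and ndots:5) that a pod's stub resolver applies before a query reaches the DNS pod. The Service entries and their ClusterIPs are constructed sample data, and the cluster domain cluster.local is assumed.

```python
"""Added illustration (not code from the post or from kubernetes/dns): the
Service-name table kubedns keeps in memory, and the search-list expansion
a pod's stub resolver applies before a name reaches it.

Assumed: cluster domain cluster.local and the kubelet's default resolv.conf
for a pod in the "default" namespace (three search domains, ndots:5).
The Service list is constructed sample data.
"""

CLUSTER_DOMAIN = "cluster.local"

# Constructed sample of what kubedns learns by watching Services:
# (service name, namespace, ClusterIP)
SERVICES = [
    ("kubernetes", "default", "10.0.0.1"),
    ("my-nginx", "default", "10.254.12.34"),
    ("kube-dns", "kube-system", "10.254.0.2"),
]

# search list the kubelet writes into /etc/resolv.conf of a pod in "default"
POD_SEARCH = [f"default.svc.{CLUSTER_DOMAIN}", f"svc.{CLUSTER_DOMAIN}", CLUSTER_DOMAIN]
NDOTS = 5


def service_fqdn(name, namespace, domain=CLUSTER_DOMAIN):
    """Absolute record name (trailing dot) that kube-dns publishes for a Service."""
    return f"{name}.{namespace}.svc.{domain}."


def build_table(services, domain=CLUSTER_DOMAIN):
    """The in-memory lookup structure: absolute record name -> ClusterIP."""
    return {service_fqdn(n, ns, domain): ip for n, ns, ip in services}


def search_candidates(qname, search=POD_SEARCH, ndots=NDOTS):
    """Names a resolv.conf-driven stub resolver tries for ``qname``, in order.

    An absolute name (trailing dot) is sent as-is. A relative name with fewer
    than ``ndots`` dots is tried under every search domain first and bare
    last; with ``ndots`` or more dots the bare name is tried first.
    """
    if qname.endswith("."):
        return [qname]
    bare = qname + "."
    via_search = [f"{qname}.{domain}." for domain in search]
    if qname.count(".") < ndots:
        return via_search + [bare]
    return [bare] + via_search


def resolve(qname, table, search=POD_SEARCH, ndots=NDOTS):
    """Walk the candidates; return (record name, ip) or None (NXDOMAIN)."""
    for candidate in search_candidates(qname, search, ndots):
        if candidate in table:
            return candidate, table[candidate]
    return None


if __name__ == "__main__":
    table = build_table(SERVICES)
    for q in ("my-nginx", "kubernetes.default",
              "kube-dns.kube-system.svc.cluster.local.", "www.example.com"):
        print(f"{q:45} tries {search_candidates(q)}")
        print(f"{'':45} -> {resolve(q, table)}")
```

Two things the model makes visible: a pod in another namespace sees my-nginx as NXDOMAIN and must ask for my-nginx.default, and with ndots:5 an external name like www.example.com is first tried under every search domain, so each such lookup costs several round trips to kube-dns before the bare name is forwarded upstream.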

Part 2: Deploying kube-dns
1. Configuration files
Download the required yaml deployment files from the official repository: https://github.com/kubernetes/kubernetes/tree/release-1.8/cluster/addons/dns
kubedns-cm.yaml
kubedns-sa.yaml
kubedns-controller.yaml
kubedns-svc.yaml

kubedns-cm.yaml needs no changes


# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
kubedns-sa.yaml needs no changes


apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
kubedns-controller.yaml: the main changes are $DNS_DOMAIN and the image paths


# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Should keep target in cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
# in sync with this file.

# __MACHINE_GENERATED_WARNING__

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  # replicas: not specified here:
  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
  # 2. Default is 1.
  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
  strategy:
    rollingUpdate:
      maxSurge: 10%
      maxUnavailable: 0
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      volumes:
      - name: kube-dns-config
        configMap:
          name: kube-dns
          optional: true
      containers:
      - name: kubedns
        image: index.tenxcloud.com/jimmy/k8s-dns-kube-dns-amd64:1.14.1
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
          # guaranteed class. Currently, this container falls into the
          # "burstable" category so the kubelet doesn't backoff from restarting it.
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi
        livenessProbe:
          httpGet:
            path: /healthcheck/kubedns
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: 8081
            scheme: HTTP
          # we poll on pod startup for the Kubernetes master service and
          # only setup the /readiness HTTP server once that's available.
          initialDelaySeconds: 3
          timeoutSeconds: 5
        args:
        - --domain=cluster.local.
        - --dns-port=10053
        - --config-dir=/kube-dns-config
        - --v=2
        #__PILLAR__FEDERATIONS__DOMAIN__MAP__
        env:
        - name: PROMETHEUS_PORT
          value: "10055"
        ports:
        - containerPort: 10053
          name: dns-local
          protocol: UDP
        - containerPort: 10053
          name: dns-tcp-local
          protocol: TCP
        - containerPort: 10055
          name: metrics
          protocol: TCP
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
      - name: dnsmasq
        image: index.tenxcloud.com/jimmy/k8s-dns-dnsmasq-nanny-amd64:1.14.1
        livenessProbe:
          httpGet:
            path: /healthcheck/dnsmasq
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        args:
        - -v=2
        - -logtostderr
        - -configDir=/etc/k8s/dns/dnsmasq-nanny
        - -restartDnsmasq=true
        - --
        - -k
        - --cache-size=1000
        - --log-facility=-
        - --server=/cluster.local./127.0.0.1#10053
        - --server=/in-addr.arpa/127.0.0.1#10053
        - --server=/ip6.arpa/127.0.0.1#10053
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
        resources:
          requests:
            cpu: 150m
            memory: 20Mi
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      - name: sidecar
        image: index.tenxcloud.com/jimmy/k8s-dns-sidecar-amd64:1.14.1
        livenessProbe:
          httpGet:
            path: /metrics
            port: 10054
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        args:
        - --v=2
        - --logtostderr
        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
        ports:
        - containerPort: 10054
          name: metrics
          protocol: TCP
        resources:
          requests:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default # Don't use cluster DNS.
      serviceAccountName: kube-dns
kubedns-svc.yaml: the main change is the clusterIP


# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# __MACHINE_GENERATED_WARNING__

apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "KubeDNS"
spec:
  selector:
    k8s-app: kube-dns
  clusterIP: 10.254.0.2
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
2. The system-predefined RoleBinding
The predefined RoleBinding system:kube-dns binds the kube-dns ServiceAccount in the kube-system namespace to the system:kube-dns Role, which carries the permissions needed to access the DNS-related APIs of kube-apiserver.


3. Apply the files
kubectl create -f .
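The values the steps above say to edit by hand (the $DNS_DOMAIN in the kubedns args, the dnsmasq --server forwarding lines and sidecar probe names in kubedns-controller.yaml, and the clusterIP in kubedns-svc.yaml) are easy to change inconsistently. The Python below is an added pre-rollout check, not part of this post or of the Kubernetes DNS add-on: it pulls those values out of the manifest text with regular expressions (so no YAML library is needed) and compares them with the intended cluster domain, the --cluster-dns address the kubelets are configured with, and the Service CIDR. The embedded manifest fragments are constructed from the post's own values (cluster.local, 10.254.0.2); the Service CIDR 10.254.0.0/16 is an assumption.

```python
"""Added consistency check (not part of the post or of the Kubernetes DNS
add-on) for the values the post says must be edited by hand: the kubedns
--domain, the dnsmasq --server forwarding lines and sidecar probe names in
kubedns-controller.yaml, and the clusterIP in kubedns-svc.yaml.

Values are extracted from the manifest text with regular expressions, so no
YAML library is needed. The manifest fragments below are constructed from
the post's values; the Service CIDR 10.254.0.0/16 is an assumption.
"""
import ipaddress
import re

# Constructed fragments carrying only the lines the check looks at
CONTROLLER_YAML = """\
      containers:
      - name: kubedns
        args:
        - --domain=cluster.local.
        - --dns-port=10053
      - name: dnsmasq
        args:
        - --server=/cluster.local./127.0.0.1#10053
        - --server=/in-addr.arpa/127.0.0.1#10053
        - --server=/ip6.arpa/127.0.0.1#10053
      - name: sidecar
        args:
        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local.,5,A
        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local.,5,A
"""
SVC_YAML = """\
spec:
  clusterIP: 10.254.0.2
"""


def kubedns_domain(text):
    m = re.search(r"--domain=(\S+)", text)
    return m.group(1) if m else None


def dnsmasq_forwarded_domains(text):
    """Domains dnsmasq hands to kubedns on 127.0.0.1:10053 (everything else goes upstream)."""
    return re.findall(r"--server=/([^/\s]+)/127\.0\.0\.1#10053", text)


def sidecar_probe_names(text):
    return re.findall(r"--probe=\w+,[^,\s]+,([^,\s]+),", text)


def service_cluster_ip(text):
    m = re.search(r"^\s*clusterIP:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def check_manifests(controller_text, svc_text, cluster_domain, cluster_dns, service_cidr):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    domain = cluster_domain.rstrip(".") + "."          # kube-dns uses the absolute form

    got = kubedns_domain(controller_text)
    if got != domain:
        findings.append(f"kubedns --domain is {got!r}, expected {domain!r}")

    forwarded = dnsmasq_forwarded_domains(controller_text)
    for want in (domain, "in-addr.arpa", "ip6.arpa"):
        if want not in forwarded:
            findings.append(f"dnsmasq does not forward {want!r} to kubedns; it would go upstream")

    for name in sidecar_probe_names(controller_text):
        if not name.endswith("." + domain):
            findings.append(f"sidecar probes {name!r}, which is outside {domain!r}")

    ip = service_cluster_ip(svc_text)
    if ip != cluster_dns:
        findings.append(f"Service clusterIP {ip!r} differs from kubelet --cluster-dns {cluster_dns!r}")
    if ip is not None:
        try:
            in_cidr = ipaddress.ip_address(ip) in ipaddress.ip_network(service_cidr)
        except ValueError:
            in_cidr = False
        if not in_cidr:
            findings.append(f"clusterIP {ip!r} is outside the Service CIDR {service_cidr}")
    return findings


if __name__ == "__main__":
    result = check_manifests(CONTROLLER_YAML, SVC_YAML, "cluster.local", "10.254.0.2", "10.254.0.0/16")
    for line in result or ["manifests are consistent"]:
        print(line)
```

A domain mismatch is worth catching before kubectl create: dnsmasq forwards only the domains named in its --server lines to kubedns on port 10053, so queries for a cluster domain it has not been told about go to the node's upstream resolvers instead, which both breaks resolution and sends internal Service names outside the cluster.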

Part 3: Verification

1. Create a Deployment
my-nginx.yaml


apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 2
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: docker.io/nginx
        ports:
        - containerPort: 80
kubectl create -f my-nginx.yaml
2. Expose the Deployment to generate the my-nginx Service
kubectl expose deploy my-nginx




3. Copy the ping tool (and the libraries it needs) into one of the pods
kubectl cp /usr/bin/ping my-nginx-58778897c8-c9x2q:/usr/bin/
kubectl cp /usr/lib64/libidn.so.11 my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcrypto.so.10  my-nginx-58778897c8-c9x2q:/usr/lib/
kubectl cp /usr/lib64/libcap.so.2  my-nginx-58778897c8-c9x2q:/usr/lib/

4. Enter the pod and run ping to verify

kubectl exec my-nginx-58778897c8-c9x2q -i -t -- /bin/bash
The corresponding Service name is automatically mapped to its IP.


Alternatively, create a simple busybox pod

busybox.yaml


apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: busybox
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
    name: busybox
  restartPolicy: Always
Create the pod
kubectl create -f busybox.yaml
Verify
kubectl exec -ti busybox -- nslookup kubernetes.default



Server: 10.0.0.10
Address 1: 10.0.0.10

Name: kubernetes.default
Address 1: 10.0.0.1
Verification succeeded.

If the output is nslookup: can't resolve 'kubernetes.default' instead, DNS is not working; troubleshoot the error through the logs of the kube-dns pod's containers.
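When nslookup fails, it helps to reproduce what the sidecar's --probe arguments do (an A query for kubernetes.default.svc.cluster.local. against kubedns on 127.0.0.1:10053 and against dnsmasq on 127.0.0.1:53) with a tool that shows the raw answer. The Python below is an added example, not the sidecar's code: it builds the DNS query from scratch, sends it over UDP with the same 5-second timeout, and parses the reply, including compressed names, reporting the response code (rcode 3 is NXDOMAIN, the wire-level form of "can't resolve"). The sample replies used to exercise the parser offline are constructed.

```python
"""Added example (not the sidecar's own code): a minimal DNS A-record probe
that mirrors the sidecar's --probe checks against kubedns (127.0.0.1:10053)
and dnsmasq (127.0.0.1:53). Query building and reply parsing are hand-rolled
so the raw response code and answers are visible; the sample replies below
are constructed for offline use.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, txid):
    """Standard recursive query (RD=1) for one A record in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at ``off``; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                  # caller resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg, txid):
    """Return (rcode, [A-record addresses]); raise if the reply is not for our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                               # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server, port, name="kubernetes.default.svc.cluster.local.", timeout=5.0):
    """One UDP round trip, like the sidecar probe's 5-second check."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed sample reply (txid 0x1234): NOERROR, one A record whose owner
# name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_NAME = "kubernetes.default.svc.cluster.local."
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + encode_name(SAMPLE_NAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.1")
)
# Constructed NXDOMAIN reply: the wire-level form of "can't resolve".
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8183, 1, 0, 0, 0)
    + encode_name(SAMPLE_NAME) + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    for port, component in ((10053, "kubedns"), (53, "dnsmasq")):
        try:
            rcode, addrs = probe("127.0.0.1", port)
            print(f"{component}: {RCODE_NAMES.get(rcode, rcode)} {addrs}")
        except (OSError, ValueError) as exc:
            print(f"{component}: probe failed: {exc}")
```

Run it where the DNS pod's ports are reachable (on the node, or from a container that has Python, replacing 127.0.0.1 with the kube-dns pod IP). If port 10053 answers correctly but port 53 does not, the fault is in dnsmasq's forwarding; if 10053 itself returns NXDOMAIN or times out, read the kubedns container's logs and check that its --domain matches the name being queried.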



From the "ITPUB blog", link: http://blog.itpub.net/28624388/viewspace-2152243/. If you repost, please credit the source; otherwise legal action will be pursued.
