Update CoreDNS addon
Change-Id: Id1f3e2821f449958a800758aa3e87c867449216c
Implements: PROD-21863
diff --git a/kubernetes/files/kube-addons/coredns/coredns-cm.yml b/kubernetes/files/kube-addons/coredns/coredns-cm.yml
index 54de711..4fed36c 100644
--- a/kubernetes/files/kube-addons/coredns/coredns-cm.yml
+++ b/kubernetes/files/kube-addons/coredns/coredns-cm.yml
@@ -30,4 +30,11 @@
health
proxy . /etc/resolv.conf
cache 30
+ reload
+ loadbalance
+ kubernetes {{ common.addons.coredns.domain|replace('_', '-') }}. in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream
+ fallthrough in-addr.arpa ip6.arpa
+ }
}
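Review bot: `pods insecure` makes the kubernetes plugin answer any `a-b-c-d.<ns>.pod.<domain>` query with that address without checking that a pod with it exists, which is the kube-dns compatibility mode rather than the safe one; the ClusterRole added in coredns-rbac.yml already grants list/watch on pods, so `pods verified` would work and would only answer for pods that really exist in the named namespace. If `insecure` is kept deliberately, record why next to it, e.g. `# pods insecure: kube-dns compatible, returns A records for any IP without a pod lookup`. The server block and the `proxy . /etc/resolv.conf` line above are only partly visible; that upstream relies on the deployment's `dnsPolicy: Default` to avoid forwarding to CoreDNS itself.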
diff --git a/kubernetes/files/kube-addons/coredns/coredns-deploy.yml b/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
index 065b48c..6696f08 100644
--- a/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
+++ b/kubernetes/files/kube-addons/coredns/coredns-deploy.yml
@@ -11,32 +11,40 @@
kubernetes.io/name: "CoreDNS"
addonmanager.kubernetes.io/mode: Reconcile
spec:
- replicas: 1
+ replicas: 2
selector:
matchLabels:
k8s-app: coredns
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
template:
metadata:
labels:
k8s-app: coredns
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ''
- scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
-{%- if common.addons.coredns.cni is defined %}
- cni: {{ common.addons.coredns.cni }}
-{%- endif %}
spec:
+ serviceAccountName: coredns
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
containers:
- name: coredns
image: {{ common.addons.coredns.image }}
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ memory: 170Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
+ readOnly: true
ports:
- containerPort: 53
name: dns
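Review bot: `imagePullPolicy: IfNotPresent` combined with the unpinned default `image: coredns/coredns:latest` in metadata/service/common.yml means each node keeps whatever `latest` it first pulled, so the two replicas can run different CoreDNS builds and a newer tag is never picked up; pin the pillar default to a version tag or digest (`image: coredns/coredns:<version-placeholder>`) or keep `Always` until that is done. `replicas: 2` with no anti-affinity also lets the scheduler place both pods on one node, which loses the redundancy the second replica is meant to give during a node outage; a preferred `podAntiAffinity` on `k8s-app: coredns` keyed on `kubernetes.io/hostname` spreads them while still scheduling on a single-node cluster, as below. The removed conditional `cni:` label was pillar-driven, so any selector relying on it (if one exists) silently stops matching; worth confirming.
```yaml
    spec:
      serviceAccountName: coredns
      # … unchanged: tolerations, containers, volumes …
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    k8s-app: coredns
                topologyKey: kubernetes.io/hostname
```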
@@ -44,6 +52,17 @@
- containerPort: 53
name: dns-tcp
protocol: TCP
+ - containerPort: 9153
+ name: metrics
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - all
+ readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /health
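Review bot: The new `securityContext` adds `NET_BIND_SERVICE` and drops the rest but sets neither `runAsNonRoot` nor `runAsUser`, so whether the process is actually unprivileged depends on the USER baked into `{{ common.addons.coredns.image }}`, which is not visible here; if that image runs as root the added capability is redundant and the drop list buys less than it looks. Adding `runAsNonRoot: true` beside `allowPrivilegeEscalation: false` states the intent and makes the pod fail closed if the image is later swapped for one that runs as root. The metrics port 9153 is only meaningful if the Corefile enables the `prometheus` plugin, which the coredns-cm.yml hunk does not show (it may sit above its visible lines). The container definition begins in the previous hunk.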
@@ -53,7 +72,7 @@
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
- dnsPolicy: ClusterFirst
+ dnsPolicy: Default
volumes:
- name: config-volume
configMap:
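Review bot: `dnsPolicy: Default` is load-bearing and undocumented: it makes the pod resolve through the node's /etc/resolv.conf, which is exactly what `proxy . /etc/resolv.conf` in the Corefile forwards to, whereas the previous `ClusterFirst` would have handed the pod the cluster DNS address from coredns-svc.yml, i.e. CoreDNS itself, so external lookups would loop. Add a comment so the next reader does not "fix" it back: `# Default, not ClusterFirst: use the node resolver, otherwise "proxy . /etc/resolv.conf" forwards to CoreDNS itself`.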
diff --git a/kubernetes/files/kube-addons/coredns/coredns-rbac.yml b/kubernetes/files/kube-addons/coredns/coredns-rbac.yml
new file mode 100644
index 0000000..19262c3
--- /dev/null
+++ b/kubernetes/files/kube-addons/coredns/coredns-rbac.yml
@@ -0,0 +1,46 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: coredns
+ namespace: {{ common.addons.coredns.namespace }}
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: system:coredns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: system:coredns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:coredns
+subjects:
+- kind: ServiceAccount
+ name: coredns
+ namespace: kube-system
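Review bot: The ClusterRoleBinding subject hardcodes `namespace: kube-system` while the ServiceAccount at the top of the file is created in `{{ common.addons.coredns.namespace }}`; with any other namespace in the pillar the binding points at a ServiceAccount that does not exist, the pods get an identity with no list/watch on services, endpoints, pods or namespaces, and the kubernetes plugin cannot sync. Use the same expression on the subject: `namespace: {{ common.addons.coredns.namespace }}`. Separately, `rbac.authorization.k8s.io/v1beta1` is the pre-GA version; `v1` exists since Kubernetes 1.8 and is the one to use if the target clusters support it.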
diff --git a/kubernetes/files/kube-addons/coredns/coredns-svc.yml b/kubernetes/files/kube-addons/coredns/coredns-svc.yml
index be49e94..0ea083c 100644
--- a/kubernetes/files/kube-addons/coredns/coredns-svc.yml
+++ b/kubernetes/files/kube-addons/coredns/coredns-svc.yml
@@ -8,11 +8,12 @@
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
- kubernetes.io/name: "coredns"
+ kubernetes.io/name: "CoreDNS"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: coredns
+ clusterIP: {{ common.addons.coredns.server }}
ports:
- name: dns
port: 53
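Review bot: `clusterIP: {{ common.addons.coredns.server }}` is an unquoted templated scalar; the default `10.254.0.10` renders as a plain string, but an empty or unusual pillar value renders as `null` or a non-string and fails the apply with an unhelpful error, so quote it: `clusterIP: "{{ common.addons.coredns.server }}"`. `clusterIP` is also immutable once the Service exists, so changing `server` in the pillar later makes the addon manager's reconcile of this Service fail rather than move the address; and the value has to match what the kubelets advertise as cluster DNS, which is not visible here.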
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 049e6c4..5bc5acc 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -246,7 +246,11 @@
{% endif %}
-{%- if common.addons.coredns.enabled or master.federation.enabled %}
+{% endif %}
+
+{%- if common.addons.get('coredns', {}).get('enabled') %}
+
+{%- if master.get('federation', {}).get('enabled') or (common.addons.get('externaldns', {}).get('enabled') and common.addons.get('externaldns', {}).get('provider') == "coredns") %}
/etc/kubernetes/addons/coredns/coredns-etcd-operator-deployment.yaml:
file.managed:
- source: salt://kubernetes/files/kube-addons/coredns/coredns-etcd-operator-deployment.yaml
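Review bot: The etcd-operator deployment file is now gated on CoreDNS being enabled (the outer `{%- if common.addons.get('coredns', {}).get('enabled') %}`), whereas before `master.federation.enabled` alone pulled it in; a pillar with federation on and coredns off no longer gets this file, which may well be intended but is not stated in the commit message. The Jinja block closed by the added `{% endif %}` begins above the hunk, and the blank-line context of this hunk appears collapsed in the rendering. If the narrowing is intended, a comment above the outer conditional, `{# CoreDNS addon files; the etcd operator only for federation or externaldns with provider coredns #}`, would record it.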
@@ -262,6 +266,7 @@
- group: root
- dir_mode: 755
- makedirs: True
+{% endif %}
/etc/kubernetes/addons/coredns/coredns-cm.yml:
file.managed:
@@ -286,8 +291,14 @@
- group: root
- dir_mode: 755
- makedirs: True
-{% endif %}
+/etc/kubernetes/addons/coredns/coredns-rbac.yml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/coredns/coredns-rbac.yml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
{% endif %}
{%- if common.addons.get('externaldns', {}).get('enabled') %}
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index 4d692b4..5cdb2a0 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -41,6 +41,8 @@
enabled: False
namespace: kube-system
image: coredns/coredns:latest
+ domain: cluster.local
+ server: 10.254.0.10
etcd:
operator_image: quay.io/coreos/etcd-operator:v0.5.2
version: 3.1.8
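Review bot: The new `server` and `domain` defaults are consumed by coredns-svc.yml (as `clusterIP`) and coredns-cm.yml (as the kubernetes zone), but nothing here states the constraints on them: the address has to lie inside the apiserver's service CIDR and equal the cluster DNS address the kubelets hand to pods, and the domain has to equal the kubelets' cluster domain, none of which the Salt state can check. A short comment above each key would prevent a mismatched edit, e.g. `# server: CoreDNS clusterIP; must be inside the service CIDR and match the kubelet cluster-dns setting` and `# domain: must match the kubelet cluster-domain setting`.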