feat: coredns-nodecache

2025-09-17 18:24:14 +02:00 · 2021-08-08 20:49:45 +02:00
parent 6aed39b41a
commit bc8aa60472
8 changed files with 308 additions and 0 deletions
--- a/cluster/core/kube-system/coredns-nodecache/configmap.yaml
+++ b/cluster/core/kube-system/coredns-nodecache/configmap.yaml
@@ -0,0 +1,121 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-nodecache-primary
+  namespace: kube-system
+data:
+  Corefile: |
+    cluster.local:53 {
+        errors
+        cache {
+          success 9984 30
+          denial 9984 5
+          prefetch 3 60s 15%
+        }
+        reload
+        loop
+        bind 169.254.20.10 # Set your cluster dns to this
+        nodecache skipteardown
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . 10.96.0.10 { # Kube-DNS IP
+          force_tcp
+        }
+        prometheus :9253
+        health 169.254.20.10:8080
+        }
+    in-addr.arpa:53 {
+        errors
+        cache 120
+        reload
+        loop
+        bind 169.254.20.10
+        nodecache skipteardown
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . /etc/resolv.conf {
+          force_tcp
+        }
+        prometheus :9253
+        }
+    .:53 {
+        errors
+        cache {
+          success 9984 86400
+          denial 9984 300
+          prefetch 3 60s 15%
+        }
+        reload
+        loop
+        bind 169.254.20.10
+        nodecache skipteardown
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . /etc/resolv.conf {
+          force_tcp
+        }
+        prometheus :9253
+        }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-nodecache-secondary
+  namespace: kube-system
+data:
+  Corefile: |
+    cluster.local:53 {
+        errors
+        cache {
+          success 9984 30
+          denial 9984 5
+          prefetch 3 60s 15%
+        }
+        reload
+        loop
+        bind 169.254.20.10 # Set your cluster dns to this
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . 10.96.0.10 { # Kube-DNS IP
+          force_tcp
+        }
+        prometheus :9254
+        health 169.254.20.10:8082
+        }
+    in-addr.arpa:53 {
+        errors
+        cache 120
+        reload
+        loop
+        bind 169.254.20.10
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . /etc/resolv.conf {
+          force_tcp
+        }
+        prometheus :9254
+        }
+    .:53 {
+        errors
+        cache {
+          success 9984 86400
+          denial 9984 300
+          prefetch 3 60s 15%
+        }
+        reload
+        loop
+        bind 169.254.20.10
+        template IN AAAA {
+          rcode NOERROR
+        }
+        forward . /etc/resolv.conf {
+          force_tcp
+        }
+        prometheus :9254
+        }
--- a/cluster/core/kube-system/coredns-nodecache/daemonset.yaml
+++ b/cluster/core/kube-system/coredns-nodecache/daemonset.yaml
@@ -0,0 +1,147 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: coredns-nodecache-primary
+  namespace: kube-system
+  labels:
+    k8s-app: coredns-nodecache
+    kubernetes.io/cluster-service: "true"
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 10%
+  selector:
+    matchLabels:
+      k8s-app: coredns-nodecache
+  template:
+    metadata:
+      labels:
+        k8s-app: coredns-nodecache
+    spec:
+      priorityClassName: system-node-critical
+      serviceAccountName: coredns-nodecache
+      hostNetwork: true
+      dnsPolicy: Default
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+          operator: Exists
+      containers:
+        - name: coredns-nodecache
+          image: contentful/coredns-nodecache:latest
+          resources:
+            limits:
+              memory: 50Mi
+            requests:
+              cpu: 25m
+              memory: 5Mi
+          args:
+            - -conf
+            - /etc/coredns/Corefile
+          securityContext:
+            privileged: true
+          ports:
+            - containerPort: 53
+              name: dns
+              protocol: UDP
+            - containerPort: 53
+              name: dns-tcp
+              protocol: TCP
+            - containerPort: 9253
+              name: metrics
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              host: 169.254.20.10
+              path: /health
+              port: 8080
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+          volumeMounts:
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+              readOnly: false
+            - name: config-volume
+              mountPath: /etc/coredns
+      volumes:
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: config-volume
+          configMap:
+            name: coredns-nodecache-primary
+            items:
+              - key: Corefile
+                path: Corefile
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: coredns-nodecache-secondary
+  namespace: kube-system
+  labels:
+    k8s-app: coredns-nodecache
+    kubernetes.io/cluster-service: "true"
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 10%
+  selector:
+    matchLabels:
+      k8s-app: coredns-nodecache
+  template:
+    metadata:
+      labels:
+        k8s-app: coredns-nodecache
+    spec:
+      priorityClassName: system-node-critical
+      serviceAccountName: coredns-nodecache
+      hostNetwork: true
+      dnsPolicy: Default
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+      containers:
+        - name: coredns-nodecache
+          image: contentful/coredns-nodecache:latest
+          resources:
+            limits:
+              memory: 50Mi
+            requests:
+              cpu: 25m
+              memory: 5Mi
+          args:
+            - -conf
+            - /etc/coredns/Corefile
+          securityContext:
+            privileged: true
+          ports:
+            - containerPort: 9254
+              name: metrics
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              host: 169.254.20.10
+              path: /health
+              port: 8082
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+          volumeMounts:
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+              readOnly: false
+            - name: config-volume
+              mountPath: /etc/coredns
+      volumes:
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: config-volume
+          configMap:
+            name: coredns-nodecache-secondary
+            items:
+              - key: Corefile
+                path: Corefile
--- a/cluster/core/kube-system/coredns-nodecache/kustomization.yaml
+++ b/cluster/core/kube-system/coredns-nodecache/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - service-account.yaml
+  - configmap.yaml
+  - daemonset.yaml
--- a/cluster/core/kube-system/coredns-nodecache/service-account.yaml
+++ b/cluster/core/kube-system/coredns-nodecache/service-account.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns-nodecache
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
--- a/cluster/core/kube-system/kustomization.yaml
+++ b/cluster/core/kube-system/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
+  - coredns-nodecache
  - descheduler
  - intel-gpu-plugin
  - kubernetes-replicator
--- a/server/ansible/inventory/group_vars/all/ubuntu-settings.yml
+++ b/server/ansible/inventory/group_vars/all/ubuntu-settings.yml
@@ -1,4 +1,5 @@
 ---
+dns_server: 192.168.8.1
 # Enable to skip apt upgrade
 skip_upgrade_packages: false
 # Enable to skip removing crufty packages
--- a/server/ansible/roles/ubuntu/tasks/network.yml
+++ b/server/ansible/roles/ubuntu/tasks/network.yml
@@ -21,3 +21,25 @@
  when:
    - sysctl_network.changed
    - bridge_nf_call_iptables_result.stat.exists
+
+- name: network | systemd-resolved | disable
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: stopped
+    enabled: no
+
+- name: network | resolv.conf | check symlink
+  ansible.builtin.stat:
+    path: "/etc/resolv.conf"
+  register: resolv
+
+- name: network | resolv.conf | remove symlink
+  ansible.builtin.file:
+    path: "/etc/resolv.conf"
+    state: absent
+  when: resolv.stat.islnk is defined and resolv.stat.islnk
+
+- name: network | resolv.conf | static files
+  ansible.builtin.template:
+    src: resolv.conf
+    dest: /etc/resolv.conf
--- a/server/ansible/roles/ubuntu/templates/resolv.conf
+++ b/server/ansible/roles/ubuntu/templates/resolv.conf
@@ -0,0 +1 @@
+nameserver {{ dns_server }}