本页面介绍如何为 Google Kubernetes Engine (GKE) Standard 模式集群运行 kube-dns 的自定义 Deployment。本页面不适用于 GKE Autopilot(在其中,由 Google 管理 kube-dns)。
概览
如需配置 kube-dns CPU、内存和其他参数,您必须运行自定义 Deployment 并停用 GKE 提供的 Deployment。您还可以按照本页面中的说明运行 Core DNS 或任何其他符合 Kubernetes DNS 规范的 DNS 提供商的自定义 Deployment。
如需详细了解 GKE 如何实现服务发现,请参阅服务发现和 DNS。
创建自定义 Deployment
创建 kube-dns、Core DNS 或其他 DNS 提供商的Deployment 清单。
以下示例 kube-dns 清单包含
-q标志,以记录查询结果。将清单保存为custom-kube-dns.yaml。apiVersion: apps/v1 kind: Deployment metadata: name: DNS_DEPLOYMENT_NAME namespace: kube-system annotations: deployment.kubernetes.io/revision: "1" k8s-app: kube-dns spec: selector: matchLabels: k8s-app: kube-dns strategy: rollingUpdate: maxSurge: 10% maxUnavailable: 0 type: RollingUpdate template: metadata: creationTimestamp: null labels: k8s-app: kube-dns spec: containers: - name: kubedns image: registry.k8s.io/dns/k8s-dns-kube-dns:1.17.3 resources: limits: memory: '170Mi' requests: cpu: 100m memory: '70Mi' livenessProbe: httpGet: path: /healthcheck/kubedns port: 10054 scheme: HTTP initialDelaySeconds: 60 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 readinessProbe: httpGet: path: /readiness port: 8081 scheme: HTTP initialDelaySeconds: 3 timeoutSeconds: 5 args: - --domain=cluster.local. - --dns-port=10053 - --config-dir=/kube-dns-config - --v=2 env: - name: PROMETHEUS_PORT value: "10055" ports: - containerPort: 10053 name: dns-local protocol: UDP - containerPort: 10053 name: dns-tcp-local protocol: TCP - containerPort: 10055 name: metrics protocol: TCP volumeMounts: - name: kube-dns-config mountPath: /kube-dns-config securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 1001 - name: dnsmasq image: registry.k8s.io/dns/k8s-dns-dnsmasq-nanny:1.17.3 livenessProbe: httpGet: path: /healthcheck/dnsmasq port: 10054 scheme: HTTP initialDelaySeconds: 60 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 args: - -v=2 - -logtostderr - -configDir=/etc/k8s/dns/dnsmasq-nanny - -restartDnsmasq=true - -- - -k - --cache-size=1000 - --no-negcache - --dns-forward-max=1500 - --log-facility=- - --server=/cluster.local/127.0.0.1#10053 - --server=/in-addr.arpa/127.0.0.1#10053 - --server=/ip6.arpa/127.0.0.1#10053 ports: - containerPort: 53 name: dns protocol: UDP - containerPort: 53 name: dns-tcp protocol: TCP resources: requests: cpu: 150m memory: 20Mi volumeMounts: - name: kube-dns-config mountPath: /etc/k8s/dns/dnsmasq-nanny securityContext: capabilities: drop: - all add: - NET_BIND_SERVICE - SETGID - name: sidecar image: registry.k8s.io/dns/k8s-dns-sidecar:1.17.3 livenessProbe: httpGet: path: /metrics port: 10054 scheme: HTTP initialDelaySeconds: 60 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 args: - --v=2 - --logtostderr - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,SRV - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,SRV ports: - containerPort: 10054 name: metrics protocol: TCP resources: requests: memory: 20Mi cpu: 10m securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 1001 dnsPolicy: Default restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: kube-dns serviceAccountName: kube-dns terminationGracePeriodSeconds: 30 tolerations: - key: CriticalAddonsOnly operator: Exists volumes: - configMap: defaultMode: 420 name: kube-dns optional: true name: kube-dns-config将
DNS_DEPLOYMENT_NAME替换为自定义 kube-dns Deployment 的名称。将清单应用于集群:
kubectl create -f custom-kube-dns.yaml验证 pod 是否正在运行:
kubectl get pods -n kube-system -l=k8s-app=kube-dns输出类似于以下内容,显示自定义 kube-dns pod:
NAME READY STATUS RESTARTS AGE custom-kube-dns-5685645b44-kzs8w 3/3 Running 0 22h新 Deployment 的选择器与 kube-dns 相同,这意味着 pod 使用相同的 kube-dns 服务 IP 地址与运行自定义 kube-dns Deployment 的 pod 进行通信。
完成此步骤后,您必须按照下一部分中的步骤缩减 kube-dns。
缩减 kube-dns
使用以下命令停用 kube-dns 部署和自动扩缩器,以停用由 GKE 管理的 kube-dns:
kubectl scale deployment --replicas=0 kube-dns-autoscaler --namespace=kube-system
kubectl scale deployment --replicas=0 kube-dns --namespace=kube-system
创建自定义自动扩缩器
如果您的自定义 DNS 需要自动扩缩,则必须配置和部署单独的自动扩缩器。kube-dns-autoscaler 仅扩缩集群上的默认 kube-dns Deployment。您还需要为自动扩缩器配置自定义 ClusterRole,并添加权限以修改自定义 kube-dns 部署。
为自动扩缩器创建 ClusterRole 和 Deployment 清单,并将清单保存为
custom-dns-autoscaler.yaml:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system:custom-dns-autoscaler roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:custom-dns-autoscaler subjects: - kind: ServiceAccount name: kube-dns-autoscaler namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:custom-dns-autoscaler rules: - apiGroups: - "" resources: - nodes verbs: - list - watch - apiGroups: - apps resourceNames: - DNS_DEPLOYMENT_NAME resources: - deployments/scale verbs: - get - update - apiGroups: - "" resources: - configmaps verbs: - get - create --- apiVersion: apps/v1 kind: Deployment metadata: name: custom-dns-autoscaler namespace: kube-system labels: k8s-app: custom-dns-autoscaler spec: selector: matchLabels: k8s-app: custom-dns-autoscaler template: metadata: labels: k8s-app: custom-dns-autoscaler annotations: seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: priorityClassName: system-cluster-critical securityContext: supplementalGroups: [ 65534 ] fsGroup: 65534 nodeSelector: kubernetes.io/os: linux containers: - name: autoscaler image: registry.k8s.io/cluster-proportional-autoscaler-amd64:1.7.1 resources: requests: cpu: "20m" memory: "10Mi" command: - /cluster-proportional-autoscaler - --namespace=kube-system - --configmap=custom-dns-autoscaler - --target=Deployment/DNS_DEPLOYMENT_NAME - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}} - --logtostderr=true - --v=2 tolerations: - key: "CriticalAddonsOnly" operator: "Exists" serviceAccountName: kube-dns-autoscaler将清单应用于集群:
kubectl create -f custom-dns-autoscaler.yaml
后续步骤
- 简要了解 GKE 如何提供代管式 DNS。
- 阅读服务和 Pod 的 DNS,大致了解如何在 Kubernetes 集群中使用 DNS。