概要
External-DNS 提供了编程方式管理 Kubernetes Ingress 资源的 DNS 的功能,方便用户从 Ingress 管理 DNS 解析记录。而在 kubernetes federation v2 环境中,使用 External-DNS 可以快速的管理多个联邦集群的 Ingress DNS 解析,降低用户的操作成本。下面将简单介绍在阿里云容器服务环境中,如何使用 External-DNS 管理联邦集群的 Ingress DNS 解析。
联邦集群准备
参考阿里云 Kubernetes 容器服务上体验 Federation v2 搭建两个集群组成的联邦集群(配置好 kubeconfig,并完成两个集群的 join)。
配置 RAM 信息
选择 Kubernetes 集群节点列表内任意一个 Worker 节点,打开对应的节点列表信息页面。
找到对应的 RAM 角色,打开 RAM 控制台,找到对应的角色名称,添加【AliyunDNSFullAccess】权限。
注意: 每个集群都需要配置 RAM 信息 。
部署 External-DNS
配置 RBAC
执行下面 yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: external-dns
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
- apiGroups: ["multiclusterdns.federation.k8s.io"]
resources: ["dnsendpoints"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: default
部署 External-DNS 服务
执行下面 yaml:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: external-dns
spec:
strategy:
type: Recreate
template:
metadata:
labels:
app: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: registry.cn-beijing.aliyuncs.com/acs/external-dns:v0.5.8-27
args:
- --source=crd
- --crd-source-apiversion=multiclusterdns.federation.k8s.io/v1alpha1
- --crd-source-kind=DNSEndpoint
- --provider=alibabacloud
- --policy=sync # enable full synchronization
- --registry=txt
- --txt-prefix=cname
- --txt-owner-id=my-identifier
- --alibaba-cloud-config-file= # enable sts token
volumeMounts:
- mountPath: /usr/share/zoneinfo
name: hostpath
volumes:
- name: hostpath
hostPath:
path: /usr/share/zoneinfo
type: Directory
部署验证资源
创建 FederatedDeployment 和 FederatedService:
apiVersion: v1
kind: Namespace
metadata:
name: test-namespace
---
apiVersion: types.federation.k8s.io/v1alpha1
kind: FederatedNamespace
metadata:
name: test-namespace
namespace: test-namespace
spec:
placement:
clusterNames:
- cluster1
- cluster2
---
apiVersion: types.federation.k8s.io/v1alpha1
kind: FederatedDeployment
metadata:
name: test-deployment
namespace: test-namespace
spec:
template:
metadata:
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 500m
requests:
cpu: 200m
placement:
clusterNames:
- cluster1
- cluster2
---
apiVersion: types.federation.k8s.io/v1alpha1
kind: FederatedService
metadata:
name: test-service
namespace: test-namespace
spec:
template:
spec:
selector:
app: nginx
type: ClusterIP
ports:
- name: http
port: 80
placement:
clusterNames:
- cluster2
- cluster1
各个集群 ingress 创建信息如下:
kubectl get ingress -n test-namespace --context cluster1
NAME HOSTS ADDRESS PORTS AGE
test-ingress * 47.93.69.121 80 54m
kubectl get ingress -n test-namespace --context cluster2
NAME HOSTS ADDRESS PORTS AGE
test-ingress * 39.106.232.23 80 54m
创建 FederatedIngress 和 IngressDNSRecord
apiVersion: types.federation.k8s.io/v1alpha1
kind: FederatedIngress
metadata:
name: test-ingress
namespace: test-namespace
spec:
template:
spec:
backend:
serviceName: test-service
servicePort: 80
placement:
clusterNames:
- cluster2
- cluster1
---
apiVersion: multiclusterdns.federation.k8s.io/v1alpha1
kind: IngressDNSRecord
metadata:
name: test-ingress
namespace: test-namespace
spec:
hosts:
- ingress-example.example-domain.club
recordTTL: 600
其中【ingress-example.example-domain.club】为测试阿里云托管的域名,请提前在阿里云上购买域名,并注意替换。
DNS 解析验证
dig +short @dns7.hichina.com ingress-example.example-domain.club
47.93.69.121
39.106.232.23
可以看到我们绑定的域名已经解析到了 cluster1 和 cluster2 的 ingress IP 上了。
访问域名相应的服务:
curl ingress-example.sigma-host.club
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
总结
通过上面介绍,可以看到使用 External-DNS 可以非常方便的管理 federation-v2 环境下的 Ingress DNS 解析。
本文作者:钧博
阅读原文
本文为云栖社区原创内容,未经允许不得转载。