
80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用

kubernetes组件CoreDNS

https://github.com/coredns/coredns
https://coredns.io/plugins/

  • Kubernetes的DNS解析流程案例

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_CoreDNS

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_Kubernetes_02

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_Kubernetes_03

部署CoreDNS
  • 下载官方yaml部署脚本(也可以用kubeasz集群部署时内置的coredns插件脚本)

#下载地址
https://github.com/coredns/deployment


  • 更改coredns插件脚本配置

[root@K8s-ansible ~]#ll /usr/local/src/kubernetes/cluster/addons/dns/coredns/
total 44
drwxr-xr-x 2 root root 4096 Mar 15 14:01 ./
drwxr-xr-x 5 root root 4096 Mar 15 14:01 ../
-rw-r--r-- 1 root root 1075 Mar 15 14:01 Makefile
-rw-r--r-- 1 root root 5065 Mar 15 14:01 coredns.yaml.base
-rw-r--r-- 1 root root 5115 Mar 15 14:01 coredns.yaml.in
-rw-r--r-- 1 root root 5117 Mar 15 14:01 coredns.yaml.sed
-rw-r--r-- 1 root root  344 Mar 15 14:01 transforms2salt.sed
-rw-r--r-- 1 root root  287 Mar 15 14:01 transforms2sed.sed

#Kubernetes集群中有默认的DNS解析地址,查看方式是进入pod中查看resolv.conf文件
[root@K8s-ansible ~]#kubectl exec -it net-test1 bash -n myserver
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@net-test1 /]# cat /etc/resolv.conf 
search myserver.svc.mooreyxia.local svc.mooreyxia.local mooreyxia.local mooreyxia.org mooreyxia.com
nameserver 10.100.0.2
options ndots:5
[root@net-test1 /]# exit
exit

#配置说明
--------------------------------------------------------
errors:错误信息标准输出。
health:在CoreDNS的 http://localhost:8080/health 端口提供 CoreDNS 服务的健康报告。
ready:监听8181端口,当coredns的插件都已就绪时,访问该接口会返回 200 OK。
kubernetes:CoreDNS 将基于 kubernetes service name进行 DNS 查询并返回查询记录给客户端.
prometheus:CoreDNS 的度量指标数据以 Prometheus 的key-value的格式在
http://localhost:9153/metrics URI上提供。
forward: 凡不属于Kubernetes集群内的域名查询,都将转发到预定义的上游DNS服务器,
如 /etc/resolv.conf 中配置的服务器或指定IP(如8.8.8.8)。
cache:启用 service解析缓存,单位为秒。
loop:检测域名解析是否有死循环,如coredns转发给内网DNS服务器,而内网
DNS服务器又转发给coredns,如果发现解析是死循环,则强制中止 CoreDNS 进程(kubernetes会重建)。
reload:检测corefile是否更改,在重新编辑configmap 配置后,默认2分钟后会优雅的自动加载。
loadbalance:轮询DNS域名解析, 如果一个域名存在多个记录则轮询解析。
--------------------------------------------------------
[root@K8s-ansible script]#cat coredns.yaml 
...
data:
  # Corefile read by the coredns container; every plugin listed below is active for the '.' zone on port 53.
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        #kubernetes __DNS__DOMAIN__ in-addr.arpa ip6.arpa {
        kubernetes mooreyxia.local in-addr.arpa ip6.arpa { # cluster domain
            # 'insecure' answers pod A-record queries without checking that such a pod exists
            # (kept for kube-dns compatibility); 'verified' or 'disabled' are the stricter modes.
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        # Anything outside the cluster domain goes to the upstream resolvers of the node (dnsPolicy: Default).
        forward . /etc/resolv.conf {
            max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "CoreDNS"
spec:
  # replicas: not specified here:
  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
  # 2. Default is 1.
  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      # Pod-level hardening: run under the container runtime's default seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      # Soft anti-affinity: prefer one replica per node so a single node failure does not take down all DNS.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: k8s-app
                    operator: In
                    values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
      containers:
      - name: coredns
        # image: registry.k8s.io/coredns/coredns:v1.9.3
        # Pulled from the private Harbor mirror instead of the upstream registry; pinning by digest
        # (image@sha256:...) would make the reference immutable.
        image: K8s-harbor01.mooreyxia.com/coredns/coredns:v1.9.3 # switched to the private Harbor registry
        # IfNotPresent reuses a cached image with the same tag; change the tag to roll out a new build.
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            # memory: __DNS__MEMORY__LIMIT__
            memory: 256Mi # make sure enough memory is available in production
            cpu: 200m # make sure enough CPU is available in production
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        # /health on 8080 and /ready on 8181 are served by the 'health' and 'ready' Corefile plugins.
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /ready
            port: 8181
            scheme: HTTP
        # Container-level hardening: no privilege escalation, all capabilities dropped except
        # NET_BIND_SERVICE (needed for port 53), read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
      # Default = use the node's resolver configuration, which 'forward . /etc/resolv.conf' relies on.
      dnsPolicy: Default
      volumes:
        - name: config-volume
          configMap:
            name: coredns
            items:
            - key: Corefile
              path: Corefile
---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  annotations:
    # Lets Prometheus discover and scrape the CoreDNS metrics endpoint.
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "CoreDNS"
spec:
  selector:
    k8s-app: kube-dns
#  clusterIP: __DNS__SERVER__
  # Fixed cluster IP; it must match the 'nameserver' pods receive in /etc/resolv.conf (10.100.0.2 on this cluster).
  clusterIP: 10.100.0.2 # the default DNS resolver address for the cluster
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
  # Metrics are reachable from inside the cluster through this Service as well as the pod port.
  - name: metrics
    port: 9153
    protocol: TCP


#生成配置
[root@K8s-ansible script]#kubectl apply -f coredns.yaml 
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.apps/coredns created
service/kube-dns created

#配置了kube-dns的service
[root@K8s-ansible ~]#kubectl get svc -A
NAMESPACE     NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP                  27m
kube-system   kube-dns     ClusterIP   10.100.0.2   <none>        53/UDP,53/TCP,9153/TCP   11m
#运行coredns的Pod
[root@K8s-ansible ~]#kubectl get pod -A -o wide 
NAMESPACE     NAME                                       READY   STATUS    RESTARTS      AGE   IP               NODE             NOMINATED NODE   READINESS GATES
...
kube-system   coredns-6b6f6898b4-98prz                   1/1     Running   0             50s   10.200.67.1      192.168.11.215   <none>           <none>

#测试Pod的DNS解析
[root@K8s-ansible ~]#kubectl exec -it net-test1 bash -n myserver
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@net-test1 /]# cat /etc/resolv.conf 
search myserver.svc.mooreyxia.local svc.mooreyxia.local mooreyxia.local mooreyxia.org mooreyxia.com
nameserver 10.100.0.2
options ndots:5
[root@net-test1 /]# ping www.baidu.com
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=1 ttl=53 time=27.7 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=2 ttl=53 time=26.4 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=3 ttl=53 time=27.1 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=4 ttl=53 time=27.1 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 6998ms
rtt min/avg/max/mdev = 26.414/27.128/27.782/0.512 ms

CoreDNS性能优化

#常用配置说明
--------------------------------------------------------
errors:错误信息标准输出。
health:在CoreDNS的 http://localhost:8080/health 端口提供 CoreDNS 服务的健康报告。
ready:监听8181端口,当coredns的插件都已就绪时,访问该接口会返回 200 OK。
kubernetes:CoreDNS 将基于 kubernetes service name进行 DNS 查询并返回查询记录给客户端.
prometheus:CoreDNS 的度量指标数据以 Prometheus 的key-value的格式在
http://localhost:9153/metrics URI上提供。
forward: 凡不属于Kubernetes集群内的域名查询,都将转发到预定义的上游DNS服务器,
如 /etc/resolv.conf 中配置的服务器或指定IP(如8.8.8.8)。
cache:启用 service解析缓存,单位为秒。
loop:检测域名解析是否有死循环,如coredns转发给内网DNS服务器,而内网
DNS服务器又转发给coredns,如果发现解析是死循环,则强制中止 CoreDNS 进程(kubernetes会重建)。
reload:检测corefile是否更改,在重新编辑configmap 配置后,默认2分钟后会优雅的自动加载。
loadbalance:轮询DNS域名解析, 如果一个域名存在多个记录则轮询解析。
--------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
  labels:
      addonmanager.kubernetes.io/mode: EnsureExists
data:
  # Corefile read by the coredns container; the 'reload' plugin picks up edits to this ConfigMap.
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes mooreyxia.local in-addr.arpa ip6.arpa {
            # 'insecure' answers pod A-record queries without checking that such a pod exists
            # (kept for kube-dns compatibility); 'verified' or 'disabled' are the stricter modes.
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        # Anything outside the cluster domain goes to the upstream resolvers of the node.
        forward . /etc/resolv.conf {
            max_concurrent 1000
        }
        # Cache TTL in seconds; the main lever for reducing upstream query volume.
        cache 30
        loop
        reload
        loadbalance
    }
---

#DNS解析加速优化
limits:
    memory: __DNS__MEMORY__LIMIT__     #资源限制生产环境4G以上

kind: Deployment
...
spec:
 replicas: NUMBER #DNS服务开多副本,负载均衡
 
 cache 30 #DNS缓存开启

kubernetes组件-官方dashboard
部署dashboard

https://github.com/kubernetes/dashboard

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_CoreDNS_04

  • 获取部署文件并安装

[root@K8s-ansible script]#cd dashboard-v2.7.0/
[root@K8s-ansible dashbord-v2.7.0]#wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
[root@K8s-ansible dashboard-v2.7.0]#ls
recommended.yaml

#更改配置文件
#1.更换下载源到私有harbor
[root@K8s-ansible dashboard-v2.7.0]#cat recommended.yaml |grep harbor
          image: K8s-harbor01.mooreyxia.com/kubernetes/kubernetesui/dashboard:v2.7.0
          image: K8s-harbor01.mooreyxia.com/kubernetes/kubernetesui/metrics-scraper:v1.0.8

#2.对外暴露服务端口
[root@K8s-ansible dashboard-v2.7.0]#cat recommended.yaml 
...

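kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # NodePort publishes the dashboard on port 30000 of every node's IP (https://<node-ip>:30000/).
  # Anything that can reach a node can reach the login page, so limit the port at the network
  # edge or front it with an authenticated ingress.
  type: NodePort # expose the service outside the cluster
  ports:
    - port: 443
      targetPort: 8443
      # The API field is camelCase 'nodePort'. The lowercase 'nodeport' is not a known field:
      # strict validation rejects the manifest, and clients that drop unknown fields would leave
      # the port randomly allocated, so https://<node-ip>:30000/ would not answer.
      # The value must fall within the cluster's configured NodePort range.
      nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard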

#创建服务
[root@K8s-ansible dashboard-v2.7.0]#kubectl apply -f recommended.yaml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

[root@K8s-ansible ~]#kubectl get pod -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-6c6f999b45-kzpvp   1/1     Running   0          2m56s
kubernetes-dashboard-fc76cd84f-b29zs         1/1     Running   0          2m56s

#访问https://192.168.11.214:30000/

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_CoreDNS_05

  • 创建登录用户Token

#创建用户
[root@K8s-ansible dashboard-v2.7.0]#cat admin-user.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants unrestricted access to every resource in every namespace, so anyone
  # holding a token for admin-user effectively owns the cluster. For routine dashboard use,
  # bind a narrower built-in role (view / edit / admin) or a custom one, and scope it to the
  # required namespaces with a RoleBinding where possible.
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

[root@K8s-ansible dashboard-v2.7.0]#kubectl apply -f admin-user.yaml 
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created

#生成用户密码
[root@K8s-ansible dashboard-v2.7.0]#cat admin-secret.yaml 
apiVersion: v1
kind: Secret
# A service-account-token Secret makes the control plane mint a long-lived token for the
# account: it does not expire and stays valid until this Secret is deleted. Treat the value
# printed by 'kubectl describe' as a password. For a short-lived login token, prefer
# 'kubectl create token admin-user -n kubernetes-dashboard' (TokenRequest API) instead.
type: kubernetes.io/service-account-token
metadata:
  name: dashboard-admin-user
  namespace: kubernetes-dashboard 
  annotations:
    # Ties the generated token to the admin-user ServiceAccount.
    kubernetes.io/service-account.name: "admin-user"

[root@K8s-ansible dashboard-v2.7.0]#kubectl apply -f admin-secret.yaml 
secret/dashboard-admin-user created

#查看登录Token
[root@K8s-ansible dashboard-v2.7.0]#kubectl get secrets -A |grep dashboard-admin-user
kubernetes-dashboard   dashboard-admin-user              kubernetes.io/service-account-token   3      40s

[root@K8s-ansible dashboard-v2.7.0]#kubectl describe secrets dashboard-admin-user -n kubernetes-dashboard
Name:         dashboard-admin-user
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: e03c53f4-d159-4008-804b-970912fe556e

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImhIMHhCWW1iOFRhbXNjdDAyQUg5YVE3RUVuRjNxTDZReXhnUzJqbnRpTzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTAzYzUzZjQtZDE1OS00MDA4LTgwNGItOTcwOTEyZmU1NTZlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmFkbWluLXVzZXIifQ.lVHgpVsH0G0Rsq-OLST8zTeH48GlLUZDcPTjYSAh1MnOFDhylKofJUjjv68t0nkQ71xZnsqEs89qekakC1UfkTmpRgbHjRVisYdPPqO7Y-D6RqDJUC_FMArPRZaTONta7ZKCs6j99zp8VrFB4BajBdNvpXJ1YsawCFE6ZNssVkL2Wjdy8mkpb8xYQX1XDrEvFaNHX67IRkcQDiF-k8rZeSOVvHlqzHKgeeg4OBblb2yNwVDc8X6FdmZXfTvA768t9rkmq1VJ4U2dRBmHAgMNZN5iD4YjNphNkCMzAZQJm4glkxvAD7nDpGX6CT_4boskv4jHOITbkXUjDPpf_VZyJg
ca.crt:     1310 bytes
namespace:  20 bytes

#复制token进行登录即可(该token是长期有效的凭据,请妥善保管,不要公开发布;删除对应的Secret即可使其失效)

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_DashBoard_06

80-云原生操作系统-配置CoreDNS实现Pod域名解析及DashBoard安装使用_CoreDNS_07

我是moore.大家一起加油!!!
