c12s-kubespray/roles/dnsmasq/defaults/main.yml

---
# Existing search/nameserver resolvconf entries will be purged and
# ensured by this additional data:

# Max of 4 names is allowed and no more than 256 - 17 chars total
# (a 2 is reserved for the 'default.svc.' and'svc.')
#searchdomains:
#  - foo.bar.lc

# Max of 2 is allowed here (a 1 is reserved for the dns_server)
#nameservers:
#  - 127.0.0.1

dns_forward_max: 150
cache_size: 1000

# Versions
dnsmasq_version: 2.72

# Images
dnsmasq_image_repo: "andyshinn/dnsmasq"
dnsmasq_image_tag: "{{ dnsmasq_version }}"

# Limits for dnsmasq/kubedns apps
dns_cpu_limit: 100m
dns_memory_limit: 170Mi
dns_cpu_requests: 70m
dns_memory_requests: 70Mi

# Linux capabilities to be dropped for dnsmasq k8s app ran container engines
dnsmasq_drop_cap:
  - chown
  - dac_override
  - fowner
  - fsetid
  - kill
  - setpcap
  - sys_chroot
  - mknod
  - audit_write
  - setfcap
Fix resolv.conf search/nameserver * Ensure additional nameserver/search, if defined as vars. * Don't backup changed dhclient hooks as they are going to be executed by dhclient as well, which is not what we want. * For debian OS family only: - Rename nodnsupdate hook the resolvconf hook to be sourced always before it. - Ensure dhclient restarted via network restart to apply the nodnsupdate hook. * For rhel OS family, the fix TBD, it doesn't work the same way. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-08-18 15:14:52 +00:00			`---`
			`# Existing search/nameserver resolvconf entries will be purged and`
			`# ensured by this additional data:`

			`# Max of 4 names is allowed and no more than 256 - 17 chars total`
			`# (a 2 is reserved for the 'default.svc.' and'svc.')`
			`#searchdomains:`
			`# - foo.bar.lc`

			`# Max of 2 is allowed here (a 1 is reserved for the dns_server)`
			`#nameservers:`
			`# - 127.0.0.1`
Parameterize several dependency endpoints so that they can be overridden with internal mirrors. Signed-off-by: Chad Swenson <chadswen@gmail.com> 2016-10-14 21:46:44 +00:00
Allow to specify number of concurrent DNS queries ndots creates overhead as every pod creates 5 concurrent connections that are forwarded to sky dns. Under some circumstances dnsmasq may prevent forwarding traffic with "Maximum number of concurrent DNS queries reached" in the logs. This patch allows to configure the number of concurrent forwarded DNS queries "dns-forward-max" as well as "cache-size" leaving the default values as they were before. Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com> 2017-01-19 09:07:37 +00:00			`dns_forward_max: 150`
			`cache_size: 1000`

Parameterize several dependency endpoints so that they can be overridden with internal mirrors. Signed-off-by: Chad Swenson <chadswen@gmail.com> 2016-10-14 21:46:44 +00:00			`# Versions`
			`dnsmasq_version: 2.72`

			`# Images`
			`dnsmasq_image_repo: "andyshinn/dnsmasq"`
Add new var skip_dnsmasq_k8s If skip_dnsmasq is set, it will still not set up dnsmasq k8s pod. This enables independent setup of resolvconf section before kubelet is up. 2016-10-26 14:56:15 +00:00			`dnsmasq_image_tag: "{{ dnsmasq_version }}"`

Tune dnsmasq/kubedns limits, replicas, logging * Add dns_replicas, dns_memory/cpu_limit/requests vars for dns related apps. * When kube_log_level=4, log dnsmasq queries as well. * Add log level control for skydns (part of kubedns app). * Add limits/requests vars for dnsmasq (part of kubedns app) and dnsmasq daemon set. * Drop string defaults for kube_log_level as it is int and is defined in the global vars as well. * Add docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-11-25 10:33:39 +00:00			`# Limits for dnsmasq/kubedns apps`
			`dns_cpu_limit: 100m`
			`dns_memory_limit: 170Mi`
			`dns_cpu_requests: 70m`
			`dns_memory_requests: 70Mi`
Drop linux capabilities and rework users/groups * Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> 2016-12-28 13:58:37 +00:00
			`# Linux capabilities to be dropped for dnsmasq k8s app ran container engines`
			`dnsmasq_drop_cap:`
			`- chown`
			`- dac_override`
			`- fowner`
			`- fsetid`
			`- kill`
			`- setpcap`
			`- sys_chroot`
			`- mknod`
			`- audit_write`
			`- setfcap`