From 6f6274d0d9172a40af55f39e13bb0ac40258cbff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Thu, 15 Nov 2018 18:52:12 +0100
Subject: [PATCH] Update CoreDNS, KubeDNS and Autoscaler to newest templates (#3711)

* Update DNS Autoscaler to latest
* Update CoreDNS to latest
* Update KubeDNS to latest
* Add KubeDNS config map
* Fix filename
* Add missing selector to DNS Autoscaler
* Add missing tolerations
---
 roles/download/defaults/main.yml | 2 +-
 roles/kubernetes-apps/ansible/defaults/main.yml | 2 ++
 roles/kubernetes-apps/ansible/tasks/kubedns.yml | 1 +
 .../ansible/templates/coredns-clusterrole.yml.j2 | 9 ++++++++-
 .../templates/coredns-clusterrolebinding.yml.j2 | 3 ++-
 .../ansible/templates/coredns-config.yml.j2 | 2 ++
 .../ansible/templates/coredns-deployment.yml.j2 | 8 +++++---
 .../ansible/templates/coredns-sa.yml.j2 | 3 +++
 .../ansible/templates/coredns-svc.yml.j2 | 1 +
 .../templates/dns-autoscaler-clusterrole.yml.j2 | 7 ++++---
 .../dns-autoscaler-clusterrolebinding.yml.j2 | 11 ++++++-----
 .../ansible/templates/dns-autoscaler-sa.yml.j2 | 4 +++-
 .../ansible/templates/dns-autoscaler.yml.j2 | 15 ++++++++++++---
 .../ansible/templates/kubedns-config.yml.j2 | 8 ++++++++
 .../ansible/templates/kubedns-deploy.yml.j2 | 6 ++++--
 .../ansible/templates/kubedns-sa.yml.j2 | 1 +
 16 files changed, 63 insertions(+), 20 deletions(-)
 create mode 100644 roles/kubernetes-apps/ansible/templates/kubedns-config.yml.j2

diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 31f577c10..bd89b4f7f 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -181,7 +181,7 @@ dnsmasq_sidecar_image_tag: "{{ kubedns_version }}"
 dnsmasqautoscaler_version: 1.1.2
 dnsmasqautoscaler_image_repo: "gcr.io/google_containers/cluster-proportional-autoscaler-{{ image_arch }}"
 dnsmasqautoscaler_image_tag: "{{ dnsmasqautoscaler_version }}"
-dnsautoscaler_version: 1.2.0
+dnsautoscaler_version: 1.3.0
 dnsautoscaler_image_repo: "gcr.io/google_containers/cluster-proportional-autoscaler-{{ image_arch }}"
 dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}"
 test_image_repo: busybox
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index ff2bbd3f2..8b851e086 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -9,6 +9,8 @@ dns_cpu_requests: 100m
 dns_memory_requests: 70Mi
 dns_min_replicas: 2
 dns_nodes_per_replica: 10
+dns_cores_per_replica: 20
+dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas > '1' else 'false' }}"
 
 # Images
 image_arch: "{{host_architecture}}"
diff --git a/roles/kubernetes-apps/ansible/tasks/kubedns.yml b/roles/kubernetes-apps/ansible/tasks/kubedns.yml
index 99a357698..0627a5fca 100644
--- a/roles/kubernetes-apps/ansible/tasks/kubedns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/kubedns.yml
@@ -6,6 +6,7 @@
     dest: "{{ kube_config_dir }}/{{ item.file }}"
   with_items:
     - { name: kube-dns, file: kubedns-sa.yml, type: sa }
+    - { name: kube-dns, file: kubedns-config.yml, type: configmap }
     - { name: kube-dns, file: kubedns-deploy.yml, type: deployment }
     - { name: kube-dns, file: kubedns-svc.yml, type: svc }
     - { name: dns-autoscaler, file: dns-autoscaler-sa.yml, type: sa }
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
index 812d95211..248cd8cb2 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
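Review bot: `dns_prevent_single_point_failure` compares the integer default `dns_min_replicas: 2` against the string `'1'`, so the new expression cannot produce the intended value: under Python 3 Jinja2 raises `TypeError` for an `int > str` comparison and the play aborts, and under Python 2 the mixed-type comparison orders numbers below strings and always yields `'false'`, silently disabling the single-point-of-failure protection it is named for. Because the rendered value is spliced verbatim into the autoscaler's `--default-params` JSON in `dns-autoscaler.yml.j2`, write it as `dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"`, which also tolerates a user overriding `dns_min_replicas` as a quoted string. A short comment above it would help the next reader, e.g. `# keep more than one DNS pod whenever more than one replica is requested`.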
+++ b/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
@@ -1,9 +1,10 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: Reconcile
   name: system:coredns
 rules:
 - apiGroups:
@@ -16,3 +17,9 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
index bbda5ebc4..7c79ccfde 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
@@ -1,11 +1,12 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: EnsureExists
   name: system:coredns
 roleRef:
   apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
index 928f82cdf..1df7b148f 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
@@ -4,6 +4,8 @@ kind: ConfigMap
 metadata:
   name: coredns
   namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
 data:
   Corefile: |
     .:53 {
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
index 8e98ecaf7..a1da84eb4 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
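Review bot: The new rule grants the `coredns` ServiceAccount `get` on every `nodes` object cluster-wide, and nothing in this patch shows which Corefile plugin needs it — the bundled Corefile in `coredns-config.yml.j2` is not changed here. Node objects carry addresses, labels and status for the whole cluster, so if the shipped Corefile does not enable a plugin that looks up nodes, this is unused privilege handed to one of the most network-exposed pods in `kube-system`, and a compromised CoreDNS container could use it to map the cluster. Either document the consumer above the rule, e.g. `# nodes/get: required by the <plugin> plugin in the Corefile; drop if that plugin is disabled` with the real plugin filled in, or gate the rule on the variable that enables that feature so a minimal Corefile gets a minimal ClusterRole.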
@@ -2,10 +2,12 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: coredns{{ coredns_ordinal_suffix | default('') }}
+  name: "coredns{{ coredns_ordinal_suffix | default('') }}"
   namespace: kube-system
   labels:
-    k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
+    k8s-app: "coredns{{ coredns_ordinal_suffix | default('') }}"
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
     kubernetes.io/name: "coredns{{ coredns_ordinal_suffix | default('') }}"
 spec:
   strategy:
@@ -21,7 +23,7 @@ spec:
       labels:
         k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
       annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
 {% if kube_version is version('v1.11.1', '>=') %}
       priorityClassName: system-cluster-critical
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
index 8d2b47c46..8b661936e 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
@@ -4,3 +4,6 @@ kind: ServiceAccount
 metadata:
   name: coredns
   namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
index 1eb3947ad..75513f59e 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
@@ -8,6 +8,7 @@ metadata:
     k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "coredns{{ coredns_ordinal_suffix | default('') }}"
+    addonmanager.kubernetes.io/mode: Reconcile
   annotations:
     prometheus.io/path: /metrics
     prometheus.io/port: "9153"
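Review bot: Replacing `scheduler.alpha.kubernetes.io/critical-pod: ''` with the seccomp annotation drops CoreDNS's critical-pod marking on clusters older than v1.11.1, because the `priorityClassName: system-cluster-critical` line two lines below is only rendered for `kube_version >= v1.11.1`; on the older versions this template still supports, the DNS pods lose whatever critical-pod treatment the cluster gives that annotation. The same commit keeps the annotation in `dns-autoscaler.yml.j2` and `kubedns-deploy.yml.j2`, so the removal here looks accidental rather than deliberate. Keep both lines under `annotations:`: `scheduler.alpha.kubernetes.io/critical-pod: ''` followed by `seccomp.security.alpha.kubernetes.io/pod: 'docker/default'` — the seccomp profile itself is a welcome hardening step. The pod spec continues outside the hunk; note also that this Deployment stays on `extensions/v1beta1` while `dns-autoscaler.yml.j2` in the same commit moves to `apps/v1`.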
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrole.yml.j2
index dba3ff73d..772ad8626 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrole.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrole.yml.j2
@@ -14,10 +14,11 @@
 # limitations under the License.
 
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cluster-proportional-autoscaler
-  namespace: kube-system
+  name: system:dns-autoscaler
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrolebinding.yml.j2
index 3b11c6b9f..da1a0a917 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-clusterrolebinding.yml.j2
@@ -14,15 +14,16 @@
 # limitations under the License.
 
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cluster-proportional-autoscaler
-  namespace: kube-system
+  name: system:dns-autoscaler
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
 subjects:
   - kind: ServiceAccount
-    name: cluster-proportional-autoscaler
+    name: dns-autoscaler
     namespace: kube-system
 roleRef:
   kind: ClusterRole
-  name: cluster-proportional-autoscaler
+  name: system:dns-autoscaler
   apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-sa.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-sa.yml.j2
index 4c440f653..3ce9b5137 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler-sa.yml.j2
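Review bot: Renaming the ClusterRole and ClusterRoleBinding to `system:dns-autoscaler` and the subject ServiceAccount to `dns-autoscaler` creates new objects, but nothing in this patch removes the old `cluster-proportional-autoscaler` ones, so on an upgraded cluster the stale binding keeps granting the old ServiceAccount — and its auto-generated token Secret in `kube-system` — the `nodes` access shown in the role hunk plus whatever the rest of that role grants below the hunk. That is standing, unused privilege that a leaked token could still exercise. Add a cleanup task, run after the new manifests are applied, that deletes `clusterrolebinding/cluster-proportional-autoscaler`, `clusterrole/cluster-proportional-autoscaler` and `serviceaccount/cluster-proportional-autoscaler` (the last one namespaced to `kube-system`) while ignoring not-found errors. A one-line comment above the `subjects:` block noting that the names follow the upstream dns-horizontal-autoscaler manifest would also explain the `system:` prefix to the next reader, if that is indeed the intent.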
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler-sa.yml.j2
@@ -16,5 +16,7 @@
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: cluster-proportional-autoscaler
+  name: dns-autoscaler
   namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
index d894eebf2..df86b1025 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: dns-autoscaler
@@ -23,10 +23,16 @@ metadata:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
+  selector:
+    matchLabels:
+      k8s-app: dns-autoscaler
   template:
     metadata:
       labels:
         k8s-app: dns-autoscaler
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
 {% if kube_version is version('v1.11.1', '>=') %}
       priorityClassName: system-cluster-critical
@@ -63,7 +69,7 @@ spec:
         command:
           - /cluster-proportional-autoscaler
           - --namespace=kube-system
-          - --default-params={"linear":{"nodesPerReplica":{{ dns_nodes_per_replica }},"min":{{ dns_min_replicas }}}}
+          - --default-params={"linear":{"preventSinglePointFailure":{{ dns_prevent_single_point_failure }},"coresPerReplica":{{ dns_cores_per_replica }},"nodesPerReplica":{{ dns_nodes_per_replica }},"min":{{ dns_min_replicas }}}}
           - --logtostderr=true
           - --v=2
           - --configmap=dns-autoscaler
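Review bot: The `--default-params` JSON is still assembled by plain string interpolation, so the new `preventSinglePointFailure` field breaks as soon as a user overrides `dns_prevent_single_point_failure` with a YAML boolean instead of the quoted `'true'`/`'false'` the defaults produce: Jinja renders Python's `True`, which is not valid JSON, and the autoscaler will presumably reject its defaults and leave cluster DNS without scaling. Normalise the values where they are spliced in, e.g. `- --default-params={"linear":{"preventSinglePointFailure":{{ dns_prevent_single_point_failure | lower }},"coresPerReplica":{{ dns_cores_per_replica | int }},"nodesPerReplica":{{ dns_nodes_per_replica | int }},"min":{{ dns_min_replicas | int }}}}`, so both a boolean and a string override render as lower-case JSON literals and the numeric fields cannot carry stray quotes. A comment above the flag describing what `preventSinglePointFailure` and `coresPerReplica` do for the 1.3.0 autoscaler (this commit bumps the image to that version) would help, since the defaults file gives no hint; check the wording against the autoscaler's own documentation. The container spec continues outside the hunk.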
@@ -73,4 +79,7 @@ spec:
 {% if dns_mode in ['kubedns', 'dnsmasq_kubedns'] %}
           - --target=Deployment/kube-dns
 {% endif %}
-      serviceAccountName: cluster-proportional-autoscaler
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+      serviceAccountName: dns-autoscaler
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-config.yml.j2
new file mode 100644
index 000000000..b271e37c1
--- /dev/null
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-config.yml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
index 37ed1db4e..ef9fa5dbf 100644
--- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
@@ -26,6 +26,7 @@ spec:
         k8s-app: kube-dns
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
 {% if kube_version is version('v1.11.1', '>=') %}
       priorityClassName: system-cluster-critical
@@ -135,6 +136,7 @@ spec:
         - --
         - -k
         - --cache-size=1000
+        - --no-negcache
         - --dns-loop-detect
         - --log-facility=-
         - --server=/{{ dns_domain }}/127.0.0.1#10053
@@ -169,8 +171,8 @@ spec:
         args:
         - --v={{ kube_log_level }}
         - --logtostderr
-        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ dns_domain }},5,A
-        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ dns_domain }},5,A
+        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ dns_domain }},5,SRV
+        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ dns_domain }},5,SRV
         ports:
         - containerPort: 10054
           name: metrics
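Review bot: The new `kube-dns` ConfigMap is created with no `data` section and no comment, and nothing in this patch shows what reads it; if it is the ConfigMap kube-dns consults for `stubDomains` and `upstreamNameservers` (the name matches that convention — confirm against the kube-dns container args in `kubedns-deploy.yml.j2`, which the hunks here do not show), then the file should say so, because anyone who can update that ConfigMap can redirect every cluster DNS lookup to a resolver of their choosing. Suggest a header comment such as `# Optional kube-dns settings (stubDomains, upstreamNameservers); shipped empty so operators can populate it`. Also check that the task applying this template does not overwrite operator-added `data` on the next run — the `EnsureExists` label hints that user edits are meant to survive, but that label only means something to the addon manager, not to this role's apply step.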
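Review bot: `--no-negcache` is added to the dnsmasq sidecar's arguments without a comment, and it changes the load and abuse profile of the DNS tier: dnsmasq stops caching NXDOMAIN/NODATA answers, so every negative lookup — with the usual `ndots:5` search-path expansion that is most lookups for external names — is forwarded to kube-dns on `127.0.0.1#10053`, and the 1000-entry cache configured one line above no longer damps a burst of lookups for non-existent names from a misbehaving or hostile pod. If this mirrors the upstream kube-dns manifest (I believe it does) that is a reasonable trade, but record the reason next to the flag, e.g. `# --no-negcache: never cache negative answers, so a name that did not exist a moment ago resolves as soon as kube-dns knows it — confirm rationale against upstream`. The container args list continues outside the hunk.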
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
index 296a3a938..fe8173a31 100644
--- a/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
@@ -6,3 +6,4 @@ metadata:
   namespace: kube-system
   labels:
     kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile