From 0a687a22ffd8e38ca7983f04e277cb20f43ca0e9 Mon Sep 17 00:00:00 2001
From: Sergii Golovatiuk
Date: Thu, 20 Apr 2017 11:07:34 +0200
Subject: [PATCH 1/2] Change DNS policy for kubernetes components

According to code apiserver, scheduler, controller-manager, proxy don't use resolution of objects they created. It's not harmful to change policy to have external resolver.

Signed-off-by: Sergii Golovatiuk
---
 .../master/templates/manifests/kube-apiserver.manifest.j2 | 2 +-
 .../templates/manifests/kube-controller-manager.manifest.j2 | 2 +-
 .../master/templates/manifests/kube-scheduler.manifest.j2 | 2 +-
 .../kubernetes/node/templates/manifests/kube-proxy.manifest.j2 | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index ae014f8d3..b0f1a2f53 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -9,7 +9,7 @@ metadata:
 spec:
 hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
- dnsPolicy: ClusterFirstWithHostNet
+ dnsPolicy: ClusterFirst
 {% endif %}
 containers:
 - name: kube-apiserver
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index b483047db..d3f8a23a5 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -8,7 +8,7 @@ metadata:
 spec:
 hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
- dnsPolicy: ClusterFirstWithHostNet
+ dnsPolicy: ClusterFirst
 {% endif %}
 containers:
 - name: kube-controller-manager
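Review bot: With `hostNetwork: true` two lines above, `dnsPolicy: ClusterFirst` is treated by the kubelet as `Default`, so the new line leaves these pods resolving through the node's /etc/resolv.conf exactly as the commit message intends, but the manifest does not say so and a later reader may assume cluster DNS is in use. Since `ClusterFirst` is also the default policy and predates 1.6, the surrounding `{% if kube_version | version_compare('v1.6', '>=') %}` guard — only needed because `ClusterFirstWithHostNet` first appeared in 1.6 — is now redundant. Either drop the guarded block or state the intent explicitly with `dnsPolicy: Default` plus `# hostNetwork pod: resolves via the node's resolv.conf, not cluster DNS`. The same applies to the kube-controller-manager hunk that follows and to the kube-scheduler and kube-proxy hunks in the next file sections. Whether any of these components relies on in-cluster service names (for example webhooks or an external etcd) is not visible here; if so, the node resolver must be able to resolve them.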
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index 694450ce7..441f991eb 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -8,7 +8,7 @@ metadata:
 spec:
 hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
- dnsPolicy: ClusterFirstWithHostNet
+ dnsPolicy: ClusterFirst
 {% endif %}
 containers:
 - name: kube-scheduler
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 745c671d8..9b7d53857 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -8,7 +8,7 @@ metadata:
 spec:
 hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
- dnsPolicy: ClusterFirstWithHostNet
+ dnsPolicy: ClusterFirst
 {% endif %}
 containers:
 - name: kube-proxy

From f061ce63b3c33ebb97dc36aca1e2540300778be0 Mon Sep 17 00:00:00 2001
From: Sergii Golovatiuk
Date: Thu, 20 Apr 2017 11:24:43 +0200
Subject: [PATCH 2/2] Add aws to default_resolver

When VPC is used, external DNS might not be available. This patch change behavior to use metadata service instead of external DNS when upstream_dns_servers is not specified.

Signed-off-by: Sergii Golovatiuk
---
 roles/kubernetes/preinstall/tasks/set_resolv_facts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml b/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
index ffea74b40..1f2b82cc1 100644
--- a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
@@ -16,7 +16,7 @@
 {{dns_domain}}.{{d}}./{{d}}.{{d}}./com.{{d}}./
 {%- endfor %}
 default_resolver: >-
- {%- if cloud_provider is defined and cloud_provider == 'gce' -%}169.254.169.254{%- else -%}8.8.8.8{%- endif -%}
+ {%- if cloud_provider is defined and cloud_provider in [ 'gce', 'aws' ] -%}169.254.169.254{%- else -%}8.8.8.8{%- endif -%}
 
 - name: check if kubelet is configured
 stat:
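Review bot: The added branch sends AWS hosts to 169.254.169.254, which on EC2 is the instance metadata service (an HTTP endpoint) and does not answer DNS; on GCE the same address is the metadata server, which does serve DNS, so `cloud_provider in [ 'gce', 'aws' ]` conflates two different services behind one link-local IP. The Amazon-provided VPC resolver is at 169.254.169.253 (also reachable at the VPC CIDR base + 2), so with upstream_dns_servers unset an AWS node would be handed a default resolver that never responds. Suggest separating the cases: `{%- if cloud_provider is defined and cloud_provider == 'gce' -%}169.254.169.254{%- elif cloud_provider is defined and cloud_provider == 'aws' -%}169.254.169.253{%- else -%}8.8.8.8{%- endif -%}`, and correcting the commit message, which describes the metadata service as a DNS source. A comment above `default_resolver:` such as `# per-cloud resolver: GCE metadata server / AWS VPC DNS; public fallback otherwise` would help, since neither address is self-describing. The enclosing task begins above the hunk.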