Add maintenance toleration for kubedns
[ta/caas-kubedns.git] / ansible / roles / kubedns / templates / kubedns-deployment.yml
1 {#
2 Copyright 2019 Nokia
3
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
7
8     http://www.apache.org/licenses/LICENSE-2.0
9
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
15 #}
16 ---
17 apiVersion: apps/v1
18 kind: DaemonSet
19 metadata:
20   name: kube-dns
21   namespace: kube-system
22   labels:
23     {{ caas.kubernetes_component_label }}: kube-dns
24     kubernetes.io/cluster-service: "true"
25     addonmanager.kubernetes.io/mode: Reconcile
26 spec:
27   selector:
28     matchLabels:
29       {{ caas.kubernetes_component_label }}: kube-dns
30   template:
31     metadata:
32       labels:
33         {{ caas.kubernetes_component_label }}: kube-dns
34       annotations:
35         scheduler.alpha.kubernetes.io/critical-pod: ''
36         scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
37     spec:
38       priorityClassName: "system-cluster-critical"
39       hostNetwork: true
40       nodeSelector:
41         nodetype: caas_master
42       tolerations:
43       - key: "CriticalAddonsOnly"
44         operator: "Exists"
45       - key: "node-maintenancemode"
46         value: "enabled"
47         operator: "Equal"
48         effect: "NoExecute"
49       volumes:
50       - name: time-mount
51         hostPath:
52           path: /etc/localtime
53       - name: secret
54         hostPath:
55           path: /etc/kubernetes/ssl
56       - name: secret-root-ca
57         hostPath:
58           path: /etc/openssl/ca.pem
59       - name: resolv
60         hostPath:
61           path: /etc/resolv.conf
62       - name: kubeconfig
63         hostPath:
64           path: /etc/kubernetes/kubeconfig
65       - name: external-dns-conf
66         configMap:
67           name: external-dns-cm
68       containers:
69       - name: kubedns
70         image: {{ container_image_names | select('search', '/kubedns') | list | last }}
71         securityContext:
72           runAsUser: {{ caas.uid.kubedns }}
73         resources:
74           # TODO: Set memory limits when we've profiled the container for large
75           # clusters, then set request = limit to keep this container in
76           # guaranteed class. Currently, this container falls into the
77           # "burstable" category so the kubelet doesn't backoff from restarting it.
78           limits:
79             memory: 170Mi
80           requests:
81             cpu: 10m
82             memory: 70Mi
83         livenessProbe:
84           tcpSocket:
85             port: 10053
86           initialDelaySeconds: 60
87           timeoutSeconds: 5
88           successThreshold: 1
89           failureThreshold: 5
90         readinessProbe:
91           httpGet:
92             path: /readiness
93             port: 8081
94             scheme: HTTP
95           # we poll on pod startup for the Kubernetes master service and
96           # only setup the /readiness HTTP server once that's available.
97           initialDelaySeconds: 3
98           timeoutSeconds: 5
99         command:
100         - /usr/bin/kube-dns
101         args:
102         - --domain={{ caas.dns_domain }}.
103         - --dns-port=10053
104         - --config-dir=/etc/dns_config
105         - --v=2
106         ports:
107         - containerPort: 10053
108           name: dns-local
109           protocol: UDP
110         - containerPort: 10053
111           name: dns-tcp-local
112           protocol: TCP
113         - containerPort: 10055
114           name: metrics
115           protocol: TCP
116         resources:
117           requests:
118             cpu: 10m
119             memory: 70Mi
120         volumeMounts:
121         - name: time-mount
122           mountPath: /etc/localtime
123           readOnly: true
124         - name: secret
125           mountPath: /etc/kubernetes/ssl
126           readOnly: true
127         - name: secret-root-ca
128           mountPath: /etc/openssl/ca.pem
129           readOnly: true
130         - name: kubeconfig
131           mountPath: /etc/kubernetes/kubeconfig
132           readOnly: true
133         - name: resolv
134           mountPath: /etc/resolv.conf
135         - name: external-dns-conf
136           mountPath: /etc/dns_config
137       - name: dnsmasq
138         image: {{ container_image_names | select('search', '/kubedns') | list | last }}
139         securityContext:
140           capabilities:
141             add: ["NET_BIND_SERVICE"]
142           runAsUser: {{ caas.uid.kubedns }}
143         livenessProbe:
144           tcpSocket:
145             port: 53
146           initialDelaySeconds: 60
147           timeoutSeconds: 5
148           successThreshold: 1
149           failureThreshold: 5
150         command:
151         - /usr/bin/dnsmasq-nanny
152         args:
153         - -v=2
154         - -logtostderr
155         - -configDir=/etc/k8s/dns/dnsmasq-nanny
156         - -restartDnsmasq=true
157         - --
158         - -k
159         - --interface={{ networking.infra_internal.interface }}
160         - --bind-interfaces
161         - --dns-forward-max=1000
162         - --cache-size=10000
163         - --server=/{{ caas.dns_domain }}/127.0.0.1#10053
164         # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
165         resources:
166           requests:
167             cpu: 150m
168             memory: 20Mi
169         volumeMounts:
170         - name: time-mount
171           mountPath: /etc/localtime
172           readOnly: true
173         - name: secret
174           mountPath: /etc/kubernetes/ssl
175           readOnly: true
176         - name: kubeconfig
177           mountPath: /etc/kubernetes/kubeconfig
178           readOnly: true
179         - name: resolv
180           mountPath: /etc/resolv.conf
181         - name: external-dns-conf
182           mountPath: /etc/k8s/dns/dnsmasq-nanny
183       dnsPolicy: Default  # Don't use cluster DNS.
184       serviceAccountName: kube-dns
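Review bot: The `kubedns` container declares the `resources:` key twice — once with `limits.memory: 170Mi` plus requests, and again after the `ports` list with requests only — and on a duplicate mapping key most YAML loaders silently keep the last value, so the rendered manifest very likely ships with no memory limit at all, contradicting the TODO comment above the first block; this may predate the commit, but it is worth fixing here by deleting the second `resources:` stanza (the four lines under `ports`) so the single remaining block carries both `limits` and `requests`. On the change itself, the new `node-maintenancemode` toleration has `effect: "NoExecute"` and no `tolerationSeconds`, which keeps kube-dns pinned to a master during maintenance indefinitely; if that is the intent, a one-line comment such as `# keep cluster DNS running on nodes drained into maintenance mode` would make it explicit. The legacy annotation `scheduler.alpha.kubernetes.io/tolerations` still lists only `CriticalAddonsOnly`, so it is now out of sync with `spec.tolerations`; as far as I know that annotation is ignored once the field is set, so either drop it or keep it aligned to avoid misleading readers.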