1 {#
2 Copyright 2019 Nokia
3
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
7
8     http://www.apache.org/licenses/LICENSE-2.0
9
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
15 #}
16 ---
17 apiVersion: apps/v1beta2  # pre-GA apps API; removed in Kubernetes 1.16 — confirm the target cluster still serves it
18 kind: DaemonSet  # NOTE: a DaemonSet despite the file name — one pod per node matched by nodeSelector below
19 metadata:
20   name: kube-dns
21   namespace: kube-system
22   labels:
23     {{ caas.kubernetes_component_label }}: kube-dns  # templated label key; the same key drives the selector below
24     kubernetes.io/cluster-service: "true"  # quoted on purpose: label values are strings, not YAML booleans
25     addonmanager.kubernetes.io/mode: Reconcile
26 spec:
27   selector:
28     matchLabels:
29       {{ caas.kubernetes_component_label }}: kube-dns
30   template:
31     metadata:
32       labels:
33         {{ caas.kubernetes_component_label }}: kube-dns
34       annotations:
35         scheduler.alpha.kubernetes.io/critical-pod: ''  # alpha annotation; newer releases use priorityClassName — confirm for the target version
36         scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'  # legacy annotation form of the tolerations list below
37     spec:
38       hostNetwork: true  # pod shares the node's network namespace: every listener below binds on the host, not on a pod IP
39       nodeSelector:
40         nodetype: caas_master  # runs on master nodes only
41       tolerations:
42       - key: "CriticalAddonsOnly"  # allows scheduling onto nodes tainted for critical add-ons
43         operator: "Exists"
44       volumes:
45       - name: secret
46         hostPath:
47           path: /etc/kubernetes/ssl  # node TLS material; mounted readOnly in both containers below
48       - name: secret-root-ca
49         hostPath:
50           path: /etc/openssl/ca.pem  # host root CA; mounted readOnly below
51       - name: resolv
52         hostPath:
53           path: /etc/resolv.conf  # host resolver config; mounted without readOnly below — consider readOnly: true if it is only read
54       - name: kubeconfig
55         hostPath:
56           path: /etc/kubernetes/kubeconfig  # host kubeconfig (API credentials); mounted readOnly below
57       - name: external-dns-conf
58         configMap:
59           name: external-dns-cm  # mounted twice: /etc/dns_config (kube-dns) and /etc/k8s/dns/dnsmasq-nanny (nanny)
60       containers:
61       - name: kubedns
62         image: {{ container_image_names | select('search', '/kubedns') | list | last }}  # last image name matching '/kubedns'; also used by the dnsmasq container
63         securityContext:
64           runAsUser: {{ caas.uid.kubedns }}  # UID from inventory; intended as a non-root user — verify the rendered value is non-zero
65         resources:
66           # TODO: Set memory limits when we've profiled the container for large
67           # clusters, then set request = limit to keep this container in
68           # guaranteed class. Currently, this container falls into the
69           # "burstable" category so the kubelet doesn't backoff from restarting it.
70           limits:
71             memory: 170Mi
72           requests:
73             cpu: 100m
74             memory: 70Mi
75         livenessProbe:
76           tcpSocket:
77             port: 53  # NOTE: kube-dns itself serves on 10053 (--dns-port); 53 is presumably dnsmasq's listener, reachable since both share the netns
78           initialDelaySeconds: 60
79           timeoutSeconds: 5
80           successThreshold: 1
81           failureThreshold: 5
82         readinessProbe:
83           httpGet:
84             path: /readiness
85             port: 8081
86             scheme: HTTP  # plain HTTP; with hostNetwork this endpoint is bound on the host as well
87           # we poll on pod startup for the Kubernetes master service and
88           # only setup the /readiness HTTP server once that's available.
89           initialDelaySeconds: 3
90           timeoutSeconds: 5
91         command:
92         - /usr/bin/kube-dns
93         args:
94         - --domain=nokia.net.  # cluster domain; dnsmasq forwards /nokia.net/ here (see --server below)
95         - --dns-port=10053  # unprivileged port, so this container needs no NET_BIND_SERVICE
96         - --config-dir=/etc/dns_config  # external-dns-cm mount
97         - --v=2
98         ports:
99         - containerPort: 10053
100           name: dns-local
101           protocol: UDP
102         - containerPort: 10053
103           name: dns-tcp-local
104           protocol: TCP
105         - containerPort: 10055
106           name: metrics  # metrics listener; exposed on the host interface because of hostNetwork
107           protocol: TCP
108         volumeMounts:
109         - name: secret
110           mountPath: /etc/kubernetes/ssl
111           readOnly: true
112         - name: secret-root-ca
113           mountPath: /etc/openssl/ca.pem
114           readOnly: true
115         - name: kubeconfig
116           mountPath: /etc/kubernetes/kubeconfig
117           readOnly: true
118         - name: resolv
119           mountPath: /etc/resolv.conf  # writable mount of a host file — add readOnly: true unless writes are required
120         - name: external-dns-conf
121           mountPath: /etc/dns_config
122       - name: dnsmasq
123         image: {{ container_image_names | select('search', '/kubedns') | list | last }}  # same image as the kubedns container
124         securityContext:
125           capabilities:
126             add: ["NET_BIND_SERVICE"]  # lets the non-root UID below bind port 53 (dnsmasq's default port); the only capability added
127           runAsUser: {{ caas.uid.kubedns }}
128         livenessProbe:
129           tcpSocket:
130             port: 53
131           initialDelaySeconds: 60
132           timeoutSeconds: 5
133           successThreshold: 1
134           failureThreshold: 5
135         command:
136         - /usr/bin/dnsmasq-nanny  # wraps dnsmasq; restarts it when -configDir changes (-restartDnsmasq=true)
137         args:
138         - -v=2
139         - -logtostderr
140         - -configDir=/etc/k8s/dns/dnsmasq-nanny  # external-dns-cm mount
141         - -restartDnsmasq=true
142         - --  # everything after this is passed through to dnsmasq itself
143         - -k  # keep dnsmasq in the foreground under the nanny
144         - --interface={{ networking.infra_internal.interface }}  # with --bind-interfaces: listen only on the infra-internal host interface, not all of them
145         - --bind-interfaces
146         - --dns-forward-max=1000  # cap on concurrently forwarded queries
147         - --cache-size=10000
148         - --server=/nokia.net/127.0.0.1#10053  # cluster domain goes to kube-dns on loopback (shared netns); other names go to the upstreams dnsmasq reads from /etc/resolv.conf
149         # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
150         resources:
151           requests:
152             cpu: 150m
153             memory: 20Mi
154         volumeMounts:
155         - name: secret
156           mountPath: /etc/kubernetes/ssl
157           readOnly: true
158         - name: kubeconfig
159           mountPath: /etc/kubernetes/kubeconfig
160           readOnly: true
161         - name: resolv
162           mountPath: /etc/resolv.conf  # writable mount of a host file — add readOnly: true unless writes are required
163         - name: external-dns-conf
164           mountPath: /etc/k8s/dns/dnsmasq-nanny
165       dnsPolicy: Default  # Don't use cluster DNS.
166       serviceAccountName: kube-dns  # SA token is auto-mounted in addition to the host kubeconfig above unless automountServiceAccountToken is disabled