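{#
Copyright 2019 Nokia

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}
---
# kube-dns DaemonSet for the CaaS master nodes: kube-dns answers on 10053 and
# a dnsmasq front-end (run by dnsmasq-nanny) serves port 53 in front of it.
#
# apps/v1 is the GA DaemonSet API (available since Kubernetes 1.9); the
# apps/v1beta2 version previously used here was removed in Kubernetes 1.16,
# and the spec fields this manifest uses (selector, template) are unchanged.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    {{ caas.kubernetes_component_label }}: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      {{ caas.kubernetes_component_label }}: kube-dns
  template:
    metadata:
      labels:
        {{ caas.kubernetes_component_label }}: kube-dns
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
    spec:
      priorityClassName: "system-cluster-critical"
      # The pod shares the node's network namespace so that dnsmasq can bind
      # port 53 on the node's infra_internal interface (see its args below).
      hostNetwork: true
      nodeSelector:
        nodetype: caas_master
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      # Several of these hostPaths expose node credentials (the kubelet TLS
      # material under /etc/kubernetes/ssl, the node kubeconfig, the root CA).
      # Every mount of a hostPath below is declared readOnly in the containers.
      volumes:
      - name: time-mount
        hostPath:
          path: /etc/localtime
      - name: secret
        hostPath:
          path: /etc/kubernetes/ssl
      - name: secret-root-ca
        hostPath:
          path: /etc/openssl/ca.pem
      - name: resolv
        hostPath:
          path: /etc/resolv.conf
      - name: kubeconfig
        hostPath:
          path: /etc/kubernetes/kubeconfig
      - name: external-dns-conf
        configMap:
          name: external-dns-cm
      containers:
      - name: kubedns
        # Quoted so that an empty filter result renders as "" (a visible
        # image-pull error) instead of a YAML null.
        image: "{{ container_image_names | select('search', '/kubedns') | list | last }}"
        securityContext:
          runAsUser: {{ caas.uid.kubedns }}
        # One resources stanza only. This container previously carried two
        # `resources:` keys; that is a duplicate mapping key, and most YAML
        # parsers keep only the last one, which silently dropped the memory
        # limit. Both stanzas agreed on the requests, so they are merged here.
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
          # guaranteed class. Currently, this container falls into the
          # "burstable" category so the kubelet doesn't backoff from restarting it.
          limits:
            memory: 170Mi
          requests:
            cpu: 10m
            memory: 70Mi
        livenessProbe:
          tcpSocket:
            port: 10053
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: 8081
            scheme: HTTP
          # we poll on pod startup for the Kubernetes master service and
          # only setup the /readiness HTTP server once that's available.
          initialDelaySeconds: 3
          timeoutSeconds: 5
        command:
        - /usr/bin/kube-dns
        args:
        - --domain={{ caas.dns_domain }}.
        - --dns-port=10053
        - --config-dir=/etc/dns_config
        - --v=2
        ports:
        - containerPort: 10053
          name: dns-local
          protocol: UDP
        - containerPort: 10053
          name: dns-tcp-local
          protocol: TCP
        - containerPort: 10055
          name: metrics
          protocol: TCP
        volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret
          mountPath: /etc/kubernetes/ssl
          readOnly: true
        - name: secret-root-ca
          mountPath: /etc/openssl/ca.pem
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/kubeconfig
          readOnly: true
        # resolv.conf is only read (upstream resolvers); no reason to hand the
        # container a writable view of the node file.
        - name: resolv
          mountPath: /etc/resolv.conf
          readOnly: true
        - name: external-dns-conf
          mountPath: /etc/dns_config
      - name: dnsmasq
        image: "{{ container_image_names | select('search', '/kubedns') | list | last }}"
        securityContext:
          # NET_BIND_SERVICE is the single capability needed: dnsmasq listens
          # on port 53 while running as the unprivileged kubedns uid.
          capabilities:
            add: ["NET_BIND_SERVICE"]
          runAsUser: {{ caas.uid.kubedns }}
        livenessProbe:
          tcpSocket:
            port: 53
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        command:
        - /usr/bin/dnsmasq-nanny
        # Arguments before `--` go to dnsmasq-nanny, the rest to dnsmasq itself.
        # --interface/--bind-interfaces keep the port 53 listener on the
        # infra_internal interface only, rather than on every address of the
        # host-network node.
        args:
        - -v=2
        - -logtostderr
        - -configDir=/etc/k8s/dns/dnsmasq-nanny
        - -restartDnsmasq=true
        - --
        - -k
        - --interface={{ networking.infra_internal.interface }}
        - --bind-interfaces
        - --dns-forward-max=1000
        - --cache-size=10000
        - --server=/{{ caas.dns_domain }}/127.0.0.1#10053
        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
        resources:
          requests:
            cpu: 150m
            memory: 20Mi
        volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret
          mountPath: /etc/kubernetes/ssl
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/kubeconfig
          readOnly: true
        # Read-only for the same reason as in the kubedns container.
        - name: resolv
          mountPath: /etc/resolv.conf
          readOnly: true
        - name: external-dns-conf
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns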