Added seed code for caas-kubedns.
diff --git a/ansible/roles/kubedns/templates/kubedns-deployment.yml b/ansible/roles/kubedns/templates/kubedns-deployment.yml
new file mode 100644 (file)
index 0000000..e95c78f
--- /dev/null
@@ -0,0 +1,166 @@
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+---
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    {{ caas.kubernetes_component_label }}: kube-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  selector:
+    matchLabels:
+      {{ caas.kubernetes_component_label }}: kube-dns
+  template:
+    metadata:
+      labels:
+        {{ caas.kubernetes_component_label }}: kube-dns
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+    spec:
+      hostNetwork: true
+      nodeSelector:
+        nodetype: caas_master
+      tolerations:
+      - key: "CriticalAddonsOnly"
+        operator: "Exists"
+      volumes:
+      - name: secret
+        hostPath:
+          path: /etc/kubernetes/ssl
+      - name: secret-root-ca
+        hostPath:
+          path: /etc/openssl/ca.pem
+      - name: resolv
+        hostPath:
+          path: /etc/resolv.conf
+      - name: kubeconfig
+        hostPath:
+          path: /etc/kubernetes/kubeconfig
+      - name: external-dns-conf
+        configMap:
+          name: external-dns-cm
+      containers:
+      - name: kubedns
+        image: {{ container_image_names | select('search', '/kubedns') | list | last }}
+        securityContext:
+          runAsUser: {{ caas.uid.kubedns }}
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        livenessProbe:
+          tcpSocket:
+            port: 53
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /readiness
+            port: 8081
+            scheme: HTTP
+          # we poll on pod startup for the Kubernetes master service and
+          # only setup the /readiness HTTP server once that's available.
+          initialDelaySeconds: 3
+          timeoutSeconds: 5
+        command:
+        - /usr/bin/kube-dns
+        args:
+        - --domain=nokia.net.
+        - --dns-port=10053
+        - --config-dir=/etc/dns_config
+        - --v=2
+        ports:
+        - containerPort: 10053
+          name: dns-local
+          protocol: UDP
+        - containerPort: 10053
+          name: dns-tcp-local
+          protocol: TCP
+        - containerPort: 10055
+          name: metrics
+          protocol: TCP
+        volumeMounts:
+        - name: secret
+          mountPath: /etc/kubernetes/ssl
+          readOnly: true
+        - name: secret-root-ca
+          mountPath: /etc/openssl/ca.pem
+          readOnly: true
+        - name: kubeconfig
+          mountPath: /etc/kubernetes/kubeconfig
+          readOnly: true
+        - name: resolv
+          mountPath: /etc/resolv.conf
+        - name: external-dns-conf
+          mountPath: /etc/dns_config
+      - name: dnsmasq
+        image: {{ container_image_names | select('search', '/kubedns') | list | last }}
+        securityContext:
+          capabilities:
+            add: ["NET_BIND_SERVICE"]
+          runAsUser: {{ caas.uid.kubedns }}
+        livenessProbe:
+          tcpSocket:
+            port: 53
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        command:
+        - /usr/bin/dnsmasq-nanny
+        args:
+        - -v=2
+        - -logtostderr
+        - -configDir=/etc/k8s/dns/dnsmasq-nanny
+        - -restartDnsmasq=true
+        - --
+        - -k
+        - --interface={{ networking.infra_internal.interface }}
+        - --bind-interfaces
+        - --dns-forward-max=1000
+        - --cache-size=10000
+        - --server=/nokia.net/127.0.0.1#10053
+        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
+        resources:
+          requests:
+            cpu: 150m
+            memory: 20Mi
+        volumeMounts:
+        - name: secret
+          mountPath: /etc/kubernetes/ssl
+          readOnly: true
+        - name: kubeconfig
+          mountPath: /etc/kubernetes/kubeconfig
+          readOnly: true
+        - name: resolv
+          mountPath: /etc/resolv.conf
+        - name: external-dns-conf
+          mountPath: /etc/k8s/dns/dnsmasq-nanny
+      dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns
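Review bot: The `resolv` hostPath volume is the only node file mounted writable — the `secret`, `secret-root-ca` and `kubeconfig` mounts all carry `readOnly: true`, but the `/etc/resolv.conf` volumeMount in both the kubedns container and the dnsmasq container omits it, so a compromised DNS container on a `hostNetwork: true` pod could rewrite the master node's resolver configuration; neither container's arguments suggest it needs to write that file, so add `readOnly: true` under both `- name: resolv` volumeMounts. The pods also mount the node's `/etc/kubernetes/ssl` and `/etc/kubernetes/kubeconfig`; since `serviceAccountName: kube-dns` is set and no `--kubecfg-file` argument is passed to kube-dns, the kubeconfig mount looks redundant and is worth dropping if nothing in the image reads it (I cannot confirm that from the template alone). Both containers set `runAsUser` but neither drops capabilities nor sets `allowPrivilegeEscalation: false`; for dnsmasq, `capabilities: {drop: ["ALL"], add: ["NET_BIND_SERVICE"]}` keeps the bind-to-port-53 ability while removing the rest, and the kubedns container can drop all capabilities outright.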