--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+---
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: kube-dns
+ namespace: kube-system
+ labels:
+ {{ caas.kubernetes_component_label }}: kube-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ selector:
+ matchLabels:
+ {{ caas.kubernetes_component_label }}: kube-dns
+ template:
+ metadata:
+ labels:
+ {{ caas.kubernetes_component_label }}: kube-dns
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+ spec:
+ hostNetwork: true
+ nodeSelector:
+ nodetype: caas_master
+ tolerations:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ volumes:
+ - name: secret
+ hostPath:
+ path: /etc/kubernetes/ssl
+ - name: secret-root-ca
+ hostPath:
+ path: /etc/openssl/ca.pem
+ - name: resolv
+ hostPath:
+ path: /etc/resolv.conf
+ - name: kubeconfig
+ hostPath:
+ path: /etc/kubernetes/kubeconfig
+ - name: external-dns-conf
+ configMap:
+ name: external-dns-cm
+ containers:
+ - name: kubedns
+ image: {{ container_image_names | select('search', '/kubedns') | list | last }}
+ securityContext:
+ runAsUser: {{ caas.uid.kubedns }}
+ resources:
+ # TODO: Set memory limits when we've profiled the container for large
+ # clusters, then set request = limit to keep this container in
+ # guaranteed class. Currently, this container falls into the
+ # "burstable" category so the kubelet doesn't backoff from restarting it.
+ limits:
+ memory: 170Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ livenessProbe:
+ tcpSocket:
+ port: 53
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 8081
+ scheme: HTTP
+ # we poll on pod startup for the Kubernetes master service and
+ # only setup the /readiness HTTP server once that's available.
+ initialDelaySeconds: 3
+ timeoutSeconds: 5
+ command:
+ - /usr/bin/kube-dns
+ args:
+ - --domain=nokia.net.
+ - --dns-port=10053
+ - --config-dir=/etc/dns_config
+ - --v=2
+ ports:
+ - containerPort: 10053
+ name: dns-local
+ protocol: UDP
+ - containerPort: 10053
+ name: dns-tcp-local
+ protocol: TCP
+ - containerPort: 10055
+ name: metrics
+ protocol: TCP
+ volumeMounts:
+ - name: secret
+ mountPath: /etc/kubernetes/ssl
+ readOnly: true
+ - name: secret-root-ca
+ mountPath: /etc/openssl/ca.pem
+ readOnly: true
+ - name: kubeconfig
+ mountPath: /etc/kubernetes/kubeconfig
+ readOnly: true
+ - name: resolv
+ mountPath: /etc/resolv.conf
+ - name: external-dns-conf
+ mountPath: /etc/dns_config
+ - name: dnsmasq
+ image: {{ container_image_names | select('search', '/kubedns') | list | last }}
+ securityContext:
+ capabilities:
+ add: ["NET_BIND_SERVICE"]
+ runAsUser: {{ caas.uid.kubedns }}
+ livenessProbe:
+ tcpSocket:
+ port: 53
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ command:
+ - /usr/bin/dnsmasq-nanny
+ args:
+ - -v=2
+ - -logtostderr
+ - -configDir=/etc/k8s/dns/dnsmasq-nanny
+ - -restartDnsmasq=true
+ - --
+ - -k
+ - --interface={{ networking.infra_internal.interface }}
+ - --bind-interfaces
+ - --dns-forward-max=1000
+ - --cache-size=10000
+ - --server=/nokia.net/127.0.0.1#10053
+ # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
+ resources:
+ requests:
+ cpu: 150m
+ memory: 20Mi
+ volumeMounts:
+ - name: secret
+ mountPath: /etc/kubernetes/ssl
+ readOnly: true
+ - name: kubeconfig
+ mountPath: /etc/kubernetes/kubeconfig
+ readOnly: true
+ - name: resolv
+ mountPath: /etc/resolv.conf
+ - name: external-dns-conf
+ mountPath: /etc/k8s/dns/dnsmasq-nanny
+ dnsPolicy: Default # Don't use cluster DNS.
+ serviceAccountName: kube-dns