为Kubernetes集群里的容器提供DNS服务，用于解析service名称

部署DNS服务
下载镜像到本地仓库

部署服务

让kubelet修改每个pod的默认DNS
修改kubelet参数

重启node

DNS查询测试

部署DNS服务

kubedns负责从KUBERNETES_SERVICE_HOST收集service+namespace与clusterIP的映射关系；

dnsmasq根据kubedns收集的信息，提供名称解析服务。

下载镜像到本地仓库

kubedns-amd64:1.8

kube-dnsmasq-amd64:1.4

exechealthz-amd64:1.2

这三个镜像无法从gcr.io下载的话，可从阿里云提供的镜像仓库下载。

本地镜像仓库的搭建方法详见之前的博文。

docker pull registry.cn-hangzhou.aliyuncs.com/google-containers/exechealthz-amd64:1.2
docker tag registry.cn-hangzhou.aliyuncs.com/google-containers/exechealthz-amd64:1.2 centos-master:5000/exechealthz-amd64:1.2
docker rmi registry.cn-hangzhou.aliyuncs.com/google-containers/exechealthz-amd64:1.2
docker push centos-master:5000/exechealthz-amd64:1.2

部署服务

kube-dns服务的clusterIP明确指定为clusterIP可用值的第二个值10.254.0.2，第一个clusterIP值10.254.0.1留给了k8s自动创建的kubernetes.default服务。

执行如下命令，生成kube-dns的deployment和service。

dnsmasq的启动参数里增加了--address配置，让dnsmasq顺便提供一下自用的本地泛域名解析服务。

cat <<EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kube-dns
namespace: kube-system
labels:
k8s-app: kube-dns
version: v20
kubernetes.io/cluster-service: "true"
spec:
replicas: 1
template:
metadata:
labels:
k8s-app: kube-dns
version: v20
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
spec:
containers:
- name: kubedns
image: centos-master:5000/kubedns-amd64:1.8
resources:
limits:
memory: 170Mi
requests:
cpu: 100m
memory: 70Mi
livenessProbe:
httpGet:
path: /healthz-kubedns
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /readiness
port: 8081
scheme: HTTP
initialDelaySeconds: 3
timeoutSeconds: 5
args:
- --domain=cluster.local.
- --dns-port=10053
ports:
- containerPort: 10053
name: dns-local
protocol: UDP
- containerPort: 10053
name: dns-tcp-local
protocol: TCP
- name: dnsmasq
image: centos-master:5000/kube-dnsmasq-amd64:1.4
livenessProbe:
httpGet:
path: /healthz-dnsmasq
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
args:
- --cache-size=1000
- --no-resolv
- --server=127.0.0.1#10053
- --address=/wzp.local/192.168.137.75
- --log-facility=-
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- name: healthz
image: centos-master:5000/exechealthz-amd64:1.2
resources:
limits:
memory: 50Mi
requests:
cpu: 10m
memory: 50Mi
args:
- --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
- --url=/healthz-dnsmasq
- --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1:10053 >/dev/null
- --url=/healthz-kubedns
- --port=8080
- --quiet
ports:
- containerPort: 8080
protocol: TCP
dnsPolicy: Default
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "KubeDNS"
spec:
selector:
k8s-app: kube-dns
clusterIP: 10.254.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
EOF

确认kubedns容器能正常从apiServer获取service信息

kubectl logs $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name) -c kubedns -n kube-system

让kubelet修改每个pod的默认DNS

修改kubelet参数

修改参数文件/etc/kubernetes/kubelet

KUBELET_ARGS="--cluster_dns=10.254.0.2 --cluster_domain=cluster.local --kubeconfig=/etc/kubernetes/kube-admin-context.yaml --pod-infra-container-image=centos-master:5000/pause-amd64:3.0"

重启node

停止node上的组件，清理node已有的iptables设置

重启node上的组件，让每个pod都用10.254.0.2作为默认DNS

for SERVICES in kube-proxy kubelet flanneld docker; do
systemctl stop $SERVICES
done

iptables --flush
iptables -tnat --flush

for SERVICES in kube-proxy kubelet flanneld docker; do
systemctl restart $SERVICES
systemctl enable $SERVICES
systemctl status $SERVICES
done

DNS查询测试

登入一个容器，查看默认的dns

kubectl exec -ti busybox -- cat /etc/resolv.conf

登入一个容器，进行dns查询

kubectl exec -ti busybox -- nslookup kubernetes.default