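# Deploy a per-cluster CoreDNS
#
# Renders everything one cluster needs for an in-cluster resolver: a
# ServiceAccount, a read-only ClusterRole/ClusterRoleBinding, a ConfigMap
# holding the Corefile, a two-replica Deployment and a fixed-IP Service.
# All per-cluster knobs live in `Environment.cfg`; override that object
# rather than the individual resources.

local kube = import "../../../kube/kube.libsonnet";

{
    Environment: {
        local env = self,
        local cfg = env.cfg,

        cfg:: {
            image: "coredns/coredns:1.3.0",
            namespace: "kube-system",
            # Resolver that receives every query outside `cluster_domain`.
            # The Corefile's `proxy` line carries no protocol option, so this
            # traffic goes out as plain DNS; the path to it must be trusted.
            upstream_server: "185.236.240.1",
            cluster_domain: "cluster.local",
            # Reverse zones handled by the kubernetes plugin. The same list is
            # used for its `fallthrough`, so unknown PTR names reach the proxy.
            reverse_cidrs: ["in-addr.arpa", "ip6.arpa"],
            # Fixed ClusterIP so kubelets can be configured with the resolver
            # address before the Service object exists.
            clusterIP: "10.10.12.254",
        },

        sa: kube.ServiceAccount("coredns") {
            metadata+: {
                namespace: cfg.namespace,
            },
        },

        # Least privilege for the kubernetes plugin: list/watch on the objects
        # it serves records for, `get` on nodes, no write verbs at all.
        cr: kube.ClusterRole("system:coredns") {
            metadata+: {
                labels: {
                    "kubernetes.io/bootstrapping": "rbac-defaults",
                },
            },
            rules: [
                {
                    apiGroups: [""],
                    resources: ["endpoints", "services", "pods", "namespaces"],
                    verbs: ["list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["nodes"],
                    verbs: ["get"],
                },
            ],
        },

        # Binds the role above to the CoreDNS ServiceAccount. The
        # bootstrapping label and autoupdate annotation mark it as an RBAC
        # default that the API server is allowed to reconcile on startup.
        crb: kube.ClusterRoleBinding("system:coredns") {
            metadata+: {
                labels: {
                    "kubernetes.io/bootstrapping": "rbac-defaults",
                },
                annotations+: {
                    "rbac.authorization.kubernetes.io/autoupdate": "true",
                },
            },
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: env.cr.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        # Corefile, templated from cfg. Notes on the security-relevant lines:
        #  - `pods insecure` answers A/AAAA for any pod-IP-shaped name without
        #    checking that such a pod exists (kube-dns compatibility mode);
        #    `pods verified` is the stricter alternative if workloads allow it.
        #  - `fallthrough` now takes `reverse_cidrs` instead of a hard-coded
        #    copy of the default list, so changing cfg keeps both in sync.
        #  - `loop` detects forwarding loops back to this server.
        #  - `health` listens on :8080 by default; the liveness probe below
        #    relies on that default.
        cm: kube.ConfigMap("coredns") {
            local map = self,

            upstream_server:: cfg.upstream_server,
            cluster_domain:: cfg.cluster_domain,
            reverse_cidrs:: std.join(" ", cfg.reverse_cidrs),

            metadata+: {
                namespace: cfg.namespace,
            },
            data: {
                Corefile: |||
                    .:53 {
                        log
                        errors
                        health
                        kubernetes %s %s {
                            pods insecure
                            upstream
                            fallthrough %s
                        }
                        prometheus :9153
                        proxy . %s
                        cache 30
                        loop
                        reload
                        loadbalance
                    }
                ||| % [map.cluster_domain, map.reverse_cidrs, map.reverse_cidrs, map.upstream_server],
            },
        },

        deployment: kube.Deployment("coredns") {
            metadata+: {
                namespace: cfg.namespace,
                labels+: {
                    "k8s-app": "coredns",
                },
            },
            spec+: {
                # Two replicas with at most one down during a rollout keeps the
                # resolver reachable while the ConfigMap or image changes.
                replicas: 2,
                strategy: {
                    type: "RollingUpdate",
                    rollingUpdate: { maxUnavailable: 1 },
                },
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        tolerations: [
                            { key: "CriticalAddonsOnly", operator: "Exists" },
                        ],
                        # Use the node's resolver, not the cluster DNS this pod
                        # provides, so CoreDNS never resolves through itself.
                        dnsPolicy: "Default",
                        volumes_: {
                            config: {
                                configMap: {
                                    name: env.cm.metadata.name,
                                    items: [ { key: "Corefile", path: "Corefile" } ],
                                },
                            },
                        },
                        containers_: {
                            coredns: kube.Container("coredns") {
                                local container = self,

                                image: cfg.image,
                                # Config path is derived from the mount below so
                                # the two cannot drift apart.
                                args: [
                                    "-conf", "%s/Corefile" % container.volumeMounts[0].mountPath,
                                ],
                                imagePullPolicy: "IfNotPresent",
                                resources: {
                                    limits: { memory: "170Mi" },
                                    requests: { memory: "70Mi", cpu: "100m" },
                                },
                                volumeMounts_: {
                                    config: {
                                        mountPath: "/etc/coredns",
                                    },
                                },
                                ports_: {
                                    dns: {
                                        containerPort: 53,
                                        protocol: "UDP",
                                    },
                                    "dns-tcp": {
                                        containerPort: 53,
                                        protocol: "TCP",
                                    },
                                    metrics: {
                                        containerPort: 9153,
                                        protocol: "TCP",
                                    },
                                },
                                # Drop every capability except the one needed to
                                # bind :53, forbid privilege escalation and keep
                                # the root filesystem read-only (config is a mount).
                                securityContext: {
                                    allowPrivilegeEscalation: false,
                                    capabilities: {
                                        add: ["NET_BIND_SERVICE"],
                                        # Kubernetes spells this capability `ALL`;
                                        # the lower-case form is not guaranteed to be
                                        # recognised by every runtime or policy check.
                                        drop: ["ALL"],
                                    },
                                    readOnlyRootFilesystem: true,
                                },
                                # Targets the `health` plugin's default listener.
                                livenessProbe: {
                                    httpGet: {
                                        path: "/health",
                                        port: 8080,
                                        scheme: "HTTP",
                                    },
                                    initialDelaySeconds: 60,
                                    timeoutSeconds: 5,
                                    successThreshold: 1,
                                    failureThreshold: 5,
                                },
                            },
                        },
                    },
                },
            },
        },

        # Service ports are copied from the container's port list, so this
        # also exposes the Prometheus metrics port (9153) on the ClusterIP,
        # not only DNS on 53.
        svc: kube.Service("coredns") {
            local svc = self,
            metadata+: {
                namespace: cfg.namespace,
            },
            target_pod: env.deployment.spec.template,
            spec+: {
                ports: [
                    { name: p.name, port: p.containerPort, protocol: p.protocol }
                    for p in svc.target_pod.spec.containers[0].ports
                ],
                clusterIP: cfg.clusterIP,
            },
        },
    },
}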