kube-system: Add nodelocaldns

pando85 · pando85 · commit badbd10becf1 · 2025-01-27T20:03:11.000+01:00
diff --git a/metal/roles/k3s/templates/config.yaml.j2 b/metal/roles/k3s/templates/config.yaml.j2
@@ -7,3 +7,5 @@ token-file: {{ k3s_token_file }}
 {% if 'kube_control_plane' in group_names %}
 {{ k3s_server_config | to_nice_yaml }}
 {% endif %}
+kubelet-arg:
+- "cluster-dns=169.254.25.10"
diff --git a/system/kube-system/kustomization.yaml b/system/kube-system/kustomization.yaml
@@ -5,6 +5,8 @@ namespace: kube-system
 resources:
   - resources/cilium/bgp-peering-policy.yaml
   - resources/cilium/load-balancer-ip-pool.yaml
+  - resources/nodelocaldns/configmap.yaml
+  - resources/nodelocaldns/daemonset.yaml
   - resources/priority-class-high.yaml
   - resources/runtime-class.yaml
 
diff --git a/system/kube-system/resources/nodelocaldns/configmap.yaml b/system/kube-system/resources/nodelocaldns/configmap.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    k8s-app: kube-dns
+  name: nodelocaldns
+data:
+  Corefile: |
+    cluster.local:53 {
+        errors
+        cache {
+            success 9984 30
+            denial 9984 5
+        }
+        reload
+        loop
+        bind 169.254.25.10
+        forward . 10.43.0.10 {
+            force_tcp
+        }
+        prometheus :9253
+        health 169.254.25.10:9254
+        hosts /etc/coredns/hosts {
+          fallthrough
+        }
+    }
+    in-addr.arpa:53 {
+        errors
+        cache 30
+        reload
+        loop
+        bind 169.254.25.10
+        forward . 10.43.0.10 {
+            force_tcp
+        }
+        prometheus :9253
+    }
+    ip6.arpa:53 {
+        errors
+        cache 30
+        reload
+        loop
+        bind 169.254.25.10
+        forward . 10.43.0.10 {
+            force_tcp
+        }
+        prometheus :9253
+    }
+    .:53 {
+        errors
+        cache 30
+        reload
+        loop
+        bind 169.254.25.10
+        forward . /etc/resolv.conf
+        prometheus :9253
+        hosts /etc/coredns/hosts {
+          fallthrough
+        }
+    }
diff --git a/system/kube-system/resources/nodelocaldns/daemonset.yaml b/system/kube-system/resources/nodelocaldns/daemonset.yaml
@@ -0,0 +1,110 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: kube-dns
+  name: nodelocaldns
+spec:
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: node-local-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: node-local-dns
+    spec:
+      containers:
+        - args:
+            - -localip
+            - 169.254.25.10
+            - -conf
+            - /etc/coredns/Corefile
+            - -upstreamsvc
+            - coredns
+          image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.28
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 10
+            httpGet:
+              host: 169.254.25.10
+              path: /health
+              port: 9254
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: node-cache
+          ports:
+            - containerPort: 53
+              hostPort: 53
+              name: dns
+              protocol: UDP
+            - containerPort: 53
+              hostPort: 53
+              name: dns-tcp
+              protocol: TCP
+            - containerPort: 9253
+              hostPort: 9253
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 10
+            httpGet:
+              host: 169.254.25.10
+              path: /health
+              port: 9254
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 70Mi
+          securityContext:
+            privileged: true
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/coredns
+              name: config-volume
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+      dnsPolicy: Default
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-node-critical
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: nodelocaldns
+      serviceAccountName: nodelocaldns
+      terminationGracePeriodSeconds: 0
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      volumes:
+        - configMap:
+            defaultMode: 420
+            items:
+              - key: Corefile
+                path: Corefile
+              - key: hosts
+                path: hosts
+            name: nodelocaldns
+          name: config-volume
+        - hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+          name: xtables-lock
+  updateStrategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 20%
+    type: RollingUpdate
