How do I set up ExternalDNS with Amazon EKS?
I want to set up ExternalDNS with my Amazon Elastic Kubernetes Service (Amazon EKS).
Short description
To install ExternalDNS, use AWS Identity and Access Management (AWS IAM) permissions to grant Amazon EKS the access it needs to interact with Amazon Route 53.
**Note:** Before you start the following resolution, make sure that you have a domain name and a Route 53 hosted zone.
Resolution
Set up IAM permissions and deploy ExternalDNS
Complete the following steps:
-
Create the following policy to set up the IAM permissions that allow the ExternalDNS pod to create, update, and delete Route 53 records in your AWS account:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
**Note:** You can modify the preceding policy to allow updates only to specific hosted zone IDs.
-
Use the policy to create an IAM role for the service account:
```shell
eksctl create iamserviceaccount --name SERVICE_ACCOUNT_NAME --namespace NAMESPACE --cluster CLUSTER_NAME --attach-policy-arn IAM_POLICY_ARN --approve
```
**Note:** Replace SERVICE_ACCOUNT_NAME with the name of your service account, NAMESPACE with your namespace, CLUSTER_NAME with the name of your cluster, and IAM_POLICY_ARN with the ARN of your IAM policy.
To view the name of the service account, run the following command:
```shell
kubectl get sa
```
In the following example output, external-dns is the name that was given to the service account when it was created:
```
NAME           SECRETS   AGE
default        1         23h
external-dns   1         23h
```
-
Run the following command to determine whether RBAC is turned on in your Amazon EKS cluster:
```shell
kubectl api-versions | grep rbac.authorization.k8s.io
```
**Note:** For the preceding command, check the latest version of ExternalDNS that is used on the GitHub project.
-
Run the following command to deploy ExternalDNS:
```shell
kubectl apply -f DEPLOYMENT_MANIFEST_FILE_NAME.yaml
```
**Note:** Replace DEPLOYMENT_MANIFEST_FILE_NAME with the file name of your deployment manifest.
If RBAC is turned on, use the following manifest to deploy ExternalDNS:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","pods","nodes"]
    verbs: ["get","watch","list"]
  - apiGroups: ["extensions","networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  labels:
    app.kubernetes.io/name: external-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: default # change to desired namespace: externaldns, kube-addons
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0
          args:
            - --source=service
            - --source=ingress
            - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=external-dns
          env:
            - name: AWS_DEFAULT_REGION
              value: eu-west-1 # change to region where EKS is installed
```
If RBAC isn't turned on, use the following manifest to deploy ExternalDNS:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
    spec:
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0
          args:
            - --source=service
            - --source=ingress
            - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=my-hostedzone-identifier
          env:
            - name: AWS_DEFAULT_REGION
              value: eu-west-1 # change to region where EKS is installed
```
-
Run the following command to verify that the deployment was successful:
```shell
kubectl get deployments
```
Example output:
```
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
external-dns   1/1     1            1           85m
```
Or, check the logs to verify that the records are updated:
```shell
kubectl logs external-dns-9f85d8d5b-sx5f
```
Example output:
```
....
time="2023-12-14T17:16:16Z" level=info msg="Instantiating new Kubernetes client"
time="2023-12-14T17:16:16Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2023-12-14T17:16:16Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
time="2023-12-14T17:16:18Z" level=info msg="Applying provider record filter for domains: [xxxxx.people.aws.dev. .xxxxx.people.aws.dev. xxxxx.people.aws.dev. .xxxxx.people.aws.dev.]"
time="2023-12-14T17:16:18Z" level=info msg="All records are already up to date"
....
```
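The note under the policy in step 1 says that the policy can be restricted to specific hosted zones. As an added example (not part of the AWS article), the following POSIX shell function emits that least-privilege variant: route53:ChangeResourceRecordSets is limited to the hosted zone IDs passed as arguments, while the List* actions keep the wildcard they require. The function name and the use of the hosted zone ID from the page's log output are assumptions.

```shell
#!/bin/sh
# Emit a Route 53 policy for ExternalDNS whose ChangeResourceRecordSets
# permission covers only the hosted zone IDs given as arguments, instead of
# the arn:aws:route53:::hostedzone/* wildcard used in the article's policy.
# (Function name is an assumption made for this example.)
scoped_route53_policy() {
  [ "$#" -ge 1 ] || { echo "usage: scoped_route53_policy ZONE_ID..." >&2; return 1; }
  arns=""
  for zone in "$@"; do
    # Append one hosted zone ARN per argument, comma-separated for JSON.
    arns="${arns:+$arns, }\"arn:aws:route53:::hostedzone/$zone\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": [$arns]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Example using the hosted zone ID that appears in the article's log output.
# Save the output to a file and pass it to "aws iam create-policy
# --policy-name external-dns --policy-document file://policy.json".
# scoped_route53_policy Z0786329GDVAZMXYZ > policy.json
```

The resulting policy ARN is what you pass as IAM_POLICY_ARN to the eksctl create iamserviceaccount command in step 2.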
Verify ExternalDNS
To confirm that ExternalDNS is set up correctly, complete the following steps:
-
Create a service that's exposed as a LoadBalancer. The service must be routable externally through a domain name that's hosted on Route 53:
```shell
kubectl apply -f SERVICE_MANIFEST_FILE_NAME.yaml
```
**Note:** Replace SERVICE_MANIFEST_FILE_NAME with your service manifest's file name.
Manifest:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    external-dns.alpha.kubernetes.io/hostname: nginx.xxxxx.people.aws.dev
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: nginx
          name: nginx
          ports:
            - containerPort: 80
              name: http
```
**Note:** ExternalDNS reads the external-dns.alpha.kubernetes.io/hostname annotation on the service and uses its value as the DNS name. To assign multiple names to a service, separate them with commas in the external-dns.alpha.kubernetes.io/hostname annotation.
-
Check that the NGINX service was created with the LoadBalancer type:
```shell
kubectl get svc
```
Example output:
```
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP                                          PORT(S)        AGE
kubernetes   ClusterIP      10.100.0.1      <none>                                               443/TCP        05h
nginx        LoadBalancer   10.100.254.68   xxxxyyyyzzzz-123456789.eu-west-1.elb.amazonaws.com   80:30792/TCP   74m
```
**Note:** The service automatically creates a Route 53 record in the hosted zone.
-
Run the following command to view the logs and confirm that the Route 53 records were created successfully:
```shell
kubectl logs external-dns-9f85d8d5b-sx5fg
```
Example output:
```
...
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE cname-nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev A [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:20Z" level=info msg="3 record(s) in zone xxxxx.people.aws.dev. [Id: /hostedzone/Z0786329GDVAZMXYZ] were successfully updated"
...
```
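As an added example (not from the AWS article), the following POSIX shell functions parse the "Desired change" lines in the ExternalDNS logs shown above and in the deployment step, so that a deployment running with --policy=upsert-only and --registry=txt can be audited from its logs: a DELETE change, or an A/CNAME record with no same-name TXT ownership record, means the flags in the manifest are not taking effect as intended. The sample log is constructed from the page's excerpt, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in the shape of the article's log excerpt (same placeholder names).
SAMPLE_LOG='time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE cname-nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev A [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:20Z" level=info msg="3 record(s) in zone xxxxx.people.aws.dev. [Id: /hostedzone/Z0786329GDVAZMXYZ] were successfully updated"'

# Read ExternalDNS log lines on stdin; print "ACTION NAME TYPE ZONE" for each
# "Desired change" line and drop everything else (summary lines, client setup).
desired_changes() {
  sed -n 's/.*msg="Desired change: \([A-Z]*\) \([^ ]*\) \([A-Z]*\) \[Id: \([^]]*\)]".*/\1 \2 \3 \4/p'
}

# Number of DELETE changes; with --policy=upsert-only this must stay 0.
delete_count() {
  desired_changes | awk '$1 == "DELETE" { n++ } END { print n + 0 }'
}

# Names that received an A or CNAME record without a same-name TXT ownership
# record, which --registry=txt should always create alongside it.
unowned_records() {
  desired_changes | awk '
    $3 == "A" || $3 == "CNAME" { rec[$2] = 1 }
    $3 == "TXT"                { txt[$2] = 1 }
    END { for (n in rec) if (!(n in txt)) print n }'
}

# Typical use against a live pod (pod name as in the article's example):
#   kubectl logs external-dns-9f85d8d5b-sx5fg | delete_count
#   kubectl logs external-dns-9f85d8d5b-sx5fg | unowned_records
```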