内容简介:Kubernetes社区的生态繁荣和该领域技术的快速茁壮发展,已经是众所周知。Kubernetes领域有太多强大的、创新的技术产品,而最近引起我注意的项目是ExternalDNS。这是在近期的POC期间客户主动咨询起来的,我承诺客户会尝试一下ExternalDNS子项目,且使用后发现它真的令人印象深刻。ExternalDNS子项目(孵化器流程已被弃用)是由sig-network赞助并由Tim Hockin倡导的,旨在自动配置云DNS提供商。这很重要,因为它进一步支持基础架构自动化,用户可以在应用程序部署的
Kubernetes社区的生态繁荣和该领域技术的快速茁壮发展,已经是众所周知。Kubernetes领域有太多强大的、创新的技术产品,而最近引起我注意的项目是ExternalDNS。这是在近期的POC期间客户主动咨询起来的,我承诺客户会尝试一下ExternalDNS子项目,且使用后发现它真的令人印象深刻。
ExternalDNS子项目
ExternalDNS子项目(孵化器流程已被弃用)是由sig-network赞助并由Tim Hockin倡导的,旨在自动配置云DNS提供商。这很重要,因为它进一步支持基础架构自动化,用户可以在应用程序部署的同时直接完成DNS配置。
传统企业部署模型,通常是由多个孤立业务单元,来处理部署过程的不同部分。但带有ExternalDNS的Kubernetes不同于传统企业部署模型,它可以自动完成此过程的这一部分工作。有时候有可能会出现这种不好的情况:一部分软件已准备就绪,但它却必须等待另一个业务部门手动配置DNS。而有了ExternalDNS,这一潜在问题就被解决了。
通过ExternalDNS,组织团队可实现自动化和共同责任协作,而这将避免手动配置的错误,并使各方都能够更有效地将其产品推向市场。
AKS上的ExternalDNS配置和部署
我曾作为软件开发人员在.NET领域有过多年的工作经验。微软开发人员社区在我心中一直有一个特殊的位置,过去几年以来我参加过不少费城地区的Azure用户meetup,分享如何通过ACS(Azure Container Service)和AKS(Azure Kubernetes Service)使用Kubernetes on Azure。恰巧的是,向我咨询ExternalDNS的用户也正是在选择了Azure作为其IaaS产品。
下文是我准备的在AKS集群上启动ExternalDNS的分步说明和帮助程序代码。即使您使用的是其他公有云上的托管的Kubernetes,本教程依然适用。
先决条件
登录Azure AD,必要情况下请设置订阅。
几点注意事项
1、请注意,本文档中的外部模板文件使用了许多可选设置。
2、它也在debug级别日志中,因此您也可以自行进行troubleshooting。
在Azure AKS或Azure IaaS上设置ExternalDNS
1、创建Azure DNS记录
RESOURCE_GROUP=MC_rancher-group_c-6vkts_eastus DNS_ZONE=vanbrackel.net az network dns zone create -g $RESOURCE_GROUP -n $DNS_ZONE
2、根据您的注册商的需要委派DNS
3、创建服务主体以代表Kubernetes行事。
SUBSCRIPTION_ID="$(az account show | jq '.id')" && SUBSCRIPTION_ID=${SUBSCRIPTION_ID//\"} TENANT_ID=$(az account show | jq '.tenantId') && TENANT_ID=${TENANT_ID//\"} SCOPE=$(az group show --name $RESOURCE_GROUP | jq '.id') && SCOPE=${SCOPE//\"} PRINCIPAL=$(az ad sp create-for-rbac --role="Contributor" --scopes=$SCOPE -n ExternalDnsServicePrincipal) CLIENT_ID=$(echo $PRINCIPAL | jq '.appId') && CLIENT_ID=${CLIENT_ID//\"} CLIENT_SECRET=$(echo $PRINCIPAL | jq '.password') && CLIENT_SECRET=${CLIENT_SECRET//\"
4、创建你的云提供商配置。
echo "{ \"tenantId\": \"$TENANT_ID\", \"subscriptionId\": \"$SUBSCRIPTION_ID\", \"aadClientId\": \"$CLIENT_ID\", \"aadClientSecret\": \"$CLIENT_SECRET\", \"resourceGroup\": \"$RESOURCE_GROUP\"}" >> azure.json
5、使用云提供商配置来创建一个Kubernetes秘钥。
> kubectl create secret generic azure-config-file --from-file=azure.json secret "azure-config-file" created
6、如果你使用的是Rancher配置的Azure IaaS Backed Clusters,从集群中删除ingress controller。
> kubectl get ns NAME STATUS AGE cattle-system Active 1d default Active 1d ingress-nginx Active 1d kube-public Active 1d kube-system Active 1d > kubectl delete ns/ingress-nginx namespace "ingress-nginx" deleted
注意:如果您是使用Rancher中的 AKS配置的集群,则不会提供ingress controller。
7、安装nginx ingress controller并为ExternalDNS配置它。创建ingress-nginx部署和服务。
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml
8、由于在基于Rancher的Kubernetes集群上默认启用了RBAC,因此可以从下面的脚本创建名为
externaldns.yaml的yaml文件,或者使用此repo中的externaldns-template.yaml文件。 apiVersion: v1 kind: ServiceAccount metadata:
name: external-dns
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata: name: external-dns
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata: name: external-dns-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: default
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: external-dns
spec:
strategy:
type: Recreate
template:
metadata:
labels:
app: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: registry.opensource.zalan.do/teapot/external-dns:v0.5.2
args:
- --source=service
- --source=ingress
- --domain-filter=vanbrackel.net # (optional) limit to only vanbrackel.net domains; change to match the zone created above.
- --provider=azure
- --azure-resource-group=MC_rancher-group_c-6vkts_eastus # (optional) use the DNS zones from above
volumeMounts:
- name: azure-config-file
mountPath: /etc/kubernetes
readOnly: true
volumes:
- name: azure-config-file
secret:
secretName: azure-config-file
EXTERNAL_DNS=$(cat externaldns-template.yaml)
EXTERNAL_DNS=${EXTERNAL_DNS//DOMAIN/$DOMAIN} && echo "${EXTERNAL_DNS//RESOURCE_GROUP/$RESOURCE_GROUP}" >> externaldns.yaml
kubectl create -f externaldns.yaml
验证
1、以与部署ExternalDNS相同的方式在ingress中创建nginx服务
apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx spec: template: metadata: labels: app: nginx spec: containers: - image: nginx name: nginx ports:
- containerPort: 80
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: server.vanbrackel.net
http:
paths:
- backend:
serviceName: nginx-svc
servicePort: 80
path: /
NGINX=$(cat nginx-ingress-test-template.yaml) && echo "${NGINX//DOMAIN/$DOMAIN}" >> nginx-ingress-test.yaml
2、创建nginx-ingress controller
kubectl create -f nginx-ingress-test.yaml
3、稍等几分钟
4、检查一下是否已有record被创建出来
[jason@vblinux ~ ]$ az network dns record-set a list --resource-group $RESOURCE_GROUP --zone-name $DNS_ZONE [ { "arecords": [ { "ipv4Address": "13.68.138.206" } ], "etag": "0fb3eaf9-7bf2-48c4-b8f8-432e05dce94a", "fqdn": "server.vanbrackel.net.", "id": "/subscriptions/c7e23d24-5dcd-4c7c-ae84-22f6f814dc02/resourceGroups/mc_rancher-group_c-6vkts_eastus/providers/Microsoft.Network/dnszones/vanbrackel.net/A/server", "metadata": null, "name": "server", "resourceGroup": "mc_rancher-group_c-6vkts_eastus", "ttl": 300, "type": "Microsoft.Network/dnszones/A" } ]
5、检查日志
kubectl logs external-dns-655df89959-7ztm2 time="2018-06-13T23:57:11Z" level=info msg="config: {Master: KubeConfig: Sources:[service ingress] Namespace: AnnotationFilter: FQDNTemplate: CombineFQDNAndAnnotation:false Compatibility: PublishInternal:false ConnectorSourceServer:localhost:8080 Provider:azure GoogleProject: DomainFilter:[vanbrackel.net] ZoneIDFilter:[] AWSZoneType: AWSAssumeRole: AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup:MC_rancher-group_c-6vkts_eastus CloudflareProxied:false InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 InMemoryZones:[] PDNSServer:http://localhost:8081 PDNSAPIKey: Policy:sync Registry:txt TXTOwnerID:default TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 LogLevel:debug}" time="2018-06-13T23:57:11Z" level=info msg="Connected to cluster at https://10.0.0.1:443" ... time="2018-06-14T00:02:11Z" level=debug msg="Retrieving Azure DNS zones." time="2018-06-14T00:02:12Z" level=debug msg="Found 1 Azure DNS zone(s)." time="2018-06-14T00:02:12Z" level=debug msg="Retrieving Azure DNS records for zone 'vanbrackel.net'." time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service default/kubernetes" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service default/nginx-svc" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/default-http-backend" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/ingress-nginx" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-controller" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-default-backend" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/heapster" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/kube-dns" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/kubernetes-dashboard" time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/tiller-deploy" time="2018-06-14T00:02:12Z" level=debug msg="Endpoints generated from ingress: default/nginx: [server.vanbrackel.net 0 IN A 13.68.138.206]" time="2018-06-14T00:02:12Z" level=debug msg="Retrieving Azure DNS zones." time="2018-06-14T00:02:12Z" level=debug msg="Found 1 Azure DNS zone(s)." time="2018-06-14T00:02:12Z" level=info msg="Updating A record named 'server' to '13.68.138.206' for Azure DNS zone 'vanbrackel.net'." time="2018-06-14T00:02:13Z" level=info msg="Updating TXT record named 'server' to '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginx\"' for Azure DNS zone 'vanbrackel.net'." time="2018-06-14T00:03:11Z" level=debug msg="Retrieving Azure DNS zones." time="2018-06-14T00:03:12Z" level=debug msg="Found 1 Azure DNS zone(s)." time="2018-06-14T00:03:12Z" level=debug msg="Retrieving Azure DNS records for zone 'vanbrackel.net'." time="2018-06-14T00:03:12Z" level=debug msg="Found A record for 'server.vanbrackel.net' with target '13.68.138.206'." time="2018-06-14T00:03:12Z" level=debug msg="Found TXT record for 'server.vanbrackel.net' with target '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginx\"'." time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service default/kubernetes" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service default/nginx-svc" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/default-http-backend" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/ingress-nginx" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-controller" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-default-backend" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/heapster" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/kube-dns" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/kubernetes-dashboard" time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/tiller-deploy" time="2018-06-14T00:03:12Z" level=debug msg="Endpoints generated from ingress: default/nginx: [server.vanbrackel.net 0 IN A 13.68.138.206]" time="2018-06-14T00:03:12Z" level=debug msg="Retrieving Azure DNS zones." time="2018-06-14T00:03:12Z" level=debug msg="Found 1 Azure DNS zone(s)."
您还可以在ExternalDNS的repo中了解更多信息:
https://github.com/kubernetes- ... l-dns
如希望对原文中的代码有更深入的了解,请猛戳这里:
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:- 更新配置自动化工具
- UI自动化测试之Jenkins配置
- 使用 Docker 实现 Odoo 自动化配置
- Eclipse配置MyBatis代码自动化功能
- 苏宁海量服务器自动化配置运维
- Gulp4 前端自动化工作流配置
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
The Web Application Hacker's Handbook
Dafydd Stuttard、Marcus Pinto / Wiley / 2011-9-27 / USD 50.00
The highly successful security book returns with a new edition, completely updated Web applications are the front door to most organizations, exposing them to attacks that may disclose personal infor......一起来看看 《The Web Application Hacker's Handbook》 这本书的介绍吧!