This repository has been archived by the owner on Sep 30, 2020. It is now read-only.
[v0.16.x] Allow dnsmasq to be backed by a local copy of CoreDNS #1895
Merged
dominicgunn
merged 2 commits into
kubernetes-retired:v0.16.x
from
kfr2:coredns-local-v0.16.x
Sep 8, 2020
Conversation
k8s-ci-robot added the `cncf-cla: yes` label (Indicates the PR's author has signed the CNCF CLA.) on Aug 4, 2020
k8s-ci-robot added the `size/XL` label (Denotes a PR that changes 500-999 lines, ignoring generated files.) on Aug 4, 2020
/lgtm

dominicgunn approved these changes on Aug 4, 2020
kfr2 force-pushed the coredns-local-v0.16.x branch from c0087f0 to 3e2e774 on August 4, 2020 15:35

New changes are detected. LGTM label has been removed.
kfr2 force-pushed the coredns-local-v0.16.x branch 2 times, most recently from e11c828 to f0ec1cb on August 4, 2020 19:17

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
dominicgunn suggested changes on Aug 13, 2020

Change required.
kfr2 force-pushed the coredns-local-v0.16.x branch from c8fc2b2 to 745d25a on August 17, 2020 12:11

dominicgunn approved these changes on Aug 18, 2020
kfr2 force-pushed the coredns-local-v0.16.x branch 3 times, most recently from 68c58bb to 313e547 on August 28, 2020 13:56

kfr2 force-pushed the coredns-local-v0.16.x branch from 25ccf75 to 4beed8a on September 3, 2020 14:43
This commit allows the user to specify that dnsmasq should be backed by a pod-local copy of CoreDNS rather than relying on the global CoreDNS service. If enabled, the dnsmasq-node DaemonSet will be configured to use a local copy of CoreDNS for its resolution while setting the global CoreDNS service as a fallback. This is handy in situations where the number of DNS requests within a cluster grows large and causes resolution issues as dnsmasq reaches out to the global CoreDNS service.

Additionally, several values passed to dnsmasq are now configurable including its `--cache-size` and `--dns-forward-max`.

See [this postmortem](https://github.com/zalando-incubator/kubernetes-on-aws/blob/dev/docs/postmortems/jan-2019-dns-outage.md) for an investigation into this situation which was instrumental in understanding issues we were facing. Many thanks to dominicgunn for providing the manifests which I codified into this commit.

---

These features can be enabled and tuned by setting the following values within cluster.yaml:

```yaml
kubeDns:
  dnsmasq:
    coreDNSLocal:
      # When enabled, this will run a copy of CoreDNS within each DNS-masq pod and
      # configure the utility to use it for resolution.
      enabled: true
      # Defines the resource requests/limits for the coredns-local container.
      # cpu and/or memory constraints can be removed by setting the appropriate value(s)
      # to an empty string.
      resources:
        requests:
          cpu: 50m
          memory: 100Mi
        limits:
          cpu: 50m
          memory: 100Mi
    # The size of dnsmasq's cache.
    cacheSize: 50000
    # The maximum number of concurrent DNS queries.
    dnsForwardMax: 500
    # This option gives a default value for time-to-live (in seconds) which dnsmasq
    # uses to cache negative replies even in the absence of an SOA record.
    negTTL: 60
```

The dnsmasq-node ServiceAccount must exist whether or not CoreDNS-local has been enabled. Therefore, it is created alongside the DaemonSet rather than as part of the coredns-local manifest.

Additionally, always create dnsmasq-node-coredns-local.yaml. If this file does not exist (as would be the case if the CoreDNS local feature has not been enabled), controller nodes will fail to come up with the error:

> error: the path "/srv/kubernetes/manifests/dnsmasq-node-coredns-local.yaml" does not exist

This is caused when `kubectl delete` is called against the file because of the line `remove "${mfdir}/dnsmasq-node-coredns-local.yaml`. This manifest must always be generated because the CoreDNS-local feature cannot be enabled and then later disabled without otherwise requiring manual operator intervention.
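The commit message above describes the feature in terms of cluster.yaml keys and the dnsmasq flags they feed. The following added example (written for this page, not kube-aws code or the project's templates) renders those keys into a dnsmasq argument list and into the coredns-local container's resource block, applying the "empty string removes the constraint" rule and rejecting non-positive tunables. Everything not in the PR description is an assumption and marked as such: the nesting of the tuning keys next to `coreDNSLocal`, the local CoreDNS address `127.0.0.1#10053`, the global service address `10.3.0.10#53`, and the use of `--strict-order` to turn "global CoreDNS as a fallback" into an ordering dnsmasq actually honours.

```python
"""Added example (not kube-aws code): render the dnsmasq flags and the
coredns-local container resources implied by the cluster.yaml fragment
from the PR description. Assumptions are marked inline."""

# Constructed transcription of the cluster.yaml fragment in the PR description.
# The nesting of the dnsmasq tuning keys next to coreDNSLocal is an assumption.
# limits.memory is set to "" here to exercise the "empty string removes the
# constraint" rule described in the fragment's comments.
CLUSTER_CONFIG = {
    "kubeDns": {
        "dnsmasq": {
            "coreDNSLocal": {
                "enabled": True,
                "resources": {
                    "requests": {"cpu": "50m", "memory": "100Mi"},
                    "limits": {"cpu": "50m", "memory": ""},
                },
            },
            "cacheSize": 50000,
            "dnsForwardMax": 500,
            "negTTL": 60,
        }
    }
}

# Assumed upstream addresses in dnsmasq's IP#port syntax: neither the pod-local
# CoreDNS port nor the global CoreDNS service IP is given on the page.
LOCAL_COREDNS = "127.0.0.1#10053"
GLOBAL_COREDNS = "10.3.0.10#53"

TUNABLES = {
    # config key     -> (dnsmasq flag, default used when the key is absent)
    "cacheSize":     ("--cache-size", 50000),
    "dnsForwardMax": ("--dns-forward-max", 500),
    "negTTL":        ("--neg-ttl", 60),
}


def config_errors(config):
    """Return a list of problems with the dnsmasq section; empty means valid."""
    errors = []
    dm = config.get("kubeDns", {}).get("dnsmasq", {})
    for key, (flag, _) in TUNABLES.items():
        value = dm.get(key)
        if value is None:
            continue
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            errors.append(f"{key} ({flag}) must be a positive integer, got {value!r}")
    local = dm.get("coreDNSLocal", {})
    if not isinstance(local.get("enabled", False), bool):
        errors.append("coreDNSLocal.enabled must be true or false")
    return errors


def render_dnsmasq_args(config, local=LOCAL_COREDNS, global_=GLOBAL_COREDNS):
    """Return the dnsmasq argv for the given config.

    With coreDNSLocal enabled both upstreams are listed, local first, and
    --strict-order makes dnsmasq try them in that order. Without it dnsmasq
    sends queries to whichever upstream it currently favours, so the global
    service would not behave as a fallback. Using --strict-order for this is
    an assumption of this example, not necessarily what kube-aws generates.
    """
    errors = config_errors(config)
    if errors:
        raise ValueError("; ".join(errors))
    dm = config["kubeDns"]["dnsmasq"]
    args = ["--no-resolv"]  # ignore the node's /etc/resolv.conf entirely
    for key, (flag, default) in TUNABLES.items():
        args.append(f"{flag}={dm.get(key, default)}")
    if dm.get("coreDNSLocal", {}).get("enabled", False):
        args += ["--strict-order", f"--server={local}", f"--server={global_}"]
    else:
        args.append(f"--server={global_}")
    return args


def render_resources(config):
    """Resource block for the coredns-local container with "" constraints dropped."""
    res = config["kubeDns"]["dnsmasq"].get("coreDNSLocal", {}).get("resources", {})
    rendered = {}
    for kind in ("requests", "limits"):
        kept = {k: v for k, v in res.get(kind, {}).items() if v != ""}
        if kept:
            rendered[kind] = kept
    return rendered


if __name__ == "__main__":
    print(" ".join(render_dnsmasq_args(CLUSTER_CONFIG)))
    print(render_resources(CLUSTER_CONFIG))
```

The ordering point is the one to check on a real cluster: dnsmasq's manual documents that, by default, it sends queries to any upstream it knows about and favours the ones it believes are up, and only `--strict-order` forces the listed order. If the generated DaemonSet lists both upstreams without it, the global CoreDNS service still receives a share of queries rather than acting purely as a fallback.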
kfr2 force-pushed the coredns-local-v0.16.x branch from 4beed8a to d9906df on September 8, 2020 10:58