From ffbd1b56c826b2a5308d71306dc0e4c16d672524 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 21 Dec 2025 18:23:27 -0500
Subject: [PATCH] Install CoreDNS.
---
 .../files/manifests/coredns.yaml | 214 ++++++++++++++++++
 .../files/manifests/flux_instance.yaml | 9 +
 .../keys/package/bootstrap-script/package.nix | 2 +
 .../roles/kubelet/files/kubelet-config.yaml | 2 +-
 4 files changed, 226 insertions(+), 1 deletion(-)
 create mode 100644 nix/kubernetes/keys/package/bootstrap-script/files/manifests/coredns.yaml
 create mode 100644 nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml
diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/coredns.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/coredns.yaml
new file mode 100644
index 00000000..e1046cd2
--- /dev/null
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/coredns.yaml
@@ -0,0 +1,214 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: system:coredns
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: EnsureExists
+ name: system:coredns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:coredns
+subjects:
+ - kind: ServiceAccount
+ name: coredns
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health {
+ lameduck 5s
+ }
+ ready
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ }
+ prometheus :9153
+ forward . /etc/resolv.conf {
+ max_concurrent 1000
+ }
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: coredns
+ namespace: kube-system
+ labels:
+ k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ # replicas: not specified here:
+ # 1. In order to make Addon Manager do not reconcile this replicas parameter.
+ # 2. Default is 1.
+ # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ k8s-app: kube-dns
+ template:
+ metadata:
+ labels:
+ k8s-app: kube-dns
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ priorityClassName: system-cluster-critical
+ serviceAccountName: coredns
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values: ["kube-dns"]
+ topologyKey: kubernetes.io/hostname
+ tolerations:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: coredns
+ image: registry.k8s.io/coredns/coredns:v1.13.1
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ memory: 70Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ args: ["-conf", "/etc/coredns/Corefile"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/coredns
+ readOnly: true
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - containerPort: 9153
+ name: metrics
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8181
+ scheme: HTTP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ dnsPolicy: Default
+ volumes:
+ - name: config-volume
+ configMap:
+ name: coredns
+ items:
+ - key: Corefile
+ path: Corefile
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kube-dns
+ namespace: kube-system
+ annotations:
+ prometheus.io/port: "9153"
+ prometheus.io/scrape: "true"
+ labels:
+ k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "CoreDNS"
+spec:
+ selector:
+ k8s-app: kube-dns
+ # clusterIP: $DNS_SERVER_IP
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
+ - name: metrics
+ port: 9153
+ protocol: TCP
diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml
new file mode 100644
index 00000000..e0c756a6
--- /dev/null
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml
@@ -0,0 +1,9 @@
+apiVersion: fluxcd.controlplane.io/v1
+kind: FluxInstance
+metadata:
+ name: flux
+ namespace: flux-system
+spec:
+ distribution:
+ version: "2.7.x"
+ registry: "ghcr.io/fluxcd"
diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix
index bfaa8475..ce3d0e31 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -30,8 +30,10 @@ let
 lib.concatMapStringsSep "," lib.escapeShellArg [
 ./files/manifests/initial_clusterrole.yaml
 ./files/manifests/cilium.yaml
+ ./files/manifests/coredns.yaml
 ./files/manifests/flux_namespace.yaml
 ./files/manifests/flux.yaml
+ ./files/manifests/flux_instance.yaml
 ]
 );
 apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
diff --git a/nix/kubernetes/roles/kubelet/files/kubelet-config.yaml b/nix/kubernetes/roles/kubelet/files/kubelet-config.yaml
index 2313c535..70890870 100644
--- a/nix/kubernetes/roles/kubelet/files/kubelet-config.yaml
+++ b/nix/kubernetes/roles/kubelet/files/kubelet-config.yaml
@@ -18,7 +18,7 @@ maxPods: 16
 memorySwap:
 swapBehavior: NoSwap
 port: 10250
-resolvConf: "/etc/resolv.conf"
+resolvConf: "/run/systemd/resolve/resolv.conf"
 registerNode: true
 runtimeRequestTimeout: "15m"
 tlsCertFile: "/.persist/keys/kube/kubelet.crt"
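Review bot: The kube-dns Service leaves its address unpinned (`# clusterIP: $DNS_SERVER_IP` is the upstream addon's unexpanded substitution placeholder), so the DNS IP is whatever the apiserver allocates at apply time and changes if the Service is ever deleted and recreated, while every pod's resolver is pointed at that IP through the kubelet's `clusterDNS` setting, which is not visible in this diff. Pin it from the service CIDR, e.g. `clusterIP: <cluster-dns-ip>`, and keep the kubelet value in step with it. The Corefile's `pods insecure` answers pod-IP names without checking that the pod exists, for kube-dns compatibility; the `system:coredns` ClusterRole in this file already grants list/watch on pods, so `pods verified` is the stricter choice if nothing depends on the legacy behaviour. Consider pinning the image by digest too (`image: registry.k8s.io/coredns/coredns:v1.13.1@sha256:<digest>`), since `imagePullPolicy: IfNotPresent` with a tag alone means a node with a cached image and a node pulling fresh can end up running different bytes as the cluster resolver.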
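Review bot: `version: "2.7.x"` is a floating semver range, so (as I understand the flux-operator's distribution handling) the operator moves the installed Flux to each new 2.7 patch as it appears in `ghcr.io/fluxcd` without any change to this repo, which makes the controllers that apply cluster-wide changes an unpinned supply-chain input. If automatic patch upgrades are intended, say so in a comment above the field, e.g. `# floating range: the operator upgrades to new 2.7 patch releases on its own`; otherwise pin an exact release, `version: "<exact 2.7 release>"`, and bump it deliberately.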
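Review bot: `flux_instance.yaml` is a custom resource (`fluxcd.controlplane.io/v1` FluxInstance) that is applied in the same `kubectl apply -f` invocation as `flux.yaml`; if `flux.yaml` is what installs the operator and its CRD (it is not visible here), a single apply resolves resource kinds up front and fails on the FluxInstance with a no-matches / "ensure CRDs are installed first" error because the CRD is not yet established. Apply it in a second pass after the CRD exists, e.g. by splitting the list into a base set and a follow-up apply preceded by `kubectl wait --for=condition=Established crd/fluxinstances.fluxcd.controlplane.io --timeout=<duration>`. The `let` block that holds this list starts outside the hunk.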
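Review bot: The switch to `/run/systemd/resolve/resolv.conf` carries no comment, and the reason is not local to this file: the CoreDNS Deployment added in the same commit runs with `dnsPolicy: Default` and `forward . /etc/resolv.conf`, so it inherits this resolver list, and systemd-resolved's stub entry in `/etc/resolv.conf` (127.0.0.53) is not reachable from a pod's network namespace, which would break upstream forwarding and trip CoreDNS's `loop` plugin. Add a line above it such as `# upstream resolvers from systemd-resolved, not the 127.0.0.53 stub: pods with dnsPolicy Default (including CoreDNS) inherit this file`. This also assumes the node actually runs systemd-resolved so the path exists, which the kubelet role presumably guarantees but this diff does not show.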