Merge pull request #170 from AkihiroSuda/coredns

Add CoreDNS

README.md

@@ -46,6 +46,7 @@ Usernetes aims to provide a reference distribution of Kubernetes that can be ins
   * CRI-O
 * Multi-node CNI
   * Flannel (VXLAN)
+* CoreDNS
 
 Currently, Usernetes uses our patched version of `kubelet` and `kube-proxy`. We are proposing our patches to the Kubernetes upstream. See [#42](https://github.com/rootless-containers/usernetes/issues/42) for the current status.
 
@@ -198,6 +199,20 @@ Enqueued auxiliary job 540 u7s-kube-proxy.service/start.
     State: running
 ...
 [INFO] Hint: `sudo loginctl enable-linger` to start user services automatically on the system start up.
+[INFO] Hint: To enable addons including CoreDNS, run: kubectl apply -f /home/exampleuser/gopath/src/github.com/rootless-containers/usernetes/manifests/*.yaml
+[INFO] Hint: KUBECONFIG=/home/exampleuser/.config/usernetes/master/admin-localhost.kubeconfig
+```
+
+To enable CoreDNS:
+```console
+$ export KUBECONFIG="$HOME/.config/usernetes/master/admin-localhost.kubeconfig"
+$ kubectl apply -f manifests/*.yaml
+serviceaccount/coredns created
+clusterrole.rbac.authorization.k8s.io/system:coredns created
+clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
+configmap/coredns created
+deployment.apps/coredns created
+service/kube-dns created
 ```
 
 To use CRI-O:
@@ -247,6 +262,7 @@ Wait until `docker ps` shows "healty" as the status of `usernetes-node` containe
 ```console
 $ docker cp usernetes-node:/home/user/.config/usernetes/master/admin-localhost.kubeconfig docker.kubeconfig
 $ export KUBECONFIG=./docker.kubeconfig
+$ kubectl apply -f manifests/*.yaml
 $ kubectl run -it --rm --image busybox foo
 / #
 ```
@@ -256,6 +272,7 @@ $ kubectl run -it --rm --image busybox foo
 ```console
 $ make up
 $ export KUBECONFIG=$HOME/.config/usernetes/docker-compose.kubeconfig
+$ kubectl apply -f manifests/*.yaml
 ```
 
 Flannel VXLAN `10.5.0.0/16` is configured by default.

boot/kube-apiserver.sh

@@ -17,6 +17,7 @@ exec $(dirname $0)/nsenter.sh kube-apiserver \
 	--service-account-key-file=$XDG_CONFIG_HOME/usernetes/master/service-account.pem \
 	--service-cluster-ip-range=10.0.0.0/24 \
 	--port=0 \
+	--advertise-address=$(cat $XDG_RUNTIME_DIR/usernetes/parent_ip) \
 	--allow-privileged \
 	$@
 

boot/kubelet.sh

@@ -14,6 +14,9 @@ authentication:
     clientCAFile: "$XDG_CONFIG_HOME/usernetes/node/ca.pem"
 tlsCertFile: "$XDG_CONFIG_HOME/usernetes/node/node.pem"
 tlsPrivateKeyFile: "$XDG_CONFIG_HOME/usernetes/node/node-key.pem"
+clusterDomain: "cluster.local"
+clusterDNS:
+  - "10.0.0.53"
 failSwapOn: false
 featureGates:
   DevicePlugins: false

common/cfssl.sh

@@ -141,11 +141,12 @@ else
 	log::info "Creating ${master_d}/{kubernetes.pem,kubernetes-key.pem}"
 	k_hostnames="kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local"
 	ip_addrs=$(hostname -I | sed -e 's/ /,/g' -e 's/,$//g')
+	k_cluster_ip="10.0.0.1"
 	cfssl gencert -loglevel="$loglevel" \
 		-ca="${master_d}/ca.pem" \
 		-ca-key="${master_d}/ca-key.pem" \
 		-config="$cc/ca-config.json" \
-		-hostname=${master},$(hostname),${ip_addrs},localhost,127.0.0.1,${k_hostnames} \
+		-hostname=${master},$(hostname),${ip_addrs},localhost,127.0.0.1,${k_hostnames},${k_cluster_ip} \
 		-profile=kubernetes \
 		"$cc/kubernetes-csr.json" | cfssljson -bare "${master_d}/kubernetes"
 fi

install.sh

@@ -413,6 +413,7 @@ time systemctl --user -T start $start
 systemctl --user --all --no-pager list-units 'u7s-*'
 set +x
 INFO 'Hint: `sudo loginctl enable-linger` to start user services automatically on the system start up.'
+INFO "Hint: To enable addons including CoreDNS, run: kubectl apply -f ${base}/manifests/*.yaml"
 if [[ -f ${config_dir}/usernetes/master/admin-localhost.kubeconfig ]]; then
 	INFO "Hint: KUBECONFIG=${config_dir}/usernetes/master/admin-localhost.kubeconfig"
 fi

manifests/coredns.yaml

@@ -0,0 +1,182 @@
+# from https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/1.15.3/deployments/coredns.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:coredns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - services
+  - pods
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:coredns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:coredns
+subjects:
+- kind: ServiceAccount
+  name: coredns
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: kube-system
+data:
+  Corefile: |
+    .:53 {
+        errors
+        health
+        ready
+        kubernetes cluster.local in-addr.arpa ip6.arpa {
+          pods insecure
+          fallthrough in-addr.arpa ip6.arpa
+        }
+        forward . /etc/resolv.conf
+        prometheus :9153
+        cache 30
+        loop
+        reload
+        loadbalance
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/name: "CoreDNS"
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: coredns
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      containers:
+      - name: coredns
+        image: coredns/coredns:1.6.9
+        imagePullPolicy: IfNotPresent
+        resources:
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        args: [ "-conf", "/etc/coredns/Corefile" ]
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/coredns
+          readOnly: true
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 9153
+          name: metrics
+          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8181
+            scheme: HTTP
+      dnsPolicy: Default
+      volumes:
+        - name: config-volume
+          configMap:
+            name: coredns
+            items:
+            - key: Corefile
+              path: Corefile
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "9153"
+    prometheus.io/scrape: "true"
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "CoreDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  clusterIP: 10.0.0.53
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+  - name: metrics
+    port: 9153
+    protocol: TCP