diff --git a/deploy/helm/kubernetes/manifests/coredns-1.8.yaml b/deploy/helm/kubernetes/manifests/coredns.yaml
similarity index 77%
rename from deploy/helm/kubernetes/manifests/coredns-1.8.yaml
rename to deploy/helm/kubernetes/manifests/coredns.yaml
index 7233a8c..5c45bbb 100644
--- a/deploy/helm/kubernetes/manifests/coredns-1.8.yaml
+++ b/deploy/helm/kubernetes/manifests/coredns.yaml
@@ -1,14 +1,20 @@
+# Source: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/coredns/coredns.yaml.base
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: coredns
 namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
 kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: Reconcile
 name: system:coredns
 rules:
 - apiGroups:
@@ -42,6 +48,7 @@ metadata:
 rbac.authorization.kubernetes.io/autoupdate: "true"
 labels:
 kubernetes.io/bootstrapping: rbac-defaults
+ addonmanager.kubernetes.io/mode: EnsureExists
 name: system:coredns
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -61,13 +68,19 @@ data:
 Corefile: |
 .:53 {
 errors
- health
+ health {
+ lameduck 5s
+ }
 ready
 kubernetes cluster.local in-addr.arpa ip6.arpa {
- pods insecure
- fallthrough in-addr.arpa ip6.arpa
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
 }
 prometheus :9153
+ forward . /etc/resolv.conf {
+ max_concurrent 1000
+ }
 cache 30
 loop
 reload
@@ -81,6 +94,8 @@ metadata:
 namespace: kube-system
 labels:
 k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
 kubernetes.io/name: "CoreDNS"
 spec:
 replicas: {{ .Values.coredns.replicaCount }}
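Review bot: The new `# Source:` comment at the top of the first hunk points at `master`, so the upstream revision this manifest was synced from cannot be recovered when the file is next diffed against the base; pin the URL to the tag or commit the copy was taken from, e.g. `# Source: https://github.com/kubernetes/kubernetes/blob/<upstream-tag-or-commit>/cluster/addons/dns/coredns/coredns.yaml.base`. Since the last hunk in this diff splices the file into a `coredns.yaml: |` block scalar via `tpl ... | nindent 4`, the leading comment and the added `---` travel inside that string rather than acting as a document marker at template-parse time; that looks harmless, but a short comment above the `---` saying the file is embedded by `kubedns-manifests.yaml` would stop a later reader from "fixing" it.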
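Review bot: The `forward . /etc/resolv.conf { max_concurrent 1000 }` stanza added in the Corefile hunk is the only upstream-forwarding plugin visible, but the old server block continues past `reload` outside the hunk; if the previous Corefile carried its own `forward` (or `proxy`) stanza further down, it has to go in the same change, because CoreDNS accepts `forward` only once per server block and the `reload` plugin would then refuse the new ConfigMap rather than apply it. The `max_concurrent 1000` cap is a sensible bound on in-flight upstream queries and deserves a one-line Corefile comment such as `# bound upstream fan-out; tune for cluster size`. `pods insecure` is carried over unchanged: per the kubernetes plugin's documentation it answers pod A records without checking that the pod exists and is kept only for kube-dns compatibility, so if nothing in this chart relies on that, `pods verified` (at the cost of a pod watch) or dropping the `pods` line is the stricter setting.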
@@ -96,13 +111,27 @@ spec:
 labels:
 k8s-app: kube-dns
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 priorityClassName: system-cluster-critical
 serviceAccountName: coredns
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values: ["kube-dns"]
+ topologyKey: kubernetes.io/hostname
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
 nodeSelector:
- beta.kubernetes.io/os: linux
+ kubernetes.io/os: linux
 {{- with .Values.coredns.image.pullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 10 }}
@@ -130,14 +159,6 @@ spec:
 - containerPort: 9153
 name: metrics
 protocol: TCP
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- add:
- - NET_BIND_SERVICE
- drop:
- - all
- readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /health
@@ -152,6 +173,14 @@ spec:
 path: /ready
 port: 8181
 scheme: HTTP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - all
+ readOnlyRootFilesystem: true
 dnsPolicy: Default
 volumes:
 - name: config-volume
@@ -172,6 +201,7 @@ metadata:
 labels:
 k8s-app: kube-dns
 kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
 kubernetes.io/name: "CoreDNS"
 spec:
 selector:
diff --git a/deploy/helm/kubernetes/templates/kubedns-manifests.yaml b/deploy/helm/kubernetes/templates/kubedns-manifests.yaml
index 6b0d65a..6f70787 100644
--- a/deploy/helm/kubernetes/templates/kubedns-manifests.yaml
+++ b/deploy/helm/kubernetes/templates/kubedns-manifests.yaml
@@ -8,6 +8,6 @@ metadata:
 data:
 {{- if .Values.coredns.enabled }}
 coredns.yaml: |
- {{- tpl (.Files.Get "manifests/coredns-1.8.yaml") . | nindent 4 }}
+ {{- tpl (.Files.Get "manifests/coredns.yaml") . | nindent 4 }}
 {{- end }}
 {{- end }}
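Review bot: The container `securityContext` re-added after the readiness probe in the `@@ -152,6 +173,14 @@` hunk still sets no `runAsNonRoot`, so with the pod-level `seccompProfile: RuntimeDefault` introduced in the `@@ -96,13 +111,27 @@` hunk above the workload is one field short of the Restricted pod security standard; add `runAsNonRoot: true` next to `readOnlyRootFilesystem: true` (the CoreDNS image is, as far as I can tell, built to run as a non-root user, but confirm against the image this chart pins). The capability list drops `all` in lowercase; runtimes accept that, but as far as I recall the pod-security admission restricted check matches the literal `ALL`, so `- ALL` is the safer spelling. The relocation itself is behaviour-neutral — the removed block in `@@ -130,14 +159,6 @@` has the same fields — so this is the right place to make both adjustments.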