How do I set up ExternalDNS with Amazon EKS?
I want to set up ExternalDNS with my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
Short description
To install ExternalDNS, use AWS Identity and Access Management (AWS IAM) permissions to grant Amazon EKS the access it needs to interact with Amazon Route 53.
**Note:** Before you start the following resolution, make sure that you have a domain name and a Route 53 hosted zone.
Resolution
Set up IAM permissions and deploy ExternalDNS
Complete the following steps:
- Create the following policy to set up IAM permissions that allow the ExternalDNS pod to create, update, and delete Route 53 records in your AWS account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
**Note:** You can modify the preceding policy to allow updates to specific hosted zone IDs only.
- Use this policy to create an IAM role for the service account:

```shell
eksctl create iamserviceaccount --name SERVICE_ACCOUNT_NAME --namespace NAMESPACE --cluster CLUSTER_NAME --attach-policy-arn IAM_POLICY_ARN --approve
```
**Note:** Replace SERVICE_ACCOUNT_NAME with the name of your service account, NAMESPACE with your namespace, CLUSTER_NAME with the name of your cluster, and IAM_POLICY_ARN with the ARN of your IAM policy.
To view the name of the service account, run the following command:
```shell
kubectl get sa
```
In the following example output, external-dns is the name that was given to the service account when it was created:
```
NAME           SECRETS   AGE
default        1         23h
external-dns   1         23h
```
- Run the following command to determine whether RBAC is enabled in your Amazon EKS cluster:

```shell
kubectl api-versions | grep rbac.authorization.k8s.io
```
**Note:** For the preceding command, check the latest version of ExternalDNS that is used on the GitHub project.
- Run the following command to deploy ExternalDNS:

```shell
kubectl apply -f DEPLOYMENT_MANIFEST_FILE_NAME.yaml
```
**Note:** Replace DEPLOYMENT_MANIFEST_FILE_NAME with the file name of your deployment manifest.
If RBAC is enabled, use the following manifest to deploy ExternalDNS:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","pods","nodes"]
    verbs: ["get","watch","list"]
  - apiGroups: ["extensions","networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  labels:
    app.kubernetes.io/name: external-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: default # change to desired namespace: externaldns, kube-addons
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0
          args:
            - --source=service
            - --source=ingress
            - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=external-dns
          env:
            - name: AWS_DEFAULT_REGION
              value: eu-west-1 # change to region where EKS is installed
```
If RBAC isn't enabled, use the following manifest to deploy ExternalDNS:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  labels:
    app.kubernetes.io/name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: external-dns
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-dns
    spec:
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0
          args:
            - --source=service
            - --source=ingress
            - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=my-hostedzone-identifier
          env:
            - name: AWS_DEFAULT_REGION
              value: eu-west-1 # change to region where EKS is installed
```
- Run the following command to verify that the deployment succeeded:

```shell
kubectl get deployments
```
Example output:
```
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
external-dns   1/1     1            1           85m
```
Or, check the logs to verify that the records are updated:
```shell
kubectl logs external-dns-9f85d8d5b-sx5f
```
Example output:
```
....
time="2023-12-14T17:16:16Z" level=info msg="Instantiating new Kubernetes client"
time="2023-12-14T17:16:16Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2023-12-14T17:16:16Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
time="2023-12-14T17:16:18Z" level=info msg="Applying provider record filter for domains: [xxxxx.people.aws.dev. .xxxxx.people.aws.dev. xxxxx.people.aws.dev. .xxxxx.people.aws.dev.]"
time="2023-12-14T17:16:18Z" level=info msg="All records are already up to date"
....
```
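The note under the policy step says the policy can be narrowed to specific hosted zone IDs. The following Python helper, added here and not part of the original article, builds that narrowed policy for the IAM role the steps above attach to the ExternalDNS service account, and flags any statement that still lets route53:ChangeResourceRecordSets reach every hosted zone; the zone IDs it is exercised with are constructed placeholders.

```python
import fnmatch
import re

_ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]{1,31}$")  # Route 53 hosted zone ID shape
_WRITE_ACTION = "route53:ChangeResourceRecordSets"

def build_external_dns_policy(hosted_zone_ids):
    """Article's ExternalDNS policy with the only write action limited to the given zones.
    The List* actions stay on "*" as in the article (ListHostedZones takes no resource)."""
    if not hosted_zone_ids:
        raise ValueError("at least one hosted zone ID is required")
    bad = [z for z in hosted_zone_ids if not _ZONE_ID_RE.match(z)]
    if bad:
        raise ValueError(f"invalid hosted zone ID(s): {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [_WRITE_ACTION],
                "Resource": [f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids],
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets",
                           "route53:ListTagsForResource"],
                "Resource": ["*"],
            },
        ],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def wildcard_write_resources(policy):
    """Every Resource that lets the write action reach all hosted zones: the article's
    "hostedzone/*", a bare "*", or an action wildcard such as "route53:*" paired with "*"."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(_WRITE_ACTION.lower(), a) for a in actions):
            continue
        findings.extend(r for r in _as_list(stmt.get("Resource")) if r.endswith("*"))
    return findings
```

Run wildcard_write_resources over the policy document before you pass its ARN to eksctl create iamserviceaccount; an empty list means record writes are confined to the listed zones.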
Verify ExternalDNS
To confirm that ExternalDNS is set up correctly, complete the following steps:
- Create a service that is exposed as a LoadBalancer. The service must route externally through a domain name that is hosted on Route 53:

```shell
kubectl apply -f SERVICE_MANIFEST_FILE_NAME.yaml
```
**Note:** Replace SERVICE_MANIFEST_FILE_NAME with your service manifest's file name.
Manifest:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    external-dns.alpha.kubernetes.io/hostname: nginx.xxxxx.people.aws.dev
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: nginx
          name: nginx
          ports:
            - containerPort: 80
              name: http
```
**Note:** ExternalDNS uses the external-dns.alpha.kubernetes.io/hostname annotation on services, together with the value associated with it. To assign multiple names to a service, configure the external-dns.alpha.kubernetes.io/hostname annotation with comma-separated values.
- Check that the NGINX service was created with the LoadBalancer type:

```shell
kubectl get svc
```
Example output:
```
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP                                          PORT(S)        AGE
kubernetes   ClusterIP      10.100.0.1      <none>                                               443/TCP        05h
nginx        LoadBalancer   10.100.254.68   xxxxyyyyzzzz-123456789.eu-west-1.elb.amazonaws.com   80:30792/TCP   74m
```
**Note:** The service automatically creates Route 53 records in the hosted zone.
- Run the following command to view the logs and confirm that the Route 53 records were created successfully:

```shell
kubectl logs external-dns-9f85d8d5b-sx5fg
```
Example output:
```
...
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE cname-nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev A [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
time="2023-12-14T17:19:20Z" level=info msg="3 record(s) in zone xxxxx.people.aws.dev. [Id: /hostedzone/Z0786329GDVAZMXYZ] were successfully updated"
...
```
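To check that log output programmatically rather than by eye, the following Python snippet (added here, not from the original article) parses the "Desired change" lines, confirms that a hostname received its A record plus the same-name and cname- prefixed TXT ownership records that --registry=txt writes, and surfaces any DELETE that a --policy=upsert-only deployment should never produce. The log lines, hostnames, and zone ID embedded in it are constructed placeholders in the shape of the article's output.

```python
import re

# Constructed log lines in the shape of the article's output; hostnames and the zone ID are placeholders.
SAMPLE_LOG = """\
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE cname-nginx.example.test TXT [Id: /hostedzone/Z0EXAMPLE123]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.example.test A [Id: /hostedzone/Z0EXAMPLE123]"
time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.example.test TXT [Id: /hostedzone/Z0EXAMPLE123]"
time="2023-12-14T17:19:20Z" level=info msg="Desired change: DELETE old.example.test A [Id: /hostedzone/Z0EXAMPLE123]"
time="2023-12-14T17:19:20Z" level=info msg="4 record(s) in zone example.test. [Id: /hostedzone/Z0EXAMPLE123] were successfully updated"
"""

_CHANGE_RE = re.compile(
    r'time="(?P<time>[^"]+)" level=(?P<level>\w+) '
    r'msg="Desired change: (?P<action>CREATE|UPSERT|DELETE) (?P<name>\S+) (?P<type>[A-Z]+) '
    r'\[Id: /hostedzone/(?P<zone>[A-Z0-9]+)\]"'
)

def parse_desired_changes(log_text):
    """One dict per 'Desired change' line; summary and client lines are ignored."""
    matches = (_CHANGE_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def record_types_for(changes, name, action="CREATE"):
    """Record types the given action produced for one hostname."""
    return {c["type"] for c in changes if c["name"] == name and c["action"] == action}

def ownership_complete(changes, name):
    """True when the hostname got its A/CNAME record plus the same-name TXT and the
    'cname-' prefixed TXT that --registry=txt writes (the pattern in the article's log)."""
    created = record_types_for(changes, name)
    return bool(created & {"A", "CNAME"}) and "TXT" in created \
        and "TXT" in record_types_for(changes, f"cname-{name}")

def deletions(changes):
    """DELETE changes: --policy=upsert-only should never produce these, so alert if any appear."""
    return [c for c in changes if c["action"] == "DELETE"]
```

Feed it the output of kubectl logs for the external-dns pod; a non-empty deletions() result on an upsert-only deployment means the running manifest is not the one you intended to apply.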