How do I set up ExternalDNS with Amazon EKS?
I want to set up ExternalDNS with my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
Short description
To install ExternalDNS, use AWS Identity and Access Management (IAM) permissions to grant Amazon EKS the access it needs to interact with Amazon Route 53.
**Note:** Before you begin the following resolution, make sure that you have a domain name and a Route 53 hosted zone.
Resolution
Set up IAM permissions and deploy ExternalDNS
Complete the following steps:
- Create the following policy to set up IAM permissions that authorize the ExternalDNS pod to create, update, and delete Route 53 records in your AWS account.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "route53:ChangeResourceRecordSets"
        ],
        "Resource": [
          "arn:aws:route53:::hostedzone/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "route53:ListHostedZones",
          "route53:ListResourceRecordSets",
          "route53:ListTagsForResource"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
  ```

  **Note:** You can modify the preceding policy to allow updates only to specific hosted zone IDs.
- Use this policy to create an IAM role for the service account:

  ```
  eksctl create iamserviceaccount --name SERVICE_ACCOUNT_NAME --namespace NAMESPACE --cluster CLUSTER_NAME --attach-policy-arn IAM_POLICY_ARN --approve
  ```

  **Note:** Replace SERVICE_ACCOUNT_NAME with the name of your service account, NAMESPACE with your namespace, CLUSTER_NAME with the name of your cluster, and IAM_POLICY_ARN with the ARN of the IAM policy.

  To check the name of the service account, run the following command: kubectl get sa

  In the following example output, external-dns is the name that was given to the service account when it was created:

  ```
  NAME           SECRETS   AGE
  default        1         23h
  external-dns   1         23h
  ```
- Run the following command to determine whether RBAC is turned on in your Amazon EKS cluster:

  ```
  kubectl api-versions | grep rbac.authorization.k8s.io
  ```

  **Note:** For the preceding command, verify the latest ExternalDNS version available on the GitHub project.
- Run the following command to deploy ExternalDNS:

  ```
  kubectl apply -f DEPLOYMENT_MANIFEST_FILE_NAME.yaml
  ```

  **Note:** Replace DEPLOYMENT_MANIFEST_FILE_NAME with the file name of your deployment manifest.

  If RBAC is turned on, use the following manifest file to deploy ExternalDNS:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: external-dns
    labels:
      app.kubernetes.io/name: external-dns
  rules:
    - apiGroups: [""]
      resources: ["services","endpoints","pods","nodes"]
      verbs: ["get","watch","list"]
    - apiGroups: ["extensions","networking.k8s.io"]
      resources: ["ingresses"]
      verbs: ["get","watch","list"]
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: external-dns-viewer
    labels:
      app.kubernetes.io/name: external-dns
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: external-dns
  subjects:
    - kind: ServiceAccount
      name: external-dns
      namespace: default # change to desired namespace: externaldns, kube-addons
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: external-dns
    labels:
      app.kubernetes.io/name: external-dns
  spec:
    strategy:
      type: Recreate
    selector:
      matchLabels:
        app.kubernetes.io/name: external-dns
    template:
      metadata:
        labels:
          app.kubernetes.io/name: external-dns
      spec:
        serviceAccountName: external-dns
        containers:
          - name: external-dns
            image: registry.k8s.io/external-dns/external-dns:v0.14.0
            args:
              - --source=service
              - --source=ingress
              - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
              - --provider=aws
              - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
              - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
              - --registry=txt
              - --txt-owner-id=external-dns
            env:
              - name: AWS_DEFAULT_REGION
                value: eu-west-1 # change to region where EKS is installed
  ```

  If RBAC is not turned on, use the following manifest to deploy ExternalDNS:

  ```yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: external-dns
    labels:
      app.kubernetes.io/name: external-dns
  spec:
    strategy:
      type: Recreate
    selector:
      matchLabels:
        app.kubernetes.io/name: external-dns
    template:
      metadata:
        labels:
          app.kubernetes.io/name: external-dns
      spec:
        containers:
          - name: external-dns
            image: registry.k8s.io/external-dns/external-dns:v0.14.0
            args:
              - --source=service
              - --source=ingress
              - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
              - --provider=aws
              - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
              - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
              - --registry=txt
              - --txt-owner-id=my-hostedzone-identifier
            env:
              - name: AWS_DEFAULT_REGION
                value: eu-west-1 # change to region where EKS is installed
  ```
- Run the following command to confirm that the deployment succeeded:

  ```
  kubectl get deployments
  ```

  Example output:

  ```
  NAME           READY   UP-TO-DATE   AVAILABLE   AGE
  external-dns   1/1     1            1           85m
  ```

  Alternatively, check the logs to confirm that the records were updated:

  ```
  kubectl logs external-dns-9f85d8d5b-sx5f
  ```

  Example output:

  ```
  ....
  time="2023-12-14T17:16:16Z" level=info msg="Instantiating new Kubernetes client"
  time="2023-12-14T17:16:16Z" level=info msg="Using inCluster-config based on serviceaccount-token"
  time="2023-12-14T17:16:16Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
  time="2023-12-14T17:16:18Z" level=info msg="Applying provider record filter for domains: [xxxxx.people.aws.dev. .xxxxx.people.aws.dev. xxxxx.people.aws.dev. .xxxxx.people.aws.dev.]"
  time="2023-12-14T17:16:18Z" level=info msg="All records are already up to date"
  ....
  ```
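The steps above grant ChangeResourceRecordSets on every hosted zone and leave the RBAC check to a manual grep. The following POSIX shell script is an added example, not part of the re:Post article or the ExternalDNS project: it builds the same policy scoped to a single hosted zone ID (the narrowing the note after step 1 suggests), detects the RBAC API group from `kubectl api-versions` output, and only calls `aws`, `eksctl` and `kubectl` when run with `--apply`. ZONE_ID, CLUSTER_NAME, NAMESPACE and POLICY_NAME are assumed placeholders you set in the environment.

```shell
#!/bin/sh
# Added example (not from the re:Post article or the ExternalDNS project).
# Builds a hosted-zone-scoped version of the article's IAM policy, checks
# whether the cluster serves the RBAC API group, and, only with --apply,
# creates the policy and the IRSA service account.
# Assumed placeholders: ZONE_ID, CLUSTER_NAME, NAMESPACE, POLICY_NAME.

# Emit the article's policy with ChangeResourceRecordSets limited to one
# hosted zone. The list statement keeps "*" exactly as the article has it.
scoped_policy_json() {
  zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Read a policy document on stdin; print "no" if it still allows record
# changes on every hosted zone, "yes" if it is scoped.
policy_is_scoped() {
  if grep -q 'hostedzone/\*'; then echo no; else echo yes; fi
}

# Read `kubectl api-versions` output on stdin; print "yes" when the RBAC
# API group is served (the same check as the article's grep), else "no".
rbac_enabled() {
  if grep -q '^rbac.authorization.k8s.io/'; then echo yes; else echo no; fi
}

# Live actions run only when explicitly requested, so the helpers above can
# be exercised offline.
if [ "${1:-}" = "--apply" ]; then
  ZONE_ID="${ZONE_ID:?set ZONE_ID to the Route 53 hosted zone ID ExternalDNS may change}"
  CLUSTER_NAME="${CLUSTER_NAME:?set CLUSTER_NAME to your EKS cluster name}"
  NAMESPACE="${NAMESPACE:-default}"
  POLICY_NAME="${POLICY_NAME:-ExternalDNSRoute53Scoped}"   # assumed name

  scoped_policy_json "$ZONE_ID" > /tmp/external-dns-policy.json
  POLICY_ARN=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document file:///tmp/external-dns-policy.json \
      --query Policy.Arn --output text)

  # Same eksctl command as step 2, with the scoped policy attached.
  eksctl create iamserviceaccount --name external-dns --namespace "$NAMESPACE" \
      --cluster "$CLUSTER_NAME" --attach-policy-arn "$POLICY_ARN" --approve

  echo "RBAC enabled: $(kubectl api-versions | rbac_enabled)"
fi
```

Run it as `ZONE_ID=Z... CLUSTER_NAME=my-cluster sh setup.sh --apply`; without `--apply` it defines the helpers and exits, which is how the offline checks below exercise it. Pick the RBAC or non-RBAC manifest from step 4 according to the printed result.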
Verify ExternalDNS
To confirm that ExternalDNS is set up correctly, complete the following steps:
- Create a service that is exposed as a LoadBalancer. This service must be externally routable through the domain name hosted on Route 53:

  ```
  kubectl apply -f SERVICE_MANIFEST_FILE_NAME.yaml
  ```

  **Note:** Replace SERVICE_MANIFEST_FILE_NAME with your service manifest's file name.

  Manifest:

  ```yaml
  apiVersion: v1
  kind: Service
  metadata:
    name: nginx
    annotations:
      external-dns.alpha.kubernetes.io/hostname: nginx.xxxxx.people.aws.dev
  spec:
    ports:
      - port: 80
        targetPort: 80
        protocol: TCP
    type: LoadBalancer
    selector:
      app: nginx
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx
  spec:
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
          - image: nginx
            name: nginx
            ports:
              - containerPort: 80
                name: http
  ```

  **Note:** ExternalDNS uses the external-dns.alpha.kubernetes.io/hostname annotation on services, together with its associated value. To assign multiple names to a service, set the external-dns.alpha.kubernetes.io/hostname annotation with comma separators.
- Check that the NGINX service was created with the LoadBalancer type:

  ```
  kubectl get svc
  ```

  Example output:

  ```
  NAME         TYPE           CLUSTER-IP      EXTERNAL-IP                                          PORT(S)        AGE
  kubernetes   ClusterIP      10.100.0.1      <none>                                               443/TCP        05h
  nginx        LoadBalancer   10.100.254.68   xxxxyyyyzzzz-123456789.eu-west-1.elb.amazonaws.com   80:30792/TCP   74m
  ```

  **Note:** This service automatically creates a Route 53 record in the hosted zone.
- Run the following command to view the logs and confirm that the Route 53 records were created successfully:

  ```
  kubectl logs external-dns-9f85d8d5b-sx5fg
  ```

  Example output:

  ```
  ...
  time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE cname-nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
  time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev A [Id: /hostedzone/Z0786329GDVAZMXYZ]"
  time="2023-12-14T17:19:19Z" level=info msg="Desired change: CREATE nginx.xxxxx.people.aws.dev TXT [Id: /hostedzone/Z0786329GDVAZMXYZ]"
  time="2023-12-14T17:19:20Z" level=info msg="3 record(s) in zone xxxxx.people.aws.dev. [Id: /hostedzone/Z0786329GDVAZMXYZ] were successfully updated"
  ...
  ```
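The log lines above show the A record and its TXT registry records being created, but reading logs does not tell you that the record in the zone is the one your ExternalDNS instance owns. The following POSIX shell script is an added example, not part of the re:Post article or the ExternalDNS project: it parses the TXT registry value that `--registry=txt` writes (format `heritage=external-dns,external-dns/owner=<txt-owner-id>,...`), compares the owner with the `--txt-owner-id` you deployed, and tallies CREATE versus DELETE lines in the ExternalDNS log so that an unexpected DELETE under `--policy=upsert-only` stands out. The live lookup runs only with `--live`; DNS_NAME, ZONE_ID and OWNER_ID are assumed placeholders, and the sample TXT value and log lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the re:Post article or the ExternalDNS project).
# Verifies that the record ExternalDNS created carries the expected owner ID
# and summarises desired changes from the ExternalDNS log.
# Assumed placeholders: DNS_NAME, ZONE_ID, OWNER_ID.

# Extract the owner ID from a TXT registry value, for example the constructed
# value "heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=service/default/nginx".
txt_owner() {
  printf '%s\n' "$1" | tr -d '"' | tr ',' '\n' | sed -n 's|^external-dns/owner=||p'
}

# Print "ok" when the TXT value was written by ExternalDNS with the given
# owner, "mismatch" for a hand-made record or another ExternalDNS instance
# (which must never share a --txt-owner-id with this one).
check_owner() {
  expected="$1"
  txt="$2"
  case "$txt" in
    *heritage=external-dns*) ;;
    *) echo mismatch; return 0 ;;
  esac
  if [ "$(txt_owner "$txt")" = "$expected" ]; then echo ok; else echo mismatch; fi
}

# Read ExternalDNS log lines on stdin and print "CREATE=<n> DELETE=<m>".
# With --policy=upsert-only, DELETE should always be 0.
count_changes() {
  log=$(cat)
  creates=$(printf '%s\n' "$log" | grep -c 'Desired change: CREATE' || true)
  deletes=$(printf '%s\n' "$log" | grep -c 'Desired change: DELETE' || true)
  echo "CREATE=$creates DELETE=$deletes"
}

# Live checks against Route 53 and DNS run only when explicitly requested.
if [ "${1:-}" = "--live" ]; then
  DNS_NAME="${DNS_NAME:?set DNS_NAME to the annotated hostname, e.g. nginx.example.com}"
  ZONE_ID="${ZONE_ID:?set ZONE_ID to the Route 53 hosted zone ID}"
  OWNER_ID="${OWNER_ID:-external-dns}"   # must equal the deployed --txt-owner-id

  # Fetch the TXT registry record for the hostname and check its owner.
  txt=$(aws route53 list-resource-record-sets --hosted-zone-id "$ZONE_ID" \
      --query "ResourceRecordSets[?Type=='TXT' && Name=='${DNS_NAME}.'].ResourceRecords[0].Value" \
      --output text)
  echo "owner check: $(check_owner "$OWNER_ID" "$txt")"

  # Confirm the name resolves (it should point at the Service's load balancer).
  nslookup "$DNS_NAME"

  # Summarise what the controller has been doing.
  kubectl logs deployment/external-dns | count_changes
fi
```

Use it as `DNS_NAME=nginx.example.com ZONE_ID=Z... OWNER_ID=external-dns sh verify.sh --live`. An owner mismatch means the record was not written by this ExternalDNS deployment, and a non-zero DELETE count with `--policy=upsert-only` deployed is worth investigating in the deployment's args.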