二进制部署coredns与kube-apiserver通讯

二进制部署coredns与kube-apiserver通讯

作者: 钾肥尔德 | 来源:发表于2019-11-23 17:33 被阅读0次

**纯粹好玩,但能力有限,部署后仍无法解析集群内外的域名,故仅做记录**

  • 准备
# Lay out the CoreDNS install tree (TLS material, config, binary) and unpack the release.
coredns_home=/opt/coredns
mkdir -p -- "${coredns_home}/ssl" "${coredns_home}/cfg" "${coredns_home}/bin"
tar -zxf coredns_1.6.5_linux_amd64.tgz
# The tarball is expected to leave a single "coredns" binary in the current directory.
cp -- coredns "${coredns_home}/bin"
  • 认证文件
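# Run this from the directory holding the kube-apiserver CA material
# (ca.pem, ca-key.pem, ca-config.json).
# Quoted delimiter: nothing inside the heredoc is subject to shell expansion.
cat > coredns-csr.json <<'EOF'
{
  "CN": "system:kube-coredns",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Shanghai",
      "ST": "Shanghai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Issue a client certificate signed by the cluster CA; cfssljson writes
# kube-coredns.pem and kube-coredns-key.pem next to the CSR.
# NOTE(review): a client certificate authenticates as its CN ("system:kube-coredns"),
# which is not the "coredns" user that the clusterrolebinding below grants rights to;
# only the token identity is authorised. Confirm which credential CoreDNS presents.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes coredns-csr.json \
  | cfssljson -bare kube-coredns

cp -- ca.pem kube-coredns-key.pem kube-coredns.pem /opt/coredns/ssl
# The private key must never be readable by other local users.
chmod 0600 /opt/coredns/ssl/kube-coredns-key.pem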
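# Mint a random bearer token for the CoreDNS user and register it in the
# kube-apiserver static token file (the file given to --token-auth-file).
token_csv=/opt/kubernetes/cfg/token.csv   # adjust to where your token.csv really lives
COREDNS_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# Abort (with a message) rather than appending an empty token row.
: "${COREDNS_TOKEN:?token generation failed}"
# Row format: token,user,uid,group. Quoted expansion and printf avoid word-splitting
# and keep the token out of echo's option parsing.
printf '%s,coredns,11000,system:coredns\n' "${COREDNS_TOKEN}" >> "${token_csv}"
# NOTE(review): token.csv holds plaintext bearer tokens; it should be readable by the
# apiserver only (mode 0600) — confirm its permissions on your host.
# The static token file is only read at startup, hence the restart.
systemctl restart kube-apiserver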
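# Build coredns.kubeconfig for token authentication against the apiserver.
# The master address is set once here: in the original the comment sat after the
# trailing backslash, so the backslash escaped a space instead of the newline and the
# kubectl command was split in two.
apiserver=https://192.168.3.210:6443   # your master IP:port
kubeconfig=coredns.kubeconfig

kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server="${apiserver}" \
  --kubeconfig="${kubeconfig}"

# Reuse the token generated above instead of pasting a literal value; a bearer token
# copied into a document or shell history is a leaked credential.
: "${COREDNS_TOKEN:?set COREDNS_TOKEN to the token registered in token.csv}"
kubectl config set-credentials coredns \
  --token="${COREDNS_TOKEN}" \
  --kubeconfig="${kubeconfig}"

kubectl config set-context default \
  --cluster=kubernetes \
  --user=coredns \
  --kubeconfig="${kubeconfig}"

kubectl config use-context default --kubeconfig="${kubeconfig}"

cp -- "${kubeconfig}" /opt/coredns/cfg
# The kubeconfig embeds the bearer token: owner read/write, group read only
# (grant the group to the CoreDNS service account once it is created).
chmod 0640 /opt/coredns/cfg/coredns.kubeconfig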
# Open the Corefile for editing; its contents follow.
corefile=/opt/coredns/cfg/Corefile.conf
vim -- "${corefile}"
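.:53 {
    errors
    # "health" stays disabled on purpose: it listens on :8080, which on a bare-metal
    # host may already be taken by another process and then CoreDNS fails to start.
    #health {
    #  lameduck 5s
    #}
    ready
    # NOTE(review): newer CoreDNS expects reverse zones as in-addr.arpa names rather
    # than a CIDR; confirm 1.6.5 still accepts 10.0.0.0/24 here.
    kubernetes cluster.local 10.0.0.0/24 {
      endpoint https://192.168.3.210:6443
      # tls takes CERT KEY CACERT in that order; the original listed the CA first and
      # pointed the key at /opt/core/ssl, a typo for /opt/coredns/ssl.
      # NOTE(review): when kubeconfig is given, endpoint/tls may be ignored — verify.
      tls /opt/coredns/ssl/kube-coredns.pem /opt/coredns/ssl/kube-coredns-key.pem /opt/coredns/ssl/ca.pem
      kubeconfig /opt/coredns/cfg/coredns.kubeconfig default
      # "insecure" answers pod-IP names without checking the pod exists; "verified"
      # is the safer mode but needs list/watch on pods added to the clusterrole.
      pods insecure
      fallthrough in-addr.arpa ip6.arpa
    }
    prometheus :9153
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
}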
  • 添加权限
# CoreDNS reads namespaces, endpoints and services from the apiserver with
# get/list/watch; grant exactly that to the "coredns" user the token row maps to.
kubectl create clusterrole system:coredns \
  --verbs=get,list,watch \
  --resources=namespaces,endpoints,services
kubectl create clusterrolebinding kube-coredns \
  --clusterrole=system:coredns \
  --user=coredns
  • 运行coredns
# Foreground run to validate the Corefile (Ctrl-C to stop); the banner that follows
# is what a successful start prints.
corefile=/opt/coredns/cfg/Corefile.conf
/opt/coredns/bin/coredns -conf="${corefile}"
.:53
[INFO] plugin/reload: Running configuration MD5 = 2299af1028b5058798532783d2adcecf
CoreDNS-1.6.5
linux/amd64, go1.13.4, c2fd1b2
  • 其他
    1. 开机启动coredns
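# Install the systemd unit. Quoted delimiter: $MAINPID must reach the unit file
# literally (an unquoted EOF let the shell expand it to nothing on the ExecReload line).
# systemd unit files have no inline comments, so nothing may follow "User=coredns" on
# its line; the original's trailing comment became part of the user name.
# WorkingDirectory=~ requires a home directory for the service account, which useradd
# does not create on every distribution, so the install root is used instead.
cat > /usr/lib/systemd/system/coredns.service <<'EOF'
[Unit]
Description=CoreDNS DNS server
Documentation=https://coredns.io
After=network.target
[Service]
PermissionsStartOnly=true
LimitNOFILE=1048576
LimitNPROC=512
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
User=coredns
WorkingDirectory=/opt/coredns
ExecStart=/opt/coredns/bin/coredns -conf=/opt/coredns/cfg/Corefile.conf
ExecReload=/bin/kill -SIGUSR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# System account without a login shell; skip if it already exists.
id coredns >/dev/null 2>&1 || useradd -r -s /sbin/nologin coredns
# The unit runs as "coredns", so that account must be able to read the TLS key and
# the kubeconfig (which embeds the bearer token) without making them world-readable.
chown -R root:coredns /opt/coredns/ssl /opt/coredns/cfg
chmod 0750 /opt/coredns/ssl /opt/coredns/cfg
chmod 0640 /opt/coredns/ssl/*.pem /opt/coredns/cfg/*
systemctl daemon-reload
systemctl enable coredns && systemctl start coredns
systemctl status coredns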
