我想将Route 53用作裸机k8s群集的DNS提供程序。我在互联网上找到了一些指南,但是它们都是针对云k8s集群的。
以前有人做过吗?
是的,external-dns的配置与运行Kubernetes的方式/位置完全分开。您要做的唯一不同的事情是创建一个具有正确权限的专用IAM用户,并将凭据插入正确的环境变量中。我们对GKE集群执行相同的操作。
I've managed to set this up on my on-prem K8s cluster. I used "external-dns" - running locally (https://github.com/kubernetes-sigs/external-dns), and this is what I've done from the AWS side:
--- On AWS
# Summary
Create the following resources:
IAM user k8s-r53-user
IAM policy assume-role-policy (attached to the k8s-r53-user)
IAM policy allow-k8s-r53-connection
IAM role k8s-r53-role (allow-k8s-r53-connection policy attached to this role)
- Create IAM resource:
$ aws iam create-user --user-name k8s-r53-user
- Create policy (pretty generic):
policy-document1.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"sts:AssumeRole"
],
"Resource": "*"
}
]
}
- run: `
$ aws iam create-policy --policy-name assume-role-policy --policy-document policy-document1.json`
- attach the policy to k8s-r53-user:
$ aws iam attach-user-policy --user-name k8s-r53-user --policy-arn "arn:aws:iam::<account_id>:policy/assume-role-policy"
- check:
$ aws iam list-attached-user-policies --user-name k8s-r53-user
- create an IAM policy which will be attached to the role.
policy-document2.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*"
},
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets"
],
"Resource": [
"*"
]
}
]
}
- run:
$ aws iam create-policy --policy-name allow-k8s-r53-connection --policy-document policy-document2.json
- Create IAM role:
application-role-trust-policy.json:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::<account_id>:root" },
"Action": "sts:AssumeRole"
}
}
- run:
$ aws iam create-role --role-name k8s-r53-role --assume-role-policy-document application-role-trust-policy.json
- Configure k8s-r53-user on on-premise server
- Create access keys for the k8s-r53-user:
$ aws iam create-access-key --user-name k8s-r53-user
- Use the values from the last command output and run:
$ aws configure
AWS Access Key ID []: xxx
AWS Secret Access Key []: xxx
Default region name []:
Default output format [None]:
--- K8s side
Follow the guide on the External-Dns page, section "Running locally", the only part that changes is the end:
run: $ builds/external-dns --registry txt --provider=aws --aws-assume-`role=arn:aws:iam::<account_id>:role/k8s-r53-role --source service --once --dry-run`
instead of:
$ external-dns --registry txt --txt-owner-id my-cluster-id --provider google --google-project example-project --source service --once --dry-run
- References
> https://medium.com/@lvthillo/connect-on-premise-python-application-with-aws-services-using-roles-8b24ab4872e6
> https://github.com/kubernetes-sigs/external-dns