external-dns

Automatically adds the hostnames defined on an ingress to route53.

The namespace is assumed to be default throughout. To use a different one, set it accordingly.

create policy

AllowExternalDNSUpdates
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
      "Resource": ["*"]
    }
  ]
}

Create IAM Role, k8s Service Account & Associate IAM Policy

k8s Service Account named external-dns

# Check existing service accounts
eksctl get iamserviceaccount --cluster cluster01

# Template
eksctl create iamserviceaccount \
    --name service_account_name \
    --namespace service_account_namespace \
    --cluster cluster_name \
    --attach-policy-arn IAM_policy_ARN \
    --approve

# Replaced name, namespace, cluster, arn
eksctl create iamserviceaccount \
    --name external-dns \
    --namespace default \
    --cluster cluster01 \
    --attach-policy-arn arn:aws:iam::530310009353:policy/AllowExternalDNSUpdates \
    --approve

# Check
eksctl get iamserviceaccount --cluster cluster01

kubectl get sa
# What matters is that the role ARN annotation was written onto the service account correctly.

install external-dns

wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.0.0/docs/examples/external-dns.yaml

Remove the ServiceAccount section (it has already been created above).

- --domain-filter=external-dns-test.my-org.com # comment out

- --txt-owner-id=my-identifier # comment out

To let it manage every domain you own, comment the domain-filter line out; to limit it to a specific domain, put that domain in as above.

For my-identifier, take the hosted zone id from route53 and put it in.

Putting it all together:

---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has the same fields
kind: ClusterRole
metadata:
  name: external-dns
rules:
  - apiGroups: ['']
    resources: ['services']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['']
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['extensions', 'networking.k8s.io']   # 0.7.1 watches extensions/v1beta1; newer clusters serve networking.k8s.io
    resources: ['ingresses']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['']
    resources: ['nodes']
    verbs: ['list']

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: default   # the IRSA service account created with eksctl above

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  selector:
    matchLabels:
      app: external-dns
  strategy:
    type: Recreate   # only one instance should ever write to the zone
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: bitnami/external-dns:0.7.1
          args:
            - --source=service
            - --source=ingress
            - --provider=aws
            - --policy=upsert-only   # never deletes records; the default (sync) would
            - --aws-zone-type=public
            - --registry=txt         # ownership TXT records; --txt-owner-id left at its default here

Never change the version from 0.7.1. If you must, check what changed in the newer release, because the policy has to change along with it.

Apply

kubectl apply -f external-dns.yaml

Look at the pod's logs.

Once it reports the records are up to date, it has succeeded.

Now when you change the host name on the ingress, you can see the record being created in route53.

The policy setting deserves a separate look. The default is sync;

upsert-only adds new records and updates existing ones, but never deletes.
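As an added example (not part of the original notes), a small Python check that reads the IAM policy and the container args shown above and reports what external-dns would be allowed to do: which hosted zones it may write, whether the policy mode can delete records, and whether domain-filter and txt-owner-id are set. It also produces a hardened copy of the policy scoped to a single hosted zone; the zone id ZEXAMPLE123 is a placeholder.

```python
import json

# IAM policy from the page (AllowExternalDNSUpdates), embedded so this runs offline.
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
   "Resource": ["arn:aws:route53:::hostedzone/*"]},
  {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
   "Resource": ["*"]}]}"""

# Container args from the page's Deployment (domain-filter / txt-owner-id commented out).
ARGS = ["--source=service", "--source=ingress", "--provider=aws",
        "--policy=upsert-only", "--aws-zone-type=public", "--registry=txt"]


def parse_args(args):
    """Turn ['--key=value', ...] into {key: [value, ...]}; flags such as --source repeat."""
    flags = {}
    for arg in args:
        key, _, value = arg.lstrip("-").partition("=")
        flags.setdefault(key, []).append(value)
    return flags


def writable_zones(policy_json):
    """Hosted-zone ARNs on which the policy allows ChangeResourceRecordSets (list-form Action/Resource assumed)."""
    return [res for st in json.loads(policy_json)["Statement"]
            if st["Effect"] == "Allow" and "route53:ChangeResourceRecordSets" in st["Action"]
            for res in st["Resource"]]


def scope_policy(policy_json, zone_id):
    """Hardened form: let external-dns write only the one hosted zone it manages."""
    doc = json.loads(policy_json)
    for st in doc["Statement"]:
        if "route53:ChangeResourceRecordSets" in st["Action"]:
            st["Resource"] = [f"arn:aws:route53:::hostedzone/{zone_id}"]
    return json.dumps(doc)


def lint_args(args):
    """What the args let external-dns do to records (defaults are external-dns's own)."""
    flags = parse_args(args)
    policy = flags.get("policy", ["sync"])[-1]        # default policy is sync
    return {
        "policy": policy,
        "can_delete": policy == "sync",               # upsert-only / create-only never delete
        "has_domain_filter": "domain-filter" in flags,
        "has_txt_owner_id": "txt-owner-id" in flags,  # default owner id is "default"
    }
```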

issue

If the IP is updated from aws and from the IDC at the same time, it errors out.

I tried to block it per ingress, but it doesn't work well.

external-dns.alpha.kubernetes.io/exclude: 'true'

This is what comes up when you search for it, but it has no effect.

Putting in two IPs also doesn't work well. Cloudflare inserts 2 rows and round-robins between them.

To set a specific IP, use the following annotation on the ingress.

external-dns.alpha.kubernetes.io/target: "204.16.116.99"
