[dns] NodeLocal DNSCache — deploy DaemonSet to all nodes (WS C)
Adds per-node DNS cache that transparently intercepts pod queries on
10.96.0.10 (kube-dns ClusterIP) AND 169.254.20.10 (link-local) via
hostNetwork + NET_ADMIN iptables NOTRACK rules. Pods keep using their
existing /etc/resolv.conf (nameserver 10.96.0.10) unchanged — no kubelet
rollout needed for transparent mode.
Layout mirrors existing stacks (technitium, descheduler, kured):
stacks/nodelocal-dns/
  main.tf                        # module wiring + IP params
  modules/nodelocal-dns/main.tf  # SA, Services, ConfigMap, DS
Key decisions:
- Image: registry.k8s.io/dns/k8s-dns-node-cache:1.23.1
- Co-listens on 169.254.20.10 + 10.96.0.10 (transparent interception)
- Upstream path: kube-dns-upstream (new headless svc) → CoreDNS pods
(separate ClusterIP avoids cache looping back through itself)
- viktorbarzin.lan zone forwards directly to Technitium ClusterIP
(10.96.0.53), bypassing CoreDNS for internal names
- priorityClassName: system-node-critical
- tolerations: operator=Exists (runs on master + all tainted nodes)
- No CPU limit (cluster-wide policy); mem requests=32Mi, limit=128Mi
- Kyverno dns_config drift suppressed on the DaemonSet
- Kubelet clusterDNS NOT changed — transparent mode is sufficient;
rolling 5 nodes just to switch to 169.254.20.10 has no additional
benefit and expands the blast radius for no reason.
Verified:
- DaemonSet 5/5 Ready across k8s-master + 4 workers
- dig @169.254.20.10 idrac.viktorbarzin.lan -> 192.168.1.4
- dig @169.254.20.10 github.com -> 140.82.121.3
- Deleted all 3 CoreDNS pods; cached queries still resolved via
NodeLocal DNSCache (resilience confirmed)
Docs: architecture/dns.md — adds NodeLocal DNSCache to Components table,
graph diagram, stacks table; rewrites pod DNS resolution paths to show
the cache layer; adds troubleshooting entry.
Closes: code-2k6
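The loop-avoidance decision in the commit message (the cache binds 10.96.0.10, so cluster.local must be forwarded to a separate kube-dns-upstream ClusterIP rather than back to 10.96.0.10) is easy to break when the Corefile is hand-edited later. The following script is an added example, not code from this commit or from the nodelocal-dns module: it carries a Corefile reconstructed from the upstream NodeLocal DNSCache layout with this stack's addresses (the module's real Corefile is not shown on the page), parses its server blocks, and reports any zone that forwards to an IP the cache itself binds. The `__PILLAR__*` placeholders and the `pillars` substitution map are assumptions about how node-cache renders the file, and the kube-dns-upstream ClusterIP is not on the page, so it is left symbolic.

```python
"""Check a NodeLocal DNSCache Corefile for self-forwarding loops.

Added example: parses the server blocks, collects the IPs each block binds
and the targets it forwards to, and flags any forward whose target is one of
the cache's own listen addresses (the loop the kube-dns-upstream Service
exists to prevent).
"""
import re

# Constructed Corefile following the upstream NodeLocal DNSCache layout with
# this stack's addresses; the exact Corefile in modules/nodelocal-dns is not
# on the page. node-cache is assumed to substitute __PILLAR__CLUSTER__DNS__
# with the kube-dns-upstream ClusterIP and __PILLAR__UPSTREAM__SERVERS__ with
# the node's resolv.conf nameservers at startup.
COREFILE_OK = """\
viktorbarzin.lan:53 {
    errors
    cache 30
    reload
    loop
    bind 169.254.20.10 10.96.0.10
    forward . 10.96.0.53
    prometheus :9253
}
cluster.local:53 {
    errors
    cache {
        success 9984 30
        denial 9984 5
    }
    reload
    loop
    bind 169.254.20.10 10.96.0.10
    forward . __PILLAR__CLUSTER__DNS__ {
        force_tcp
    }
    prometheus :9253
    health 169.254.20.10:8080
}
.:53 {
    errors
    cache 30
    reload
    loop
    bind 169.254.20.10 10.96.0.10
    forward . __PILLAR__UPSTREAM__SERVERS__
    prometheus :9253
}
"""

# The misconfiguration the separate kube-dns-upstream Service avoids:
# cluster.local forwarded straight to the kube-dns ClusterIP, which the
# cache itself now binds, so queries loop back into the cache.
COREFILE_LOOP = COREFILE_OK.replace("__PILLAR__CLUSTER__DNS__", "10.96.0.10")

_IPV4_PORT = re.compile(r"\d+(?:\.\d+){3}:\d+")


def parse_corefile(text):
    """Return {zone: {"bind": [ips], "forward": [targets]}} per server block."""
    blocks = {}
    zones = []
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            depth -= 1
            continue
        opens = line.endswith("{")
        body = line[:-1].strip() if opens else line
        if depth == 0:
            if not opens:
                raise ValueError(f"directive outside a server block: {line!r}")
            # Header such as "cluster.local:53 {" may list several zones; drop :port.
            zones = [tok.rsplit(":", 1)[0] for tok in body.split()]
            for zone in zones:
                blocks[zone] = {"bind": [], "forward": []}
        elif depth == 1:
            tokens = body.split()
            if tokens[0] == "bind":
                for zone in zones:
                    blocks[zone]["bind"].extend(tokens[1:])
            elif tokens[0] == "forward":
                # "forward FROM TO..." : skip the FROM pattern, keep the targets.
                for zone in zones:
                    blocks[zone]["forward"].extend(tokens[2:])
        if opens:
            depth += 1
    if depth != 0:
        raise ValueError("unbalanced braces in Corefile")
    return blocks


def find_loops(text, pillars=None):
    """Return [(zone, ip)] for every forward aimed at an IP the cache binds.

    pillars maps __PILLAR__ placeholders to the IPs node-cache would render,
    so the check can also be run against the substituted values.
    """
    pillars = pillars or {}
    loops = []
    for zone, cfg in parse_corefile(text).items():
        bound = set(cfg["bind"])
        for target in cfg["forward"]:
            resolved = pillars.get(target, target)
            # Forward targets may carry an IPv4 :port suffix; compare on the host.
            host = resolved.rsplit(":", 1)[0] if _IPV4_PORT.fullmatch(resolved) else resolved
            if host in bound:
                loops.append((zone, host))
    return loops


if __name__ == "__main__":
    print("ok corefile loops:", find_loops(COREFILE_OK))
    print("bad corefile loops:", find_loops(COREFILE_LOOP))
```

To run it against a live node, feed it the rendered Corefile from a node-cache pod (in the upstream manifest node-cache is started with `-conf /etc/Corefile`; check the module's args) and pass the kube-dns-upstream ClusterIP in `pillars`, so the check sees the same targets the cache does rather than the unrendered placeholders.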
parent eb6ceac5f5
commit 0f6321ce86
4 changed files with 429 additions and 14 deletions
stacks/nodelocal-dns/main.tf (new file, 16 lines)
@@ -0,0 +1,16 @@
module "nodelocal_dns" {
source = "./modules/nodelocal-dns"

# Canonical link-local IP from upstream NodeLocal DNSCache docs.
link_local_ip = "169.254.20.10"

# kube-dns ClusterIP — co-listened so transparent interception works
# without mutating kubelet clusterDNS on every node.
kube_dns_ip = "10.96.0.10"

# Technitium ClusterIP — upstream for .viktorbarzin.lan.
technitium_ip = "10.96.0.53"

image = "registry.k8s.io/dns/k8s-dns-node-cache:1.23.1"
tier = local.tiers.core
}
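Review bot: `image = "registry.k8s.io/dns/k8s-dns-node-cache:1.23.1"` pins a mutable tag only; for a hostNetwork + NET_ADMIN DaemonSet that rewrites iptables on every node, pin the digest as well (`:1.23.1@sha256:<digest>`, digest to be filled in from the registry) so a re-pushed tag cannot silently change what runs cluster-wide. In the same hunk, `kube_dns_ip = "10.96.0.10"` and `technitium_ip = "10.96.0.53"` duplicate ClusterIPs owned by other stacks as bare literals: if either Service is ever recreated with a different ClusterIP, the cache keeps binding and forwarding to the stale address and pods lose interception or .viktorbarzin.lan resolution without any plan-time error. Consider reading them from the owning stack's outputs or a `kubernetes_service` data source, or at minimum adding a precondition that fails the plan when the literal and the live Service disagree.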