sigs.k8s.io/external-dns@v0.14.1/docs/tutorials/alibabacloud.md (about) 1 # Setting up ExternalDNS for Services on Alibaba Cloud 2 3 This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster on Alibaba Cloud. Make sure to use **>=0.5.6** version of ExternalDNS for this tutorial 4 5 ## RAM Permissions 6 7 ```json 8 { 9 "Version": "1", 10 "Statement": [ 11 { 12 "Action": "alidns:AddDomainRecord", 13 "Resource": "*", 14 "Effect": "Allow" 15 }, 16 { 17 "Action": "alidns:DeleteDomainRecord", 18 "Resource": "*", 19 "Effect": "Allow" 20 }, 21 { 22 "Action": "alidns:UpdateDomainRecord", 23 "Resource": "*", 24 "Effect": "Allow" 25 }, 26 { 27 "Action": "alidns:DescribeDomainRecords", 28 "Resource": "*", 29 "Effect": "Allow" 30 }, 31 { 32 "Action": "alidns:DescribeDomains", 33 "Resource": "*", 34 "Effect": "Allow" 35 }, 36 { 37 "Action": "pvtz:AddZoneRecord", 38 "Resource": "*", 39 "Effect": "Allow" 40 }, 41 { 42 "Action": "pvtz:DeleteZoneRecord", 43 "Resource": "*", 44 "Effect": "Allow" 45 }, 46 { 47 "Action": "pvtz:UpdateZoneRecord", 48 "Resource": "*", 49 "Effect": "Allow" 50 }, 51 { 52 "Action": "pvtz:DescribeZoneRecords", 53 "Resource": "*", 54 "Effect": "Allow" 55 }, 56 { 57 "Action": "pvtz:DescribeZones", 58 "Resource": "*", 59 "Effect": "Allow" 60 }, 61 { 62 "Action": "pvtz:DescribeZoneInfo", 63 "Resource": "*", 64 "Effect": "Allow" 65 } 66 ] 67 } 68 ``` 69 70 When running on Alibaba Cloud, you need to make sure that your nodes (on which External DNS runs) have the RAM instance profile with the above RAM role assigned. 71 72 ## Set up a Alibaba Cloud DNS service or Private Zone service 73 74 Alibaba Cloud DNS Service is the domain name resolution and management service for public access. It routes access from end-users to the designated web app. 75 Alibaba Cloud Private Zone is the domain name resolution and management service for VPC internal access. 76 77 *If you prefer to try-out ExternalDNS in one of the existing domain or zone you can skip this step* 78 79 Create a DNS domain which will contain the managed DNS records. For public DNS service, the domain name should be valid and owned by yourself. 80 81 ```console 82 $ aliyun alidns AddDomain --DomainName "external-dns-test.com" 83 ``` 84 85 86 Make a note of the ID of the hosted zone you just created. 87 88 ```console 89 $ aliyun alidns DescribeDomains --KeyWord="external-dns-test.com" | jq -r '.Domains.Domain[0].DomainId' 90 ``` 91 92 ## Deploy ExternalDNS 93 94 Connect your `kubectl` client to the cluster you want to test ExternalDNS with. 95 Then apply one of the following manifests file to deploy ExternalDNS. 96 97 ### Manifest (for clusters without RBAC enabled) 98 ```yaml 99 apiVersion: apps/v1 100 kind: Deployment 101 metadata: 102 name: external-dns 103 spec: 104 strategy: 105 type: Recreate 106 selector: 107 matchLabels: 108 app: external-dns 109 template: 110 metadata: 111 labels: 112 app: external-dns 113 spec: 114 containers: 115 - name: external-dns 116 image: registry.k8s.io/external-dns/external-dns:v0.14.0 117 args: 118 - --source=service 119 - --source=ingress 120 - --domain-filter=external-dns-test.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones 121 - --provider=alibabacloud 122 - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization 123 - --alibaba-cloud-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) 124 - --registry=txt 125 - --txt-owner-id=my-identifier 126 volumeMounts: 127 - mountPath: /usr/share/zoneinfo 128 name: hostpath 129 volumes: 130 - name: hostpath 131 hostPath: 132 path: /usr/share/zoneinfo 133 type: Directory 134 ``` 135 136 ### Manifest (for clusters with RBAC enabled) 137 138 ```yaml 139 apiVersion: v1 140 kind: ServiceAccount 141 metadata: 142 name: external-dns 143 --- 144 apiVersion: rbac.authorization.k8s.io/v1 145 kind: ClusterRole 146 metadata: 147 name: external-dns 148 rules: 149 - apiGroups: [""] 150 resources: ["services","endpoints","pods"] 151 verbs: ["get","watch","list"] 152 - apiGroups: ["extensions","networking.k8s.io"] 153 resources: ["ingresses"] 154 verbs: ["get","watch","list"] 155 - apiGroups: [""] 156 resources: ["nodes"] 157 verbs: ["list"] 158 --- 159 apiVersion: rbac.authorization.k8s.io/v1 160 kind: ClusterRoleBinding 161 metadata: 162 name: external-dns-viewer 163 roleRef: 164 apiGroup: rbac.authorization.k8s.io 165 kind: ClusterRole 166 name: external-dns 167 subjects: 168 - kind: ServiceAccount 169 name: external-dns 170 namespace: default 171 --- 172 apiVersion: apps/v1 173 kind: Deployment 174 metadata: 175 name: external-dns 176 spec: 177 strategy: 178 type: Recreate 179 selector: 180 matchLabels: 181 app: external-dns 182 template: 183 metadata: 184 labels: 185 app: external-dns 186 spec: 187 serviceAccountName: external-dns 188 containers: 189 - name: external-dns 190 image: registry.k8s.io/external-dns/external-dns:v0.14.0 191 args: 192 - --source=service 193 - --source=ingress 194 - --domain-filter=external-dns-test.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones 195 - --provider=alibabacloud 196 - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization 197 - --alibaba-cloud-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) 198 - --registry=txt 199 - --txt-owner-id=my-identifier 200 - --alibaba-cloud-config-file= # enable sts token 201 volumeMounts: 202 - mountPath: /usr/share/zoneinfo 203 name: hostpath 204 volumes: 205 - name: hostpath 206 hostPath: 207 path: /usr/share/zoneinfo 208 type: Directory 209 ``` 210 211 212 213 ## Arguments 214 215 This list is not the full list, but a few arguments that where chosen. 216 217 ### alibaba-cloud-zone-type 218 219 `alibaba-cloud-zone-type` allows filtering for private and public zones 220 221 * If value is `public`, it will sync with records in Alibaba Cloud DNS Service 222 * If value is `private`, it will sync with records in Alibaba Cloud Private Zone Service 223 224 225 ## Verify ExternalDNS works (Ingress example) 226 227 Create an ingress resource manifest file. 228 229 > For ingress objects ExternalDNS will create a DNS record based on the host specified for the ingress object. 230 231 ```yaml 232 apiVersion: networking.k8s.io/v1 233 kind: Ingress 234 metadata: 235 name: foo 236 spec: 237 ingressClassName: nginx # use the one that corresponds to your ingress controller. 238 rules: 239 - host: foo.external-dns-test.com 240 http: 241 paths: 242 - backend: 243 service: 244 name: foo 245 port: 246 number: 80 247 pathType: Prefix 248 ``` 249 250 ## Verify ExternalDNS works (Service example) 251 252 Create the following sample application to test that ExternalDNS works. 253 254 > For services ExternalDNS will look for the annotation `external-dns.alpha.kubernetes.io/hostname` on the service and use the corresponding value. 255 256 ```yaml 257 apiVersion: v1 258 kind: Service 259 metadata: 260 name: nginx 261 annotations: 262 external-dns.alpha.kubernetes.io/hostname: nginx.external-dns-test.com. 263 spec: 264 type: LoadBalancer 265 ports: 266 - port: 80 267 name: http 268 targetPort: 80 269 selector: 270 app: nginx 271 272 --- 273 274 apiVersion: apps/v1 275 kind: Deployment 276 metadata: 277 name: nginx 278 spec: 279 selector: 280 matchLabels: 281 app: nginx 282 template: 283 metadata: 284 labels: 285 app: nginx 286 spec: 287 containers: 288 - image: nginx 289 name: nginx 290 ports: 291 - containerPort: 80 292 name: http 293 ``` 294 295 After roughly two minutes check that a corresponding DNS record for your service was created. 296 297 ```console 298 $ aliyun alidns DescribeDomainRecords --DomainName=external-dns-test.com 299 { 300 "PageNumber": 1, 301 "TotalCount": 1, 302 "PageSize": 20, 303 "RequestId": "1DBEF426-F771-46C7-9802-4989E9C94EE8", 304 "DomainRecords": { 305 "Record": [ 306 { 307 "RR": "nginx", 308 "Status": "ENABLE", 309 "Value": "1.2.3.4", 310 "Weight": 1, 311 "RecordId": "3994015629411328", 312 "Type": "A", 313 "DomainName": "external-dns-test.com", 314 "Locked": false, 315 "Line": "default", 316 "TTL": 600 317 }, 318 { 319 "RR": "nginx", 320 "Status": "ENABLE", 321 "Value": "heritage=external-dns;external-dns/owner=my-identifier", 322 "Weight": 1, 323 "RecordId": "3994015629411329", 324 "Type": "TTL", 325 "DomainName": "external-dns-test.com", 326 "Locked": false, 327 "Line": "default", 328 "TTL": 600 329 } 330 ] 331 } 332 } 333 ``` 334 335 Note created TXT record alongside ALIAS record. TXT record signifies that the corresponding ALIAS record is managed by ExternalDNS. This makes ExternalDNS safe for running in environments where there are other records managed via other means. 336 337 Let's check that we can resolve this DNS name. We'll ask the nameservers assigned to your zone first. 338 339 ```console 340 $ dig nginx.external-dns-test.com. 341 ``` 342 343 If you hooked up your DNS zone with its parent zone correctly you can use `curl` to access your site. 344 345 ```console 346 $ curl nginx.external-dns-test.com. 347 <!DOCTYPE html> 348 <html> 349 <head> 350 <title>Welcome to nginx!</title> 351 ... 352 </head> 353 <body> 354 ... 355 </body> 356 </html> 357 ``` 358 359 ## Custom TTL 360 361 The default DNS record TTL (Time-To-Live) is 300 seconds. You can customize this value by setting the annotation `external-dns.alpha.kubernetes.io/ttl`. 362 e.g., modify the service manifest YAML file above: 363 364 ```yaml 365 apiVersion: v1 366 kind: Service 367 metadata: 368 name: nginx 369 annotations: 370 external-dns.alpha.kubernetes.io/hostname: nginx.external-dns-test.com 371 external-dns.alpha.kubernetes.io/ttl: 60 372 spec: 373 ... 374 ``` 375 376 This will set the DNS record's TTL to 60 seconds. 377 378 ## Clean up 379 380 Make sure to delete all Service objects before terminating the cluster so all load balancers get cleaned up correctly. 381 382 ```console 383 $ kubectl delete service nginx 384 ``` 385 386 Give ExternalDNS some time to clean up the DNS records for you. Then delete the hosted zone if you created one for the testing purpose. 387 388 ```console 389 $ aliyun alidns DeleteDomain --DomainName external-dns-test.com 390 ``` 391 392 For more info about Alibaba Cloud external dns, please refer this [docs](https://yq.aliyun.com/articles/633412)