permalink: /archives/k8s-install-adguard
categories:
  - k8s
  - linux
tags:
  - halo
1. Deploying the AdGuard DNS server in K8S

We can deploy the AdGuard service with the following K8S resource manifest.

apiVersion: v1
kind: Namespace
metadata:
  name: adguard
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: adguard
  namespace: adguard
spec:
  serviceName: adguard
  replicas: 1
  selector:
    matchLabels:
      app: adguard
  template:
    metadata:
      labels:
        app: adguard
    spec:
      containers:
        - name: adguard
          image: harbor.wanna1314y.top/adguard/adguardhome:latest
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: dns-tcp
              containerPort: 53
              protocol: TCP
            - name: dns-udp
              containerPort: 53
              protocol: UDP
            - name: webui
              containerPort: 3000
              protocol: TCP
          volumeMounts:
            # AdGuard Home keeps AdGuardHome.yaml under /opt/adguardhome/conf
            # and its runtime data (query log, filters) under /opt/adguardhome/work
            - name: adguard-config
              mountPath: /opt/adguardhome/conf
            - name: adguard-data
              mountPath: /opt/adguardhome/work
  volumeClaimTemplates:
    - metadata:
        name: adguard-config
      spec:
        accessModes: ["ReadWriteMany"]
        storageClassName: k8s-nfs-storage
        resources:
          requests:
            storage: 1Gi
    - metadata:
        name: adguard-data
      spec:
        accessModes: ["ReadWriteMany"]
        storageClassName: k8s-nfs-storage
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: adguard
  namespace: adguard
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
    - name: webui
      port: 3000
      targetPort: 3000
      nodePort: 31003
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
    - name: dns-tcp
      port: 53
      targetPort: 53
      protocol: TCP
      nodePort: 30553
    - name: dns-udp
      port: 53
      targetPort: 53
      protocol: UDP
      nodePort: 31553
  selector:
    app: adguard

Next, open port 31003 on the node to reach the AdGuard setup page; after a few configuration steps you land on the AdGuard admin page shown below.

[Figure: AdGuard admin page]

2. Installing AdGuardHome on a virtual machine

AdGuardHome can be installed with either of the following commands (pick one; both perform the installation):

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

wget --no-verbose -O - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

By default it is installed under /opt/AdGuardHome. AdGuardHome.yaml is the AdGuardHome configuration file; backing up that one file is all a backup needs.

3. Adding a local domain mapping rule in AdGuard

In AdGuard, open DNS rewrites and add a rule that maps every *.local.top name to the IP 10.168.1.209.

[Figure: AdGuard DNS rewrite rule mapping *.local.top to 10.168.1.209]

Next, check whether the DNS service resolves names correctly with the following command, where 10.233.11.157 is the IP of the DNS server's Pod (or the Service's ClusterIP):

dig xxx.local.top @10.233.11.157

If the dig command is not available, install dnsutils with the package manager:

apt install dnsutils

The output looks like this:

# dig xxx.local.top @10.233.11.157
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> xxx.local.top @10.233.11.157
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18180
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxx.local.top.                 IN      A

;; ANSWER SECTION:
xxx.local.top.          10      IN      A       10.168.1.209

;; Query time: 0 msec
;; SERVER: 10.233.11.157#53(10.233.11.157) (UDP)
;; WHEN: Mon Jan 20 03:10:38 CST 2025
;; MSG SIZE  rcvd: 47

The dig lookup returned the IP 10.168.1.209 for that machine, so the AdGuard configuration is correct and the DNS server is up!

4. Configuring the DNS service in the K8S cluster

In K8S, pointing the cluster at a custom DNS server requires editing both the coredns ConfigMap and the nodelocaldns ConfigMap. (I lost half a day here at first: I had only configured coredns and not nodelocaldns, so the change never took effect.)

With kubectl get all -n kube-system we can list every resource in the kube-system Namespace (the listing below has the DNS-unrelated entries removed). It shows that coredns runs in the cluster as a Deployment, its Service has the ClusterIP 10.233.0.3, and nodelocaldns runs as a DaemonSet.

NAME                                           READY   STATUS    RESTARTS       AGE
pod/coredns-574f68dd5-bdm77                    1/1     Running   0              57m
pod/coredns-574f68dd5-s4z7g                    1/1     Running   0              58m
pod/nodelocaldns-42g7g                         1/1     Running   0              26m
pod/nodelocaldns-b8p69                         1/1     Running   0              26m
pod/nodelocaldns-c2gw5                         1/1     Running   0              26m
pod/nodelocaldns-hjvhs                         1/1     Running   0              26m

NAME                                                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                        AGE
service/coredns                                              ClusterIP   10.233.0.3     <none>        53/UDP,53/TCP,9153/TCP         51d

NAME                          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/nodelocaldns   4         4         4       4            4           kubernetes.io/os=linux   51d

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/coredns                   2/2     2            2           51d

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/coredns-54949fdc8c                   0         0         0       8d
replicaset.apps/coredns-574f68dd5                    2         2         2       58m
replicaset.apps/coredns-5bd6474f7c                   0         0         0       8d
replicaset.apps/coredns-5ccdc666f6                   0         0         0       8d
replicaset.apps/coredns-69598c84bd                   0         0         0       8d
replicaset.apps/coredns-7489f75dc9                   0         0         0       8d
replicaset.apps/coredns-7db777c5b5                   0         0         0       8d
replicaset.apps/coredns-854f8dcff6                   0         0         0       8d
replicaset.apps/coredns-86b4879ffd                   0         0         0       8d
replicaset.apps/coredns-c58bdc686                    0         0         0       8d
replicaset.apps/coredns-f78c9446d                    0         0         0       8d

A Pod's DNS lookup goes through the following steps:

  • It first goes through nodelocaldns; if the name is cached there, the cached answer is used directly (this relieves load on the coredns service);
  • otherwise it is passed to coredns, which again answers from its cache if it can;
  • if that also misses, the query is forwarded to the upstreams in the host's /etc/resolv.conf;
  • and if those have nothing either, it is forwarded on to an external DNS server (for example the common 114.114.114.114), which resolves it level by level.

4.1 Configuring the coredns configuration file

Edit the coredns configuration with the following command:

kubectl edit configmap coredns -n kube-system

The content is as follows; our main addition is the local.top block, whose forward points at the address of the AdGuard service we just deployed:

  Corefile: |
    .:53 {
        errors
        health {
          lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
          pods insecure
          fallthrough in-addr.arpa ip6.arpa
          ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
          prefer_udp
          max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }

    local.top:53 {
        errors
        cache 30
        reload
        forward . 10.233.11.157
    }

With the coredns configuration in place, a ping from inside a container still failed completely.

ping xxx.local.top

We went into the Pod to look at its DNS configuration. Inspecting /etc/resolv.conf showed the following:

# cat /etc/resolv.conf
search default.svc.cluster.local svc.cluster.local cluster.local
nameserver 169.254.25.10
options ndots:5

The file sets the nameserver to 169.254.25.10, which is the IP that K8S's nodelocaldns binds to.

4.2 Configuring the nodelocaldns configuration file

Trying dig against the ClusterIP of the coredns Service works:

# dig xxx.local.top @10.233.0.3

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> xxx.local.top @10.233.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37127
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f066b359d26ab2e7 (echoed)
;; QUESTION SECTION:
;xxx.local.top.                 IN      A

;; ANSWER SECTION:
xxx.local.top.          10      IN      A       10.168.1.209

;; Query time: 0 msec
;; SERVER: 10.233.0.3#53(10.233.0.3) (UDP)
;; WHEN: Tue Jan 28 03:56:56 CST 2025
;; MSG SIZE  rcvd: 83

Trying dig against the node-local DNS address instead returns NXDOMAIN; the SOA in the authority section is for top. from a.zdnscloud.com, so the query went out to that public DNS server rather than to AdGuard.

# dig xxx.local.top @169.254.25.10

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> xxx.local.top @169.254.25.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cc438690baac372b (echoed)
;; QUESTION SECTION:
;xxx.local.top.                 IN      A

;; AUTHORITY SECTION:
top.                    30      IN      SOA     a.zdnscloud.com. td_dns_gtld.knet.cn. 1391763961 600 200 2491200 3600

;; Query time: 32 msec
;; SERVER: 169.254.25.10#53(169.254.25.10) (UDP)
;; WHEN: Tue Jan 28 03:57:48 CST 2025
;; MSG SIZE  rcvd: 127

That means our DNS configuration had not taken effect: K8S has another layer, nodelocaldns, in front of coredns. We edit its configuration with kubectl edit cm nodelocaldns -n kube-system:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nodelocaldns
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  Corefile: |
    cluster.local:53 {
        errors
        cache {
            success 9984 30
            denial 9984 5
        }
        reload
        loop
        bind 169.254.25.10
        forward . 10.233.0.3 {
            force_tcp
        }
        prometheus :9253
        health 169.254.25.10:9254
    }
    in-addr.arpa:53 {
        errors
        cache 30
        reload
        loop
        bind 169.254.25.10
        forward . 10.233.0.3 {
            force_tcp
        }
        prometheus :9253
    }
    ip6.arpa:53 {
        errors
        cache 30
        reload
        loop
        bind 169.254.25.10
        forward . 10.233.0.3 {
            force_tcp
        }
        prometheus :9253
    }
    local.top:53 {
        errors
        cache 30
        reload
        loop
        bind 169.254.25.10
        forward . 10.233.0.3 {
            force_tcp
        }
        prometheus :9253
    }
    .:53 {
        errors
        cache 30
        reload
        loop
        bind 169.254.25.10
        forward . /etc/resolv.conf
        prometheus :9253
    }

Our main addition is the block below. Replace 10.233.0.3 with the ClusterIP of your cluster's coredns Service. It means that when nodelocaldns looks up a local.top name, it first asks the DNS service in coredns, and only falls back to the host's /etc/resolv.conf when coredns finds nothing.

    local.top:53 {
        errors
        cache 30
        reload
        loop
        bind 169.254.25.10
        forward . 10.233.0.3 {
            force_tcp
        }
        prometheus :9253
    }
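Added example (not from the original post): a small Python check for the two-layer forwarding chain that the lookup-flow list and this section describe. It parses the server blocks of a Corefile and reports which layer is missing the local.top zone, using the zone, IPs and trimmed Corefile fragments from this post as constructed sample input.

```python
# Added example, not part of the original post: verify nodelocaldns -> coredns
# -> AdGuard forwarding for a custom zone from pasted Corefile text.
def parse_corefile(text):
    """Map each top-level server block (zone) to its 'forward .' upstreams."""
    zones, zone, depth = {}, None, 0
    for line in text.splitlines():
        s = line.strip()
        if depth == 0 and s.endswith("{"):           # e.g. 'local.top:53 {'
            zone = s[:-1].strip().rsplit(":", 1)[0]  # drop the ':53' port
            zones[zone] = []
        elif depth >= 1 and s.startswith("forward ."):
            zones[zone].extend(s[len("forward ."):].split("{")[0].split())
        depth += s.count("{") - s.count("}")         # follow nested blocks
    return zones

def check_forward_chain(coredns_cf, nodelocaldns_cf, zone, coredns_ip, adguard_ip):
    """List gaps in the chain nodelocaldns -> coredns -> AdGuard; [] means complete."""
    node, core = parse_corefile(nodelocaldns_cf), parse_corefile(coredns_cf)
    problems = []
    if zone not in node:  # the pitfall in this post: only coredns was edited
        problems.append(f"nodelocaldns: no '{zone}' block, queries leak via '.:53'")
    elif coredns_ip not in node[zone]:
        problems.append(f"nodelocaldns: '{zone}' forwards to {node[zone]}, not {coredns_ip}")
    if zone not in core:
        problems.append(f"coredns: no '{zone}' block")
    elif adguard_ip not in core[zone]:
        problems.append(f"coredns: '{zone}' forwards to {core[zone]}, not {adguard_ip}")
    return problems

# Constructed samples: the post's Corefiles trimmed to their forward lines.
COREDNS = """\
.:53 {
    forward . /etc/resolv.conf
}
local.top:53 {
    forward . 10.233.11.157
}
"""
NODELOCALDNS_BEFORE = """\
cluster.local:53 {
    forward . 10.233.0.3
}
.:53 {
    forward . /etc/resolv.conf
}
"""
NODELOCALDNS_AFTER = NODELOCALDNS_BEFORE + """\
local.top:53 {
    forward . 10.233.0.3 {
        force_tcp
    }
}
"""
```

Run it against the `Corefile:` value of both ConfigMaps (for example from `kubectl get cm <name> -n kube-system -o jsonpath='{.data.Corefile}'`) to confirm the zone is present at both layers before reaching for dig.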

Running dig again now returns the IP 10.168.1.209:

dig xxx.local.top @169.254.25.10

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> xxx.local.top @169.254.25.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60859
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6bfabd67016132eb (echoed)
;; QUESTION SECTION:
;xxx.local.top.                 IN      A

;; ANSWER SECTION:
xxx.local.top.          10      IN      A       10.168.1.209

;; Query time: 0 msec
;; SERVER: 169.254.25.10#53(169.254.25.10) (UDP)
;; WHEN: Tue Jan 28 04:01:29 CST 2025
;; MSG SIZE  rcvd: 83

ping now reaches the host as well:

# ping xxx.local.top
PING xxx.local.top (10.168.1.209) 56(84) bytes of data.
64 bytes from 10.168.1.209: icmp_seq=1 ttl=62 time=14.4 ms
64 bytes from 10.168.1.209: icmp_seq=2 ttl=62 time=15.7 ms
64 bytes from 10.168.1.209: icmp_seq=3 ttl=62 time=16.9 ms