DNS
Lokomotive relies on DNS records for cluster bootstrap as well as routine operation. When choosing one of the supported DNS providers , Lokomotive can provision the necessary DNS records on your behalf.
Supported providers
AWS Route 53
The AWS Route 53 DNS provider is supported with AWS and Equinix Metal clusters.
IAM permissions
The AWS Route 53 DNS provider requires the following IAM permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:GetHostedZone",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource"
],
"Resource": [
"arn:aws:route53:::change/*",
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": "route53:ListHostedZones",
"Resource": "*"
}
]
}
Cloudflare
The Cloudflare DNS provider is supported with Equinix Metal clusters.
Manual
The Manual DNS provider is supported with Equinix Metal clusters.
This is a special provider. When used, no DNS records are provisioned automatically. Instead, the user is prompted to configure the necessary DNS records on their own.
Records
The records on which Lokomotive relies are mostly DNS A records. They are constructed based on the DNS zone provided by the user and the configured cluster name in the following format:
<record>.<cluster_name>.<zone>
The exact set of records created varies slightly based on the platform on top of which Lokomotive is deployed. The following sections provide a per-platform explanation.
AKS
AKS is a managed Kubernetes platform which takes care of any required DNS configuration on the user’s behalf. Consequently, Lokomotive doesn’t manage DNS for AKS deployments.
AWS
Lokomotive deployments on AWS leverage an AWS Network Load Balancer (NLB). This load balancer serves a dual purpose by default: routing Kubernetes API traffic to the controller nodes and routing HTTP/S traffic to ingress pods.
Following is a sample record set for an AWS cluster called my-cluster with 3 controller nodes
under a zone called example.com. For illustration, assume the controller nodes have the following
IP addresses:
- Controller 1:
35.0.0.1(public) and10.0.0.1(private) - Controller 2:
35.0.0.2(public) and10.0.0.2(private) - Controller 3:
35.0.0.3(public) and10.0.0.3(private)
Based on the information above, the following DNS records are created:
my-cluster.example.com- an alias record which automatically resolves to one of the NLB’s IP addressesmy-cluster-etcd0.example.com- resolves to10.0.0.1my-cluster-etcd1.example.com- resolves to10.0.0.2my-cluster-etcd2.example.com- resolves to10.0.0.3*.my-cluster.example.com- a CNAME record which resolves tomy-cluster.example.com
NOTE: The wildcard CNAME record allows to configure arbitrary subdomains on an ingress controller. This enables exposing Kubernetes services to the internet automatically, without having to configure an individual DNS record for each service.
Bare Metal
Lokomotive currently doesn’t support DNS provisioning for bare metal clusters. The user has to create the necessary records in advance, before deploying a cluster.
Equinix Metal (formerly Packet)
Following is a sample record set for a Equinix Metal cluster called my-cluster with 3 controller nodes
under a zone called example.com. For illustration, assume the controller nodes have the following
IP addresses:
- Controller 1:
147.0.0.1(public) and10.0.0.1(private) - Controller 2:
147.0.0.2(public) and10.0.0.2(private) - Controller 3:
147.0.0.3(public) and10.0.0.3(private)
Based on the information above, the following DNS records are created:
my-cluster.example.com- resolves to the following IPs in round robin:147.0.0.1,147.0.0.2,147.0.0.3my-cluster-private.example.com- resolves to the following IPs in round robin:10.0.0.1,10.0.0.2,10.0.0.3my-cluster-etcd0.example.com- resolves to10.0.0.1my-cluster-etcd1.example.com- resolves to10.0.0.2my-cluster-etcd2.example.com- resolves to10.0.0.3
Edit this page