External DNS Addon
The External DNS Addon is a Kubernetes add-on that automatically manages DNS records for services in a Kubernetes cluster. It ensures that services are discoverable via DNS, making it easier to access applications running within the cluster from outside.
The External DNS Addon simplifies the process of exposing applications running in Kubernetes to the outside world by managing DNS records automatically. It automatically creates DNS records for Kubernetes services and ingresses and keeps them up-to-date as services and ingresses are created, updated, or deleted. This enables users to easily manage and keep track of DNS records without worrying about manually updating them.
The External DNS Addon is a prerequisite to use OBLV Deploy. For additional information, refer to the Prerequisites page.
Configuration
To configure the External DNS Addon, you need to grant necessary permissions to enable it to manage DNS records in your DNS provider. The process involves creating an IAM Policy file and Service Account. You can find detailed instructions on the creation of the IAM Policy file, IAM Policy, and Service Account below:
IAM Policy file creation
The IAM Policy file passed to the IAM Policy creation command must be created by you, since, unlike the other files, it cannot be downloaded. The code below is an example with the needed properties, followed by descriptions of each:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
The code above is described in the table below:
Field | Description |
---|---|
Version | Specifies the policy language version. |
Statement | Contains an array of individual statements, each describing a set of permissions. |
Effect | Determines whether the statement results in an allow or an explicit deny. |
Action | Specifies the action or actions that will be allowed or denied by the policy. |
Resource | Specifies the object or objects to which the action applies. |
This policy grants the External DNS Addon the following permissions:
- Allow Changes to Resource Record Sets: The policy allows the add-on to modify DNS records within a specific hosted zone in AWS Route 53. This is crucial for dynamically updating DNS records as services and ingresses are created, updated, or deleted within the Kubernetes cluster.
- List Hosted Zones and Resource Record Sets: The policy also allows the add-on to list all hosted zones and resource record sets. This is necessary for the add-on to discover existing DNS records and hosted zones, enabling it to manage DNS records effectively.
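As an added example (not part of the OBLV Deploy documentation), the Python below renders the policy above for one hosted zone and checks it against the two permissions just described, flagging what a reviewer would reject: an unexpanded or wildcard zone ARN on the write action, or actions beyond the list and change calls. The hosted zone id pattern and the finding texts are this example's own assumptions.

```python
import json
import re
from string import Template

# The policy from the page. `aws iam create-policy` does not expand ${HOSTED_ZONE_ID};
# it must be substituted before the file is passed with file://.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"]},
    {"Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
     "Resource": ["*"]}
  ]
}"""

ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]+$")  # assumed shape of a Route 53 hosted zone id
READ_ONLY = {"route53:ListHostedZones", "route53:ListResourceRecordSets"}
WRITE = {"route53:ChangeResourceRecordSets"}

def _as_set(value) -> set:
    """IAM accepts a string or a list for Action/Resource; normalise to a set."""
    return {value} if isinstance(value, str) else set(value or [])

def render_policy(hosted_zone_id: str) -> dict:
    """Substitute the zone id and parse the result, refusing an unexpanded placeholder."""
    if not ZONE_ID_RE.match(hosted_zone_id):
        raise ValueError(f"not a Route 53 hosted zone id: {hosted_zone_id!r}")
    return json.loads(Template(POLICY_TEMPLATE).substitute(HOSTED_ZONE_ID=hosted_zone_id))

def lint_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy is as tight as the page's."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_set(st.get("Action")), _as_set(st.get("Resource"))
        unexpected = actions - READ_ONLY - WRITE
        if unexpected:
            findings.append(f"statement {i}: actions beyond External DNS needs {sorted(unexpected)}")
        # A wildcard action also grants the write, so it must be scoped the same way.
        if actions & WRITE or actions & {"*", "route53:*"}:
            bad = sorted(r for r in resources if not r.startswith("arn:aws:route53:::hostedzone/")
                         or r.endswith("/*") or "${" in r)
            if bad:
                findings.append(f"statement {i}: record writes not scoped to one hosted zone {bad}")
    return findings
```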
IAM Policy creation
The command below is used to create an IAM policy within AWS. This policy is specifically designed for the External DNS Addon, granting it the necessary permissions to manage AWS resources on your behalf.
```bash
aws iam create-policy \
  --policy-name "ExternalDNSUpdatesPolicyDemoPrivateTest" \
  --policy-document file://external_dns_iam_policy.json
```
The command line above is described in the table below:
Command | Description |
---|---|
aws iam create-policy | This is the AWS CLI command used to create a new IAM policy. IAM (Identity and Access Management) is a service provided by AWS that helps you securely control access to AWS resources. |
--policy-name "ExternalDNSUpdatesPolicyDemoPrivateTest" | This option specifies the name of the IAM policy you are creating. It's important to choose a name that clearly indicates the purpose of the policy, in this case providing permissions for the External DNS Addon. |
--policy-document file://external_dns_iam_policy.json | This option points to the file that contains the policy document. The policy document is a JSON-formatted file that defines the permissions granted by the policy. The file:// prefix indicates that the file is located on the local filesystem. In this command, the policy document is external_dns_iam_policy.json, the file you created in the previous step. |
Service Account creation
The configuration of the External DNS Addon involves creating an IAM service account with the necessary permissions. This is achieved using the eksctl command-line tool. The following code block presents an example of a command used to create an IAM service account for the External DNS Addon.
```bash
eksctl create iamserviceaccount \
  --name external-dns \
  --namespace kube-system \
  --cluster ${CLUSTER_NAME} \
  --attach-policy-arn=arn:aws:iam::${AWS_CURRENT_ACCOUNT}:policy/ExternalDNSUpdatesPolicy \
  --approve \
  --override-existing-serviceaccounts --region ${CLUSTER_REGION}
```
The command line above is described in the table below:
Parameter | Description |
---|---|
--cluster=${CLUSTER_NAME} | Specifies the name of the EKS cluster where the service account will be created. Replace ${CLUSTER_NAME} with the actual name of your EKS cluster. |
--namespace=kube-system | Specifies the Kubernetes namespace where the service account will be created. In this case, it is created in the kube-system namespace, which is typically used for system-level resources. |
--name=external-dns | Specifies the name of the service account. This name is used to identify the service account within the Kubernetes cluster. |
--attach-policy-arn=arn:aws:iam::${AWS_CURRENT_ACCOUNT}:policy/ExternalDNSUpdatesPolicy | Attaches the specified IAM policy to the role. |
--approve | Automatically approves the creation of the service account and the associated IAM role. |
--override-existing-serviceaccounts | Used to specify whether eksctl should override any existing service accounts with the same name in the specified namespace. When you use this option, eksctl will update the existing service account with the new IAM role and policy attachments, rather than creating a new service account. |
--region ${CLUSTER_REGION} | Specifies the AWS region where the EKS cluster is located. This is important because AWS resources, including IAM roles and policies, are region-specific. By specifying the region, you ensure that eksctl creates the service account in the correct AWS region, matching the region of your EKS cluster. |
- Security: The command attaches the IAM policy ExternalDNSUpdatesPolicy to the service account. Ensure that this policy exists and grants the necessary permissions for the External DNS Addon to manage AWS resources; the policy name in --attach-policy-arn must match the --policy-name you used when creating the policy.
- Namespace: The service account is created in the kube-system namespace. This is a common practice for system-level resources, but you may choose to create the service account in a different namespace if your organization's policies dictate so.
- Correct Region: Always ensure that the region specified matches the region of your EKS cluster. Using the wrong region can lead to errors or the creation of resources in the wrong location.
What's next?
For additional information about how OBLV Deploy uses External DNS Addon, access the Prerequisites page.