kind: DaemonSet apiVersion: apps/v1 metadata: name: node-dns namespace: kube-system annotations: cke.cybozu.com/image: "{{ .unbound }},{{ .unbound_exporter }}" cke.cybozu.com/revision: "4" spec: selector: matchLabels: cke.cybozu.com/appname: node-dns updateStrategy: type: RollingUpdate rollingUpdate: maxSurge: 35% maxUnavailable: 0 template: metadata: labels: cke.cybozu.com/appname: node-dns spec: priorityClassName: system-node-critical nodeSelector: kubernetes.io/os: linux hostNetwork: true tolerations: - operator: Exists terminationGracePeriodSeconds: 1 containers: - name: unbound image: {{ .unbound }} args: - -c - /etc/unbound/unbound.conf securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - all readOnlyRootFilesystem: true readinessProbe: tcpSocket: port: 53 host: localhost periodSeconds: 1 livenessProbe: tcpSocket: port: 53 host: localhost periodSeconds: 1 initialDelaySeconds: 1 failureThreshold: 6 volumeMounts: - name: config-volume mountPath: /etc/unbound - name: var-run-unbound mountPath: /var/run/unbound resources: requests: cpu: 50m memory: 250Mi - name: reload image: {{ .unbound }} command: - /usr/local/bin/reload-unbound securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true volumeMounts: - name: config-volume mountPath: /etc/unbound - name: var-run-unbound mountPath: /var/run/unbound - name: exporter image: {{ .unbound_exporter }} args: # must be same with the path written in /op/nodedns/nodedns.go - --unbound.host=unix:///var/run/unbound/unbound.sock - --web.reuse-port=true securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true volumeMounts: - name: var-run-unbound mountPath: /var/run/unbound volumes: - name: config-volume configMap: name: node-dns items: - key: unbound.conf path: unbound.conf - name: var-run-unbound emptyDir: {}