mirrors/external-dns
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/external-dns.git synced 2025-08-12 20:46:56 +02:00
Code Issues Packages Projects Releases Wiki Activity
gh-pages
external-dns/v0.13.0/tutorials/gke/index.html

2405 lines
109 KiB
HTML
Raw Permalink Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="author" content="external-dns maintainers">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.2.8">
<title>Setting up ExternalDNS on Google Kubernetes Engine - external-dns</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.644de097.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.e6a45f82.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("../..",location),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#setting-up-externaldns-on-google-kubernetes-engine" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
<aside class="md-banner md-banner--warning">
</aside>
</div>
<header class="md-header md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="external-dns" class="md-header__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
external-dns
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Setting up ExternalDNS on Google Kubernetes Engine
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../ANS_Group_SafeDNS/" class="md-tabs__link md-tabs__link--active">
Tutorials
</a>
</li>
<li class="md-tabs__item">
<a href="../../initial-design/" class="md-tabs__link">
Advanced Topics
</a>
</li>
<li class="md-tabs__item">
<a href="../../CONTRIBUTING/" class="md-tabs__link">
Contributing
</a>
</li>
<li class="md-tabs__item">
<a href="../../faq/" class="md-tabs__link">
About
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="external-dns" class="md-nav__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
external-dns
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
Home
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2">
Tutorials
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Tutorials" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ANS_Group_SafeDNS/" class="md-nav__link">
Setting up ExternalDNS for Services on ANS Group's SafeDNS
</a>
</li>
<li class="md-nav__item">
<a href="../akamai-edgedns/" class="md-nav__link">
Setting up External-DNS for Services on Akamai Edge DNS
</a>
</li>
<li class="md-nav__item">
<a href="../alb-ingress/" class="md-nav__link">
Using ExternalDNS with alb-ingress-controller
</a>
</li>
<li class="md-nav__item">
<a href="../alibabacloud/" class="md-nav__link">
Setting up ExternalDNS for Services on Alibaba Cloud
</a>
</li>
<li class="md-nav__item">
<a href="../aws-sd/" class="md-nav__link">
Setting up ExternalDNS using AWS Cloud Map API
</a>
</li>
<li class="md-nav__item">
<a href="../aws/" class="md-nav__link">
Setting up ExternalDNS for Services on AWS
</a>
</li>
<li class="md-nav__item">
<a href="../azure-private-dns/" class="md-nav__link">
Set up ExternalDNS for Azure Private DNS
</a>
</li>
<li class="md-nav__item">
<a href="../azure/" class="md-nav__link">
Setting up ExternalDNS for Services on Azure
</a>
</li>
<li class="md-nav__item">
<a href="../bluecat/" class="md-nav__link">
Setting up external-dns for BlueCat
</a>
</li>
<li class="md-nav__item">
<a href="../cloudflare/" class="md-nav__link">
Setting up ExternalDNS for Services on Cloudflare
</a>
</li>
<li class="md-nav__item">
<a href="../contour/" class="md-nav__link">
Setting up External DNS with Contour
</a>
</li>
<li class="md-nav__item">
<a href="../coredns/" class="md-nav__link">
Setting up ExternalDNS for CoreDNS with minikube
</a>
</li>
<li class="md-nav__item">
<a href="../designate/" class="md-nav__link">
Setting up ExternalDNS for Services on OpenStack Designate
</a>
</li>
<li class="md-nav__item">
<a href="../digitalocean/" class="md-nav__link">
Setting up ExternalDNS for Services on DigitalOcean
</a>
</li>
<li class="md-nav__item">
<a href="../dnsimple/" class="md-nav__link">
Setting up ExternalDNS for Services on DNSimple
</a>
</li>
<li class="md-nav__item">
<a href="../dyn/" class="md-nav__link">
Setting up ExternalDNS for Dyn
</a>
</li>
<li class="md-nav__item">
<a href="../exoscale/" class="md-nav__link">
Setting up ExternalDNS for Exoscale
</a>
</li>
<li class="md-nav__item">
<a href="../externalname/" class="md-nav__link">
Setting up ExternalDNS for ExternalName Services
</a>
</li>
<li class="md-nav__item">
<a href="../gandi/" class="md-nav__link">
Setting up ExternalDNS for Services on Gandi
</a>
</li>
<li class="md-nav__item">
<a href="../gateway-api/" class="md-nav__link">
Configuring ExternalDNS to use Gateway API Route Sources
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Setting up ExternalDNS on Google Kubernetes Engine
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Setting up ExternalDNS on Google Kubernetes Engine
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#single-project-test-scenario-using-access-scopes" class="md-nav__link">
Single project test scenario using access scopes
</a>
<nav class="md-nav" aria-label="Single project test scenario using access scopes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-project-environment" class="md-nav__link">
Configure Project Environment
</a>
</li>
<li class="md-nav__item">
<a href="#create-gke-cluster" class="md-nav__link">
Create GKE Cluster
</a>
</li>
<li class="md-nav__item">
<a href="#cloud-dns-zone" class="md-nav__link">
Cloud DNS Zone
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cross-project-access-scenario-using-google-service-account" class="md-nav__link">
Cross project access scenario using Google Service Account
</a>
<nav class="md-nav" aria-label="Cross project access scenario using Google Service Account">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#setup-cloud-dns-and-gke" class="md-nav__link">
Setup Cloud DNS and GKE
</a>
<nav class="md-nav" aria-label="Setup Cloud DNS and GKE">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-projects" class="md-nav__link">
Configure Projects
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-cloud-dns" class="md-nav__link">
Provisioning Cloud DNS
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-a-gke-cluster-for-cross-project-access" class="md-nav__link">
Provisioning a GKE cluster for cross project access
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#worker-node-service-account-method" class="md-nav__link">
Worker Node Service Account method
</a>
</li>
<li class="md-nav__item">
<a href="#static-credentials" class="md-nav__link">
Static Credentials
</a>
<nav class="md-nav" aria-label="Static Credentials">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-gsa-for-use-with-static-credentials" class="md-nav__link">
Create GSA for use with static credentials
</a>
</li>
<li class="md-nav__item">
<a href="#create-kubernetes-secret-using-static-credentials" class="md-nav__link">
Create Kubernetes secret using static credentials
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#workload-identity" class="md-nav__link">
Workload Identity
</a>
<nav class="md-nav" aria-label="Workload Identity">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-gsa-for-use-with-workload-identity" class="md-nav__link">
Create GSA for use with Workload Identity
</a>
</li>
<li class="md-nav__item">
<a href="#link-ksa-to-gsa" class="md-nav__link">
Link KSA to GSA
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-external-dns" class="md-nav__link">
Deploy External DNS
</a>
</li>
<li class="md-nav__item">
<a href="#link-ksa-to-gsa-in-kubernetes" class="md-nav__link">
Link KSA to GSA in Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="#update-externaldns-pods" class="md-nav__link">
Update ExternalDNS pods
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns" class="md-nav__link">
Deploy ExternalDNS
</a>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works" class="md-nav__link">
Verify ExternalDNS works
</a>
<nav class="md-nav" aria-label="Verify ExternalDNS works">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#verify-using-an-external-load-balancer" class="md-nav__link">
Verify using an external load balancer
</a>
</li>
<li class="md-nav__item">
<a href="#verify-using-an-ingress" class="md-nav__link">
Verify using an ingress
</a>
</li>
<li class="md-nav__item">
<a href="#clean-up" class="md-nav__link">
Clean up
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../gloo-proxy/" class="md-nav__link">
Configuring ExternalDNS to use the Gloo Proxy Source
</a>
</li>
<li class="md-nav__item">
<a href="../godaddy/" class="md-nav__link">
Setting up ExternalDNS for Services on GoDaddy
</a>
</li>
<li class="md-nav__item">
<a href="../hostport/" class="md-nav__link">
Setting up ExternalDNS for Headless Services
</a>
</li>
<li class="md-nav__item">
<a href="../ibmcloud/" class="md-nav__link">
Setting up ExternalDNS for Services on IBMCloud
</a>
</li>
<li class="md-nav__item">
<a href="../infoblox/" class="md-nav__link">
Setting up ExternalDNS for Infoblox
</a>
</li>
<li class="md-nav__item">
<a href="../istio/" class="md-nav__link">
Configuring ExternalDNS to use the Istio Gateway and/or Istio Virtual Service Source
</a>
</li>
<li class="md-nav__item">
<a href="../kong/" class="md-nav__link">
Configuring ExternalDNS to use the Kong TCPIngress Source
</a>
</li>
<li class="md-nav__item">
<a href="../kops-dns-controller/" class="md-nav__link">
kOps dns-controller compatibility mode
</a>
</li>
<li class="md-nav__item">
<a href="../kube-ingress-aws/" class="md-nav__link">
Using ExternalDNS with kube-ingress-aws-controller
</a>
</li>
<li class="md-nav__item">
<a href="../linode/" class="md-nav__link">
Setting up ExternalDNS for Services on Linode
</a>
</li>
<li class="md-nav__item">
<a href="../nginx-ingress/" class="md-nav__link">
Setting up ExternalDNS on GKE with nginx-ingress-controller
</a>
</li>
<li class="md-nav__item">
<a href="../nodes/" class="md-nav__link">
Configuring ExternalDNS to use Cluster Nodes as Source
</a>
</li>
<li class="md-nav__item">
<a href="../ns-record/" class="md-nav__link">
Creating NS record with CRD source
</a>
</li>
<li class="md-nav__item">
<a href="../ns1/" class="md-nav__link">
Setting up ExternalDNS for Services on NS1
</a>
</li>
<li class="md-nav__item">
<a href="../openshift/" class="md-nav__link">
Configuring ExternalDNS to use the OpenShift Route Source
</a>
</li>
<li class="md-nav__item">
<a href="../oracle/" class="md-nav__link">
Setting up ExternalDNS for Oracle Cloud Infrastructure (OCI)
</a>
</li>
<li class="md-nav__item">
<a href="../ovh/" class="md-nav__link">
Setting up ExternalDNS for Services on OVH
</a>
</li>
<li class="md-nav__item">
<a href="../pdns/" class="md-nav__link">
Setting up ExternalDNS for PowerDNS
</a>
</li>
<li class="md-nav__item">
<a href="../plural/" class="md-nav__link">
Setting up ExternalDNS for Services on Plural
</a>
</li>
<li class="md-nav__item">
<a href="../public-private-route53/" class="md-nav__link">
Setting up ExternalDNS using the same domain for public and private Route53 zones
</a>
</li>
<li class="md-nav__item">
<a href="../rcodezero/" class="md-nav__link">
Setting up ExternalDNS for Services on RcodeZero
</a>
</li>
<li class="md-nav__item">
<a href="../rdns/" class="md-nav__link">
Setting up ExternalDNS for RancherDNS(RDNS) with kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="../rfc2136/" class="md-nav__link">
Configuring RFC2136 provider
</a>
</li>
<li class="md-nav__item">
<a href="../scaleway/" class="md-nav__link">
Setting up ExternalDNS for Services on Scaleway
</a>
</li>
<li class="md-nav__item">
<a href="../security-context/" class="md-nav__link">
Running ExternalDNS with limited privileges
</a>
</li>
<li class="md-nav__item">
<a href="../tencentcloud/" class="md-nav__link">
Setting up ExternalDNS for Tencent Cloud
</a>
</li>
<li class="md-nav__item">
<a href="../transip/" class="md-nav__link">
Setting up ExternalDNS for Services on TransIP
</a>
</li>
<li class="md-nav__item">
<a href="../ultradns/" class="md-nav__link">
Setting up ExternalDNS for Services on UltraDNS
</a>
</li>
<li class="md-nav__item">
<a href="../vinyldns/" class="md-nav__link">
Setting up ExternalDNS for VinylDNS
</a>
</li>
<li class="md-nav__item">
<a href="../vultr/" class="md-nav__link">
Setting up ExternalDNS for Services on Vultr
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3">
Advanced Topics
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Advanced Topics" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Advanced Topics
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../initial-design/" class="md-nav__link">
Initial Design
</a>
</li>
<li class="md-nav__item">
<a href="../../ttl/" class="md-nav__link">
TTL
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Contributing
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Contributing" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CONTRIBUTING/" class="md-nav__link">
Kubernetes Contributions
</a>
</li>
<li class="md-nav__item">
<a href="../../release/" class="md-nav__link">
Release
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/chart/" class="md-nav__link">
Helm Chart
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/crd-source/" class="md-nav__link">
CRD Source
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/getting-started/" class="md-nav__link">
Quick Start
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/sources-and-providers/" class="md-nav__link">
Sources and Providers
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
About
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="About" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
About
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../faq/" class="md-nav__link">
FAQ
</a>
</li>
<li class="md-nav__item">
<a href="../../20190708-external-dns-incubator/" class="md-nav__link">
Out of Incubator
</a>
</li>
<li class="md-nav__item">
<a href="../../code-of-conduct/" class="md-nav__link">
Code of Conduct
</a>
</li>
<li class="md-nav__item">
<a href="../../LICENSE/" class="md-nav__link">
License
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#single-project-test-scenario-using-access-scopes" class="md-nav__link">
Single project test scenario using access scopes
</a>
<nav class="md-nav" aria-label="Single project test scenario using access scopes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-project-environment" class="md-nav__link">
Configure Project Environment
</a>
</li>
<li class="md-nav__item">
<a href="#create-gke-cluster" class="md-nav__link">
Create GKE Cluster
</a>
</li>
<li class="md-nav__item">
<a href="#cloud-dns-zone" class="md-nav__link">
Cloud DNS Zone
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cross-project-access-scenario-using-google-service-account" class="md-nav__link">
Cross project access scenario using Google Service Account
</a>
<nav class="md-nav" aria-label="Cross project access scenario using Google Service Account">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#setup-cloud-dns-and-gke" class="md-nav__link">
Setup Cloud DNS and GKE
</a>
<nav class="md-nav" aria-label="Setup Cloud DNS and GKE">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-projects" class="md-nav__link">
Configure Projects
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-cloud-dns" class="md-nav__link">
Provisioning Cloud DNS
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-a-gke-cluster-for-cross-project-access" class="md-nav__link">
Provisioning a GKE cluster for cross project access
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#worker-node-service-account-method" class="md-nav__link">
Worker Node Service Account method
</a>
</li>
<li class="md-nav__item">
<a href="#static-credentials" class="md-nav__link">
Static Credentials
</a>
<nav class="md-nav" aria-label="Static Credentials">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-gsa-for-use-with-static-credentials" class="md-nav__link">
Create GSA for use with static credentials
</a>
</li>
<li class="md-nav__item">
<a href="#create-kubernetes-secret-using-static-credentials" class="md-nav__link">
Create Kubernetes secret using static credentials
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#workload-identity" class="md-nav__link">
Workload Identity
</a>
<nav class="md-nav" aria-label="Workload Identity">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-gsa-for-use-with-workload-identity" class="md-nav__link">
Create GSA for use with Workload Identity
</a>
</li>
<li class="md-nav__item">
<a href="#link-ksa-to-gsa" class="md-nav__link">
Link KSA to GSA
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-external-dns" class="md-nav__link">
Deploy External DNS
</a>
</li>
<li class="md-nav__item">
<a href="#link-ksa-to-gsa-in-kubernetes" class="md-nav__link">
Link KSA to GSA in Kubernetes
</a>
</li>
<li class="md-nav__item">
<a href="#update-externaldns-pods" class="md-nav__link">
Update ExternalDNS pods
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns" class="md-nav__link">
Deploy ExternalDNS
</a>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works" class="md-nav__link">
Verify ExternalDNS works
</a>
<nav class="md-nav" aria-label="Verify ExternalDNS works">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#verify-using-an-external-load-balancer" class="md-nav__link">
Verify using an external load balancer
</a>
</li>
<li class="md-nav__item">
<a href="#verify-using-an-ingress" class="md-nav__link">
Verify using an ingress
</a>
</li>
<li class="md-nav__item">
<a href="#clean-up" class="md-nav__link">
Clean up
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes-sigs/external-dns/edit/master/docs/tutorials/gke.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
</a>
<h1 id="setting-up-externaldns-on-google-kubernetes-engine">Setting up ExternalDNS on Google Kubernetes Engine<a class="headerlink" href="#setting-up-externaldns-on-google-kubernetes-engine" title="Permanent link">&para;</a></h1>
<p>This tutorial describes how to setup ExternalDNS for usage within a <a href="https://cloud.google.com/kubernetes-engine">GKE</a> (<a href="https://cloud.google.com/kubernetes-engine">Google Kuberentes Engine</a>) cluster. Make sure to use <strong>&gt;=0.11.0</strong> version of ExternalDNS for this tutorial</p>
<h2 id="single-project-test-scenario-using-access-scopes">Single project test scenario using access scopes<a class="headerlink" href="#single-project-test-scenario-using-access-scopes" title="Permanent link">&para;</a></h2>
<p><em>If you prefer to try-out ExternalDNS in one of the existing environments you can skip this step</em></p>
<p>The following instructions use <a href="https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam">access scopes</a> to provide ExternalDNS with the permissions it needs to manage DNS records within a single <a href="https://cloud.google.com/docs/overview#projects">project</a>, the organizing entity to allocate resources.</p>
<p>Note that since these permissions are associated with the instance, all pods in the cluster will also have these permissions. As such, this approach is not suitable for anything but testing environments.</p>
<p>This solution will only work when both CloudDNS and GKE are provisioned in the same project. If the CloudDNS zone is in a different project, this solution will not work.</p>
<h3 id="configure-project-environment">Configure Project Environment<a class="headerlink" href="#configure-project-environment" title="Permanent link">&para;</a></h3>
<p>Setup your environment to work with Google Cloud Platform. Fill in your variables as needed, e.g. target project.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="c1"># set variables to the appropriate desired values</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="nv">PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-external-dns-test&quot;</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="nv">REGION</span><span class="o">=</span><span class="s2">&quot;europe-west1&quot;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="nv">ZONE</span><span class="o">=</span><span class="s2">&quot;europe-west1-d&quot;</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="nv">ClOUD_BILLING_ACCOUNT</span><span class="o">=</span><span class="s2">&quot;&lt;my-cloud-billing-account&gt;&quot;</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="c1"># set default settings for project</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a>gcloud config <span class="nb">set</span> project <span class="nv">$PROJECT_ID</span>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a>gcloud config <span class="nb">set</span> compute/region <span class="nv">$REGION</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a>gcloud config <span class="nb">set</span> compute/zone <span class="nv">$ZONE</span>
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="c1"># enable billing and APIs if not done already</span>
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a>gcloud beta billing projects link <span class="nv">$PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a> --billing-account <span class="nv">$BILLING_ACCOUNT</span>
<a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a>gcloud services <span class="nb">enable</span> <span class="s2">&quot;dns.googleapis.com&quot;</span>
<a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a>gcloud services <span class="nb">enable</span> <span class="s2">&quot;container.googleapis.com&quot;</span>
</code></pre></div>
<h3 id="create-gke-cluster">Create GKE Cluster<a class="headerlink" href="#create-gke-cluster" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>gcloud container clusters create <span class="nv">$GKE_CLUSTER_NAME</span> <span class="se">\</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a> --num-nodes <span class="m">1</span> <span class="se">\</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a> --scopes <span class="s2">&quot;https://www.googleapis.com/auth/ndev.clouddns.readwrite&quot;</span>
</code></pre></div>
<p><strong>WARNING</strong>: Note that this cluster will use the default <a href="https://cloud.google.com/compute/docs/access/service-accounts#default_service_account">compute engine GSA</a> that contians the overly permissive project editor (<code>roles/editor</code>) role. So essentially, anything on the cluster could potentially grant escalated privileges. Also, as mentioned earlier, the access scope <code>ndev.clouddns.readwrite</code> will allow anything running on the cluster to have read/write permissions on all Cloud DNS zones within the same project.</p>
<h3 id="cloud-dns-zone">Cloud DNS Zone<a class="headerlink" href="#cloud-dns-zone" title="Permanent link">&para;</a></h3>
<p>Create a DNS zone which will contain the managed DNS records. If using your own domain that was registered with a third-party domain registrar, you should point your domain&rsquo;s name servers to the values under the <code>nameServers</code> key. Please consult your registrar&rsquo;s documentation on how to do that. This tutorial will use example domain of <code>example.com</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>gcloud dns managed-zones create <span class="s2">&quot;example-com&quot;</span> --dns-name <span class="s2">&quot;example.com.&quot;</span> <span class="se">\</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a> --description <span class="s2">&quot;Automatically managed zone by kubernetes.io/external-dns&quot;</span>
</code></pre></div>
<p>Make a note of the nameservers that were assigned to your new zone.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a>gcloud dns record-sets list <span class="se">\</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a> --zone <span class="s2">&quot;example-com&quot;</span> --name <span class="s2">&quot;example.com.&quot;</span> --type NS
</code></pre></div>
<p>Outputs:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a>NAME TYPE TTL DATA
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a>example.com. NS 21600 ns-cloud-e1.googledomains.com.,ns-cloud-e2.googledomains.com.,ns-cloud-e3.googledomains.com.,ns-cloud-e4.googledomains.com.
</code></pre></div>
<p>In this case it&rsquo;s <code>ns-cloud-{e1-e4}.googledomains.com.</code> but your&rsquo;s could slightly differ, e.g. <code>{a1-a4}</code>, <code>{b1-b4}</code> etc.</p>
<h2 id="cross-project-access-scenario-using-google-service-account">Cross project access scenario using Google Service Account<a class="headerlink" href="#cross-project-access-scenario-using-google-service-account" title="Permanent link">&para;</a></h2>
<p>More often, following best practices in regards to security and operations, Cloud DNS zones will be managed in a separate project from the Kubernetes cluster. This section shows how setup ExternalDNS to access Cloud DNS from a different project. These steps will also work for single project scenarios as well.</p>
<p>ExternalDNS will need permissions to make changes to the Cloud DNS zone. There are three ways to configure the access needed:</p>
<ul>
<li><a href="#worker-node-service-account">Worker Node Service Account</a></li>
<li><a href="#static-credentials">Static Credentials</a></li>
<li><a href="#work-load-identity">Work Load Identity</a></li>
</ul>
<h3 id="setup-cloud-dns-and-gke">Setup Cloud DNS and GKE<a class="headerlink" href="#setup-cloud-dns-and-gke" title="Permanent link">&para;</a></h3>
<p>Below are examples on how you can configure Cloud DNS and GKE in separate projects, and then use one of the three methods to grant access to ExternalDNS. Replace the environment variables to values that make sense in your environment.</p>
<h4 id="configure-projects">Configure Projects<a class="headerlink" href="#configure-projects" title="Permanent link">&para;</a></h4>
<p>For this process, create projects with the appropriate APIs enabled.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c1"># set variables to appropriate desired values</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="nv">GKE_PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-workload-project&quot;</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="nv">DNS_PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-cloud-dns-project&quot;</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="nv">ClOUD_BILLING_ACCOUNT</span><span class="o">=</span><span class="s2">&quot;&lt;my-cloud-billing-account&gt;&quot;</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="c1"># enable billing and APIs for DNS project if not done already</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a>gcloud config <span class="nb">set</span> project <span class="nv">$DNS_PROJECT_ID</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a>gcloud beta billing projects link <span class="nv">$CLOUD_DNS_PROJECT</span> <span class="se">\</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a> --billing-account <span class="nv">$ClOUD_BILLING_ACCOUNT</span>
<a id="__codelineno-5-9" name="__codelineno-5-9" href="#__codelineno-5-9"></a>gcloud services <span class="nb">enable</span> <span class="s2">&quot;dns.googleapis.com&quot;</span>
<a id="__codelineno-5-10" name="__codelineno-5-10" href="#__codelineno-5-10"></a><span class="c1"># enable billing and APIs for GKE project if not done already</span>
<a id="__codelineno-5-11" name="__codelineno-5-11" href="#__codelineno-5-11"></a>gcloud config <span class="nb">set</span> project <span class="nv">$GKE_PROJECT_ID</span>
<a id="__codelineno-5-12" name="__codelineno-5-12" href="#__codelineno-5-12"></a>gcloud beta billing projects link <span class="nv">$CLOUD_DNS_PROJECT</span> <span class="se">\</span>
<a id="__codelineno-5-13" name="__codelineno-5-13" href="#__codelineno-5-13"></a> --billing-account <span class="nv">$ClOUD_BILLING_ACCOUNT</span>
<a id="__codelineno-5-14" name="__codelineno-5-14" href="#__codelineno-5-14"></a>gcloud services <span class="nb">enable</span> <span class="s2">&quot;container.googleapis.com&quot;</span>
</code></pre></div>
<h4 id="provisioning-cloud-dns">Provisioning Cloud DNS<a class="headerlink" href="#provisioning-cloud-dns" title="Permanent link">&para;</a></h4>
<p>Create a Cloud DNS zone in the designated DNS project. </p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>gcloud dns managed-zones create <span class="s2">&quot;example-com&quot;</span> --project <span class="nv">$DNS_PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a> --description <span class="s2">&quot;example.com&quot;</span> --dns-name<span class="o">=</span><span class="s2">&quot;example.com.&quot;</span> --visibility<span class="o">=</span>public
</code></pre></div>
<p>If using your own domain that was registered with a third-party domain registrar, you should point your domain&rsquo;s name servers to the values under the <code>nameServers</code> key. Please consult your registrar&rsquo;s documentation on how to do that. The example domain of <code>example.com</code> will be used for this tutorial.</p>
<h4 id="provisioning-a-gke-cluster-for-cross-project-access">Provisioning a GKE cluster for cross project access<a class="headerlink" href="#provisioning-a-gke-cluster-for-cross-project-access" title="Permanent link">&para;</a></h4>
<p>Create a GSA (Google Service Account) and grant it the <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa">minimal set of privileges required</a> for GKE nodes:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="nv">GKE_CLUSTER_NAME</span><span class="o">=</span><span class="s2">&quot;my-external-dns-cluster&quot;</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="nv">GKE_REGION</span><span class="o">=</span><span class="s2">&quot;us-central1&quot;</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="nv">GKE_SA_NAME</span><span class="o">=</span><span class="s2">&quot;worker-nodes-sa&quot;</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="nv">GKE_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$GKE_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="nv">ROLES</span><span class="o">=(</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a> roles/logging.logWriter
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a> roles/monitoring.metricWriter
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a> roles/monitoring.viewer
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a> roles/stackdriver.resourceMetadata.writer
<a id="__codelineno-7-11" name="__codelineno-7-11" href="#__codelineno-7-11"></a><span class="o">)</span>
<a id="__codelineno-7-12" name="__codelineno-7-12" href="#__codelineno-7-12"></a>
<a id="__codelineno-7-13" name="__codelineno-7-13" href="#__codelineno-7-13"></a>gcloud iam service-accounts create <span class="nv">$GKE_SA_NAME</span> <span class="se">\</span>
<a id="__codelineno-7-14" name="__codelineno-7-14" href="#__codelineno-7-14"></a> --display-name <span class="nv">$GKE_SA_NAME</span> --project <span class="nv">$GKE_PROJECT_ID</span>
<a id="__codelineno-7-15" name="__codelineno-7-15" href="#__codelineno-7-15"></a>
<a id="__codelineno-7-16" name="__codelineno-7-16" href="#__codelineno-7-16"></a><span class="c1"># assign google service account to roles in GKE project</span>
<a id="__codelineno-7-17" name="__codelineno-7-17" href="#__codelineno-7-17"></a><span class="k">for</span> ROLE <span class="k">in</span> <span class="si">${</span><span class="nv">ROLES</span><span class="p">[*]</span><span class="si">}</span><span class="p">;</span> <span class="k">do</span>
<a id="__codelineno-7-18" name="__codelineno-7-18" href="#__codelineno-7-18"></a> gcloud projects add-iam-policy-binding <span class="nv">$GKE_PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-7-19" name="__codelineno-7-19" href="#__codelineno-7-19"></a> --member <span class="s2">&quot;serviceAccount:</span><span class="nv">$GKE_SA_EMAIL</span><span class="s2">&quot;</span> <span class="se">\</span>
<a id="__codelineno-7-20" name="__codelineno-7-20" href="#__codelineno-7-20"></a> --role <span class="nv">$ROLE</span>
<a id="__codelineno-7-21" name="__codelineno-7-21" href="#__codelineno-7-21"></a><span class="k">done</span>
</code></pre></div>
<p>Create a cluster using this service account and enable <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">workload identity</a>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>gcloud container clusters create <span class="nv">$GKE_CLUSTER_NAME</span> <span class="se">\</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a> --project <span class="nv">$GKE_PROJECT_ID</span> --region <span class="nv">$GKE_REGION</span> --num-nodes <span class="m">1</span> <span class="se">\</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a> --service-account <span class="s2">&quot;</span><span class="nv">$GKE_SA_EMAIL</span><span class="s2">&quot;</span> <span class="se">\</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a> --workload-pool <span class="s2">&quot;</span><span class="nv">$GKE_PROJECT_ID</span><span class="s2">.svc.id.goog&quot;</span>
</code></pre></div>
<h3 id="worker-node-service-account-method">Worker Node Service Account method<a class="headerlink" href="#worker-node-service-account-method" title="Permanent link">&para;</a></h3>
<p>In this method, the GSA (Google Service Account) that is associated with GKE worker nodes will be configured to have access to Cloud DNS. </p>
<p><strong>WARNING</strong>: This will grant access to modify the Cloud DNS zone records for all containers running on cluster, not just ExternalDNS, so use this option with caution. This is not recommended for production environments.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="nv">GKE_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$GKE_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="c1"># assign google service account to dns.admin role in the cloud dns project</span>
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a>gcloud projects add-iam-policy-binding <span class="nv">$DNS_PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-9-5" name="__codelineno-9-5" href="#__codelineno-9-5"></a> --member serviceAccount:<span class="nv">$GKE_SA_EMAIL</span> <span class="se">\</span>
<a id="__codelineno-9-6" name="__codelineno-9-6" href="#__codelineno-9-6"></a> --role roles/dns.admin
</code></pre></div>
<p>After this, follow the steps in <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Make sure to set the <code>--google-project</code> flag to match the Cloud DNS project name.</p>
<h3 id="static-credentials">Static Credentials<a class="headerlink" href="#static-credentials" title="Permanent link">&para;</a></h3>
<p>In this scenario, a new GSA (Google Service Account) is created that has access to the CloudDNS zone. The credentials for this GSA are saved and installed as a Kubernetes secret that will be used by ExternalDNS. </p>
<p>This allows only containers that have access to the secret, such as ExternalDNS to update records on the Cloud DNS Zone.</p>
<h4 id="create-gsa-for-use-with-static-credentials">Create GSA for use with static credentials<a class="headerlink" href="#create-gsa-for-use-with-static-credentials" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="nv">DNS_SA_NAME</span><span class="o">=</span><span class="s2">&quot;external-dns-sa&quot;</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="nv">DNS_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$DNS_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="c1"># create GSA used to access the Cloud DNS zone</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a>gcloud iam service-accounts create <span class="nv">$DNS_SA_NAME</span> --display-name <span class="nv">$DNS_SA_NAME</span>
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a>
<a id="__codelineno-10-7" name="__codelineno-10-7" href="#__codelineno-10-7"></a><span class="c1"># assign google service account to dns.admin role in cloud-dns project</span>
<a id="__codelineno-10-8" name="__codelineno-10-8" href="#__codelineno-10-8"></a>gcloud projects add-iam-policy-binding <span class="nv">$DNS_PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-10-9" name="__codelineno-10-9" href="#__codelineno-10-9"></a> --member serviceAccount:<span class="nv">$DNS_SA_EMAIL</span> --role <span class="s2">&quot;roles/dns.admin&quot;</span>
</code></pre></div>
<h4 id="create-kubernetes-secret-using-static-credentials">Create Kubernetes secret using static credentials<a class="headerlink" href="#create-kubernetes-secret-using-static-credentials" title="Permanent link">&para;</a></h4>
<p>Generate static credentials from the ExternalDNS GSA.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="c1"># download static credentials</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a>gcloud iam service-accounts keys create /local/path/to/credentials.json <span class="se">\</span>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a> --iam-account <span class="nv">$DNS_SA_EMAIL</span>
</code></pre></div>
<p>Create a Kubernetes secret with the credentials in the same namespace of ExternalDNS.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>kubectl create secret generic <span class="s2">&quot;external-dns&quot;</span> --namespace <span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span> <span class="se">\</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a> --from-file /local/path/to/credentials.json
</code></pre></div>
<p>After this, follow the steps in <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Make sure to set the <code>--google-project</code> flag to match Cloud DNS project name. Make sure to uncomment out the section that mounts the secret to the ExternalDNS pods.</p>
<h3 id="workload-identity">Workload Identity<a class="headerlink" href="#workload-identity" title="Permanent link">&para;</a></h3>
<p><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Workload Identity</a> allows workloads in your GKE cluster to impersonate GSA (Google Service Accounts) using KSA (Kubernetes Service Accounts) configured during deployemnt. These are the steps to use this feature with ExternalDNS.</p>
<h4 id="create-gsa-for-use-with-workload-identity">Create GSA for use with Workload Identity<a class="headerlink" href="#create-gsa-for-use-with-workload-identity" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="nv">DNS_SA_NAME</span><span class="o">=</span><span class="s2">&quot;external-dns-sa&quot;</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="nv">DNS_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$DNS_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a>
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a>gcloud iam service-accounts create <span class="nv">$DNS_SA_NAME</span> --display-name <span class="nv">$DNS_SA_NAME</span>
<a id="__codelineno-13-5" name="__codelineno-13-5" href="#__codelineno-13-5"></a>gcloud projects add-iam-policy-binding <span class="nv">$DNS_PROJECT_ID</span> <span class="se">\</span>
<a id="__codelineno-13-6" name="__codelineno-13-6" href="#__codelineno-13-6"></a> --member serviceAccount:<span class="nv">$DNS_SA_EMAIL</span> --role <span class="s2">&quot;roles/dns.admin&quot;</span>
</code></pre></div>
<h4 id="link-ksa-to-gsa">Link KSA to GSA<a class="headerlink" href="#link-ksa-to-gsa" title="Permanent link">&para;</a></h4>
<p>Add an IAM policy binding bewtween the workload identity GSA and ExternalDNS GSA. This will link the ExternalDNS KSA to ExternalDNS GSA.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a>gcloud iam service-accounts add-iam-policy-binding <span class="nv">$DNS_SA_EMAIL</span> <span class="se">\</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a> --role <span class="s2">&quot;roles/iam.workloadIdentityUser&quot;</span> <span class="se">\</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a> --member <span class="s2">&quot;serviceAccount:</span><span class="nv">$GKE_PROJECT_ID</span><span class="s2">.svc.id.goog[</span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="s2">/external-dns]&quot;</span>
</code></pre></div>
<h4 id="deploy-external-dns">Deploy External DNS<a class="headerlink" href="#deploy-external-dns" title="Permanent link">&para;</a></h4>
<p>Deploy ExternalDNS with the following steps below, documented under <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Set the <code>--google-project</code> flag to the Cloud DNS project name.</p>
<h4 id="link-ksa-to-gsa-in-kubernetes">Link KSA to GSA in Kubernetes<a class="headerlink" href="#link-ksa-to-gsa-in-kubernetes" title="Permanent link">&para;</a></h4>
<p>Add the proper workload identity annotation to the ExternalDNS KSA.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a>kubectl annotate serviceaccount <span class="s2">&quot;external-dns&quot;</span> <span class="se">\</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a> --namespace <span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span> <span class="se">\</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a> <span class="s2">&quot;iam.gke.io/gcp-service-account=</span><span class="nv">$DNS_SA_EMAIL</span><span class="s2">&quot;</span>
</code></pre></div>
<h4 id="update-externaldns-pods">Update ExternalDNS pods<a class="headerlink" href="#update-externaldns-pods" title="Permanent link">&para;</a></h4>
<p>Update the Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a>kubectl patch deployment <span class="s2">&quot;external-dns&quot;</span> <span class="se">\</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a> --namespace <span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span> <span class="se">\</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a> --patch <span class="se">\</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a> <span class="s1">&#39;{&quot;spec&quot;: {&quot;template&quot;: {&quot;spec&quot;: {&quot;nodeSelector&quot;: {&quot;iam.gke.io/gke-metadata-server-enabled&quot;: &quot;true&quot;}}}}}&#39;</span>
</code></pre></div>
<p>After all of these steps you may see several messages with <code>googleapi: Error 403: Forbidden, forbidden</code>. After several minutes when the token is refreshed, these error messages will go away, and you should see info messages, such as: <code>All records are already up to date</code>.</p>
<h2 id="deploy-externaldns">Deploy ExternalDNS<a class="headerlink" href="#deploy-externaldns" title="Permanent link">&para;</a></h2>
<p>Then apply the following manifests file to deploy ExternalDNS.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span><span class="w"></span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-6" name="__codelineno-17-6" href="#__codelineno-17-6"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-7" name="__codelineno-17-7" href="#__codelineno-17-7"></a><span class="nn">---</span><span class="w"></span>
<a id="__codelineno-17-8" name="__codelineno-17-8" href="#__codelineno-17-8"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span><span class="w"></span>
<a id="__codelineno-17-9" name="__codelineno-17-9" href="#__codelineno-17-9"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRole</span><span class="w"></span>
<a id="__codelineno-17-10" name="__codelineno-17-10" href="#__codelineno-17-10"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-11" name="__codelineno-17-11" href="#__codelineno-17-11"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-12" name="__codelineno-17-12" href="#__codelineno-17-12"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-13" name="__codelineno-17-13" href="#__codelineno-17-13"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-14" name="__codelineno-17-14" href="#__codelineno-17-14"></a><span class="nt">rules</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-15" name="__codelineno-17-15" href="#__codelineno-17-15"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-16" name="__codelineno-17-16" href="#__codelineno-17-16"></a><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;services&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;endpoints&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;pods&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;nodes&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-17" name="__codelineno-17-17" href="#__codelineno-17-17"></a><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;get&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;watch&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;list&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-18" name="__codelineno-17-18" href="#__codelineno-17-18"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;extensions&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;networking.k8s.io&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-19" name="__codelineno-17-19" href="#__codelineno-17-19"></a><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;ingresses&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-20" name="__codelineno-17-20" href="#__codelineno-17-20"></a><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;get&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;watch&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;list&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<a id="__codelineno-17-21" name="__codelineno-17-21" href="#__codelineno-17-21"></a><span class="nn">---</span><span class="w"></span>
<a id="__codelineno-17-22" name="__codelineno-17-22" href="#__codelineno-17-22"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span><span class="w"></span>
<a id="__codelineno-17-23" name="__codelineno-17-23" href="#__codelineno-17-23"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRoleBinding</span><span class="w"></span>
<a id="__codelineno-17-24" name="__codelineno-17-24" href="#__codelineno-17-24"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-25" name="__codelineno-17-25" href="#__codelineno-17-25"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns-viewer</span><span class="w"></span>
<a id="__codelineno-17-26" name="__codelineno-17-26" href="#__codelineno-17-26"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-27" name="__codelineno-17-27" href="#__codelineno-17-27"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-28" name="__codelineno-17-28" href="#__codelineno-17-28"></a><span class="nt">roleRef</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-29" name="__codelineno-17-29" href="#__codelineno-17-29"></a><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io</span><span class="w"></span>
<a id="__codelineno-17-30" name="__codelineno-17-30" href="#__codelineno-17-30"></a><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRole</span><span class="w"></span>
<a id="__codelineno-17-31" name="__codelineno-17-31" href="#__codelineno-17-31"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-32" name="__codelineno-17-32" href="#__codelineno-17-32"></a><span class="nt">subjects</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-33" name="__codelineno-17-33" href="#__codelineno-17-33"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span><span class="w"></span>
<a id="__codelineno-17-34" name="__codelineno-17-34" href="#__codelineno-17-34"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-35" name="__codelineno-17-35" href="#__codelineno-17-35"></a><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># change if namespace is not &#39;default&#39;</span><span class="w"></span>
<a id="__codelineno-17-36" name="__codelineno-17-36" href="#__codelineno-17-36"></a><span class="nn">---</span><span class="w"></span>
<a id="__codelineno-17-37" name="__codelineno-17-37" href="#__codelineno-17-37"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span><span class="w"></span>
<a id="__codelineno-17-38" name="__codelineno-17-38" href="#__codelineno-17-38"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span><span class="w"></span>
<a id="__codelineno-17-39" name="__codelineno-17-39" href="#__codelineno-17-39"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-40" name="__codelineno-17-40" href="#__codelineno-17-40"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-41" name="__codelineno-17-41" href="#__codelineno-17-41"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-42" name="__codelineno-17-42" href="#__codelineno-17-42"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"> </span>
<a id="__codelineno-17-43" name="__codelineno-17-43" href="#__codelineno-17-43"></a><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-44" name="__codelineno-17-44" href="#__codelineno-17-44"></a><span class="w"> </span><span class="nt">strategy</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-45" name="__codelineno-17-45" href="#__codelineno-17-45"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Recreate</span><span class="w"></span>
<a id="__codelineno-17-46" name="__codelineno-17-46" href="#__codelineno-17-46"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-47" name="__codelineno-17-47" href="#__codelineno-17-47"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-48" name="__codelineno-17-48" href="#__codelineno-17-48"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-49" name="__codelineno-17-49" href="#__codelineno-17-49"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-50" name="__codelineno-17-50" href="#__codelineno-17-50"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-51" name="__codelineno-17-51" href="#__codelineno-17-51"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-52" name="__codelineno-17-52" href="#__codelineno-17-52"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-53" name="__codelineno-17-53" href="#__codelineno-17-53"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-54" name="__codelineno-17-54" href="#__codelineno-17-54"></a><span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-55" name="__codelineno-17-55" href="#__codelineno-17-55"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-56" name="__codelineno-17-56" href="#__codelineno-17-56"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"></span>
<a id="__codelineno-17-57" name="__codelineno-17-57" href="#__codelineno-17-57"></a><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">k8s.gcr.io/external-dns/external-dns:v0.11.0</span><span class="w"></span>
<a id="__codelineno-17-58" name="__codelineno-17-58" href="#__codelineno-17-58"></a><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-17-59" name="__codelineno-17-59" href="#__codelineno-17-59"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=service</span><span class="w"></span>
<a id="__codelineno-17-60" name="__codelineno-17-60" href="#__codelineno-17-60"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=ingress</span><span class="w"></span>
<a id="__codelineno-17-61" name="__codelineno-17-61" href="#__codelineno-17-61"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--domain-filter=example.com</span><span class="w"> </span><span class="c1"># will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones</span><span class="w"></span>
<a id="__codelineno-17-62" name="__codelineno-17-62" href="#__codelineno-17-62"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--provider=google</span><span class="w"></span>
<a id="__codelineno-17-63" name="__codelineno-17-63" href="#__codelineno-17-63"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--log-format=json</span><span class="w"> </span><span class="c1"># google cloud logs parses severity of the &quot;text&quot; log format incorrectly</span><span class="w"></span>
<a id="__codelineno-17-64" name="__codelineno-17-64" href="#__codelineno-17-64"></a><span class="w"> </span><span class="c1"># - --google-project=my-cloud-dns-project # Use this to specify a project different from the one external-dns is running inside</span><span class="w"></span>
<a id="__codelineno-17-65" name="__codelineno-17-65" href="#__codelineno-17-65"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--google-zone-visibility=public</span><span class="w"> </span><span class="c1"># Use this to filter to only zones with this visibility. Set to either &#39;public&#39; or &#39;private&#39;. Omitting will match public and private zones</span><span class="w"></span>
<a id="__codelineno-17-66" name="__codelineno-17-66" href="#__codelineno-17-66"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--policy=upsert-only</span><span class="w"> </span><span class="c1"># would prevent ExternalDNS from deleting any records, omit to enable full synchronization</span><span class="w"></span>
<a id="__codelineno-17-67" name="__codelineno-17-67" href="#__codelineno-17-67"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--registry=txt</span><span class="w"></span>
<a id="__codelineno-17-68" name="__codelineno-17-68" href="#__codelineno-17-68"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--txt-owner-id=my-identifier</span><span class="w"></span>
<a id="__codelineno-17-69" name="__codelineno-17-69" href="#__codelineno-17-69"></a><span class="w"> </span><span class="c1"># # uncomment below if static credentials are used </span><span class="w"></span>
<a id="__codelineno-17-70" name="__codelineno-17-70" href="#__codelineno-17-70"></a><span class="w"> </span><span class="c1"># env:</span><span class="w"></span>
<a id="__codelineno-17-71" name="__codelineno-17-71" href="#__codelineno-17-71"></a><span class="w"> </span><span class="c1"># - name: GOOGLE_APPLICATION_CREDENTIALS</span><span class="w"></span>
<a id="__codelineno-17-72" name="__codelineno-17-72" href="#__codelineno-17-72"></a><span class="w"> </span><span class="c1"># value: /etc/secrets/service-account/credentials.json</span><span class="w"></span>
<a id="__codelineno-17-73" name="__codelineno-17-73" href="#__codelineno-17-73"></a><span class="w"> </span><span class="c1"># volumeMounts:</span><span class="w"></span>
<a id="__codelineno-17-74" name="__codelineno-17-74" href="#__codelineno-17-74"></a><span class="w"> </span><span class="c1"># - name: google-service-account</span><span class="w"></span>
<a id="__codelineno-17-75" name="__codelineno-17-75" href="#__codelineno-17-75"></a><span class="w"> </span><span class="c1"># mountPath: /etc/secrets/service-account/</span><span class="w"></span>
<a id="__codelineno-17-76" name="__codelineno-17-76" href="#__codelineno-17-76"></a><span class="w"> </span><span class="c1"># volumes:</span><span class="w"></span>
<a id="__codelineno-17-77" name="__codelineno-17-77" href="#__codelineno-17-77"></a><span class="w"> </span><span class="c1"># - name: google-service-account</span><span class="w"></span>
<a id="__codelineno-17-78" name="__codelineno-17-78" href="#__codelineno-17-78"></a><span class="w"> </span><span class="c1"># secret:</span><span class="w"></span>
<a id="__codelineno-17-79" name="__codelineno-17-79" href="#__codelineno-17-79"></a><span class="w"> </span><span class="c1"># secretName: external-dns</span><span class="w"></span>
</code></pre></div>
<p>Create the deployment for ExternalDNS:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a>kubectl create --namespace <span class="s2">&quot;default&quot;</span> --filename externaldns.yaml
</code></pre></div>
<h2 id="verify-externaldns-works">Verify ExternalDNS works<a class="headerlink" href="#verify-externaldns-works" title="Permanent link">&para;</a></h2>
<p>The following will deploy a small nginx server that will be used to demonstrate that ExternalDNS is working.</p>
<h3 id="verify-using-an-external-load-balancer">Verify using an external load balancer<a class="headerlink" href="#verify-using-an-external-load-balancer" title="Permanent link">&para;</a></h3>
<p>Create the following sample application to test that ExternalDNS works. This example will provision a L4 load balancer.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span><span class="w"></span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-5" name="__codelineno-19-5" href="#__codelineno-19-5"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-6" name="__codelineno-19-6" href="#__codelineno-19-6"></a><span class="w"> </span><span class="c1"># change nginx.example.com to match an appropriate value</span><span class="w"></span>
<a id="__codelineno-19-7" name="__codelineno-19-7" href="#__codelineno-19-7"></a><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx.example.com</span><span class="w"></span>
<a id="__codelineno-19-8" name="__codelineno-19-8" href="#__codelineno-19-8"></a><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-9" name="__codelineno-19-9" href="#__codelineno-19-9"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">LoadBalancer</span><span class="w"></span>
<a id="__codelineno-19-10" name="__codelineno-19-10" href="#__codelineno-19-10"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-11" name="__codelineno-19-11" href="#__codelineno-19-11"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span><span class="w"></span>
<a id="__codelineno-19-12" name="__codelineno-19-12" href="#__codelineno-19-12"></a><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span><span class="w"></span>
<a id="__codelineno-19-13" name="__codelineno-19-13" href="#__codelineno-19-13"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-14" name="__codelineno-19-14" href="#__codelineno-19-14"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-15" name="__codelineno-19-15" href="#__codelineno-19-15"></a><span class="nn">---</span><span class="w"></span>
<a id="__codelineno-19-16" name="__codelineno-19-16" href="#__codelineno-19-16"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span><span class="w"></span>
<a id="__codelineno-19-17" name="__codelineno-19-17" href="#__codelineno-19-17"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span><span class="w"></span>
<a id="__codelineno-19-18" name="__codelineno-19-18" href="#__codelineno-19-18"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-19" name="__codelineno-19-19" href="#__codelineno-19-19"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-20" name="__codelineno-19-20" href="#__codelineno-19-20"></a><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-21" name="__codelineno-19-21" href="#__codelineno-19-21"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-22" name="__codelineno-19-22" href="#__codelineno-19-22"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-23" name="__codelineno-19-23" href="#__codelineno-19-23"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-24" name="__codelineno-19-24" href="#__codelineno-19-24"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-25" name="__codelineno-19-25" href="#__codelineno-19-25"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-26" name="__codelineno-19-26" href="#__codelineno-19-26"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-27" name="__codelineno-19-27" href="#__codelineno-19-27"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-28" name="__codelineno-19-28" href="#__codelineno-19-28"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-29" name="__codelineno-19-29" href="#__codelineno-19-29"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-30" name="__codelineno-19-30" href="#__codelineno-19-30"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-31" name="__codelineno-19-31" href="#__codelineno-19-31"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-19-32" name="__codelineno-19-32" href="#__codelineno-19-32"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-19-33" name="__codelineno-19-33" href="#__codelineno-19-33"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span><span class="w"></span>
</code></pre></div>
<p>Create the deployment and service objects:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a>kubectl create --namespace <span class="s2">&quot;default&quot;</span> --filename nginx.yaml
</code></pre></div>
<p>After roughly two minutes check that a corresponding DNS record for your service was created.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a>gcloud dns record-sets list --zone <span class="s2">&quot;example-com&quot;</span> --name <span class="s2">&quot;nginx.example.com.&quot;</span>
</code></pre></div>
<p>Example output:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a>NAME TYPE TTL DATA
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a>nginx.example.com. A 300 104.155.60.49
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a>nginx.example.com. TXT 300 &quot;heritage=external-dns,external-dns/owner=my-identifier&quot;
</code></pre></div>
<p>Note created <code>TXT</code> record alongside <code>A</code> record. <code>TXT</code> record signifies that the corresponding <code>A</code> record is managed by ExternalDNS. This makes ExternalDNS safe for running in environments where there are other records managed via other means.</p>
<p>Let&rsquo;s check that we can resolve this DNS name. We&rsquo;ll ask the nameservers assigned to your zone first.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a>dig +short @ns-cloud-e1.googledomains.com. nginx.example.com.
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="m">104</span>.155.60.49
</code></pre></div>
<p>Given you hooked up your DNS zone with its parent zone you can use <code>curl</code> to access your site.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a>curl nginx.example.com
</code></pre></div>
<h3 id="verify-using-an-ingress">Verify using an ingress<a class="headerlink" href="#verify-using-an-ingress" title="Permanent link">&para;</a></h3>
<p>Let&rsquo;s check that Ingress works as well. Create the following Ingress.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span><span class="w"></span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ingress</span><span class="w"></span>
<a id="__codelineno-25-3" name="__codelineno-25-3" href="#__codelineno-25-3"></a><span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-4" name="__codelineno-25-4" href="#__codelineno-25-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span><span class="w"></span>
<a id="__codelineno-25-5" name="__codelineno-25-5" href="#__codelineno-25-5"></a><span class="nt">spec</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-6" name="__codelineno-25-6" href="#__codelineno-25-6"></a><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-7" name="__codelineno-25-7" href="#__codelineno-25-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server.example.com</span><span class="w"></span>
<a id="__codelineno-25-8" name="__codelineno-25-8" href="#__codelineno-25-8"></a><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-9" name="__codelineno-25-9" href="#__codelineno-25-9"></a><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-10" name="__codelineno-25-10" href="#__codelineno-25-10"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span><span class="w"></span>
<a id="__codelineno-25-11" name="__codelineno-25-11" href="#__codelineno-25-11"></a><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Prefix</span><span class="w"></span>
<a id="__codelineno-25-12" name="__codelineno-25-12" href="#__codelineno-25-12"></a><span class="w"> </span><span class="nt">backend</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-13" name="__codelineno-25-13" href="#__codelineno-25-13"></a><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-14" name="__codelineno-25-14" href="#__codelineno-25-14"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx-svc</span><span class="w"></span>
<a id="__codelineno-25-15" name="__codelineno-25-15" href="#__codelineno-25-15"></a><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"></span>
<a id="__codelineno-25-16" name="__codelineno-25-16" href="#__codelineno-25-16"></a><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span><span class="w"></span>
</code></pre></div>
<p>Create the ingress objects with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a>kubectl create --namespace <span class="s2">&quot;default&quot;</span> --filename ingress.yaml
</code></pre></div>
<p>Note that this will ingress object will use the default ingress controller that comes with GKE to create a L7 load balancer in addition to the L4 load balancer previously with the service object. To use only the L7 load balancer, update the service manafest to change the Service type to <code>NodePort</code> and remove the ExternalDNS annotation.</p>
<p>After roughly two minutes check that a corresponding DNS record for your Ingress was created.</p>
<p><div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a>gcloud dns record-sets list <span class="se">\</span>
<a id="__codelineno-27-2" name="__codelineno-27-2" href="#__codelineno-27-2"></a> --zone <span class="s2">&quot;example-com&quot;</span> <span class="se">\</span>
<a id="__codelineno-27-3" name="__codelineno-27-3" href="#__codelineno-27-3"></a> --name <span class="s2">&quot;server.example.com.&quot;</span> <span class="se">\</span>
</code></pre></div><br />
Output:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a>NAME TYPE TTL DATA
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a>server.example.com. A 300 130.211.46.224
<a id="__codelineno-28-3" name="__codelineno-28-3" href="#__codelineno-28-3"></a>server.example.com. TXT 300 &quot;heritage=external-dns,external-dns/owner=my-identifier&quot;
</code></pre></div>
<p>Let&rsquo;s check that we can resolve this DNS name as well.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a>dig +short @ns-cloud-e1.googledomains.com. server.example.com.
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="m">130</span>.211.46.224
</code></pre></div>
<p>Try with <code>curl</code> as well.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a>curl server.example.com
</code></pre></div>
<h3 id="clean-up">Clean up<a class="headerlink" href="#clean-up" title="Permanent link">&para;</a></h3>
<p>Make sure to delete all Service and Ingress objects before terminating the cluster so all load balancers get cleaned up correctly.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a>kubectl delete service nginx
<a id="__codelineno-31-2" name="__codelineno-31-2" href="#__codelineno-31-2"></a>kubectl delete ingress nginx
</code></pre></div>
<p>Give ExternalDNS some time to clean up the DNS records for you. Then delete the managed zone and cluster.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a>gcloud dns managed-zones delete <span class="s2">&quot;example-com&quot;</span>
<a id="__codelineno-32-2" name="__codelineno-32-2" href="#__codelineno-32-2"></a>gcloud container clusters delete <span class="s2">&quot;external-dns&quot;</span>
</code></pre></div>
<hr>
<div class="md-source-file">
<small>
Last update:
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">June 26, 2022</span>
</small>
</div>
</article>
</div>
</div>
<a href="#" class="md-top md-icon" data-md-component="top" data-md-state="hidden">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"/></svg>
Back to top
</a>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../gateway-api/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Configuring ExternalDNS to use Gateway API Route Sources" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Configuring ExternalDNS to use Gateway API Route Sources
</div>
</div>
</a>
<a href="../gloo-proxy/" class="md-footer__link md-footer__link--next" aria-label="Next: Configuring ExternalDNS to use the Gloo Proxy Source" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Configuring ExternalDNS to use the Gloo Proxy Source
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["content.code.annotate", "navigation.top", "navigation.tracking", "navigation.indexes", "navigation.instant", "navigation.tabs", "navigation.tabs.sticky"], "search": "../../assets/javascripts/workers/search.5e67fbfe.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "version": {"provider": "mike"}}</script>
<script src="../../assets/javascripts/bundle.c44cc438.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink