external-dns/v0.18.0/docs/tutorials/gke/index.html


<!doctype html>
<html lang="en" class="no-js">
<head>
<!-- Document metadata, stylesheets and bootstrap script for one page of the generated documentation site. -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="author" content="external-dns maintainers">
<link rel="prev" href="../gke-nginx/">
<link rel="next" href="../godaddy/">
<link rel="icon" href="../../../assets/images/favicon.png">
<!-- The generator tag publishes the exact MkDocs and theme versions used to build this page. -->
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.17">
<title>GKE with default controller - external-dns</title>
<!-- Theme stylesheet: loaded from this site's own assets directory (relative URL). -->
<link rel="stylesheet" href="../../../assets/stylesheets/main.bcfcd587.min.css">
<!-- Third-party dependency: fonts are fetched from Google Fonts hosts at page load, and the stylesheet link carries no integrity attribute. NOTE(review): self-hosting the fonts would remove this external request; confirm against the theme's font settings. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<!-- Inline style and script elements follow: a Content-Security-Policy for this site has to allow them explicitly (hash or nonce) unless they are moved to external files. -->
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<!-- Bootstrap helpers: __md_scope is the site root URL resolved from "../../.."; __md_hash folds a string into an integer; __md_get reads a storage item keyed by scope pathname + "." + key and passes it to JSON.parse without a try/catch; __md_set writes the JSON-serialised value and ignores storage errors. -->
<script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr">
<!-- State checkboxes for the navigation drawer and the search overlay; label elements with for="__drawer" or for="__search" toggle them. -->
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<!-- Skip link: jumps to the in-page anchor of the article heading. -->
<div data-md-component="skip">
<a href="#gke-with-default-controller" class="md-skip">
Skip to content
</a>
</div>
<!-- Announcement and outdated-version containers: both are empty on this page, and the second carries the hidden attribute. -->
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--shadow md-header--lifted" data-md-component="header">
<!-- Site header: logo link, drawer toggle, page title, palette bootstrap script, search dialog, repository link and the top-level tab bar. -->
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="external-dns" class="md-header__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
external-dns
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
GKE with default controller
</span>
</div>
</div>
</div>
<!-- Palette bootstrap (inline script): reads the "__palette" entry through __md_get and copies each key of palette.color onto the body element as a data-md-color-* attribute. The stored values are written with setAttribute, so they are not parsed as markup. Being inline, this script needs a hash or nonce under a strict Content-Security-Policy. -->
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<!-- Search form: declares no action or method attribute. NOTE(review): queries are presumably handled client-side by the theme's search script; confirm before relying on that. -->
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<!-- External link: the project's GitHub repository. It has no target attribute, so it opens in the current tab. -->
<div class="md-header__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
</nav>
<!-- Top-level tab bar: one relative link per documentation section; the Tutorials tab carries the active class on this page. -->
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../../../charts/external-dns/" class="md-tabs__link">
Chart
</a>
</li>
<li class="md-tabs__item">
<a href="../../faq/" class="md-tabs__link">
About
</a>
</li>
<li class="md-tabs__item md-tabs__item--active">
<a href="../akamai-edgedns/" class="md-tabs__link">
Tutorials
</a>
</li>
<li class="md-tabs__item">
<a href="../../annotations/annotations/" class="md-tabs__link">
Annotations
</a>
</li>
<li class="md-tabs__item">
<a href="../../sources/about/" class="md-tabs__link">
Sources
</a>
</li>
<li class="md-tabs__item">
<a href="../../registry/registry/" class="md-tabs__link">
Registries
</a>
</li>
<li class="md-tabs__item">
<a href="../../initial-design/" class="md-tabs__link">
Advanced Topics
</a>
</li>
<li class="md-tabs__item">
<a href="../../../CONTRIBUTING/" class="md-tabs__link">
Contributing
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<!-- Primary sidebar (drawer): the site-wide navigation tree. Every link target in it is relative or an in-page fragment, except the GitHub repository link. -->
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="external-dns" class="md-nav__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
external-dns
</label>
<!-- External link: the project's GitHub repository (absolute https URL, no target attribute). -->
<div class="md-nav__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<div class="md-nav__link md-nav__container">
<a href="../../../charts/external-dns/" class="md-nav__link ">
<span class="md-ellipsis">
Chart
</span>
</a>
<label class="md-nav__link " for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Chart
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../charts/external-dns/CHANGELOG/" class="md-nav__link">
<span class="md-ellipsis">
Changelog
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
About
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
About
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../faq/" class="md-nav__link">
<span class="md-ellipsis">
FAQ
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../flags/" class="md-nav__link">
<span class="md-ellipsis">
Flags
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../20190708-external-dns-incubator/" class="md-nav__link">
<span class="md-ellipsis">
Out of Incubator
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../code-of-conduct/" class="md-nav__link">
<span class="md-ellipsis">
Code of Conduct
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../LICENSE/" class="md-nav__link">
<span class="md-ellipsis">
License
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../providers/" class="md-nav__link">
<span class="md-ellipsis">
Providers
</span>
</a>
</li>
</ul>
</nav>
</li>
<!-- Tutorials: the active section on this page; its toggle checkbox is pre-checked and its nav is marked aria-expanded="true". -->
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
<span class="md-ellipsis">
Tutorials
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../akamai-edgedns/" class="md-nav__link">
<span class="md-ellipsis">
Akamai Edge DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../alibabacloud/" class="md-nav__link">
<span class="md-ellipsis">
Alibaba Cloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-filters/" class="md-nav__link">
<span class="md-ellipsis">
AWS Filters
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-load-balancer-controller/" class="md-nav__link">
<span class="md-ellipsis">
AWS Load Balancer Controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-public-private-route53/" class="md-nav__link">
<span class="md-ellipsis">
AWS Route53 with same domain for public and private zones
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-sd/" class="md-nav__link">
<span class="md-ellipsis">
AWS Cloud Map API
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws/" class="md-nav__link">
<span class="md-ellipsis">
AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../azure-private-dns/" class="md-nav__link">
<span class="md-ellipsis">
Azure Private DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../azure/" class="md-nav__link">
<span class="md-ellipsis">
Azure DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../civo/" class="md-nav__link">
<span class="md-ellipsis">
Civo DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../cloudflare/" class="md-nav__link">
<span class="md-ellipsis">
Cloudflare DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../contour/" class="md-nav__link">
<span class="md-ellipsis">
Contour HTTPProxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../coredns/" class="md-nav__link">
<span class="md-ellipsis">
CoreDNS with minikube
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../crd/" class="md-nav__link">
<span class="md-ellipsis">
Using CRD Source for DNS Records
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../digitalocean/" class="md-nav__link">
<span class="md-ellipsis">
DigitalOcean DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../dnsimple/" class="md-nav__link">
<span class="md-ellipsis">
DNSimple
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../exoscale/" class="md-nav__link">
<span class="md-ellipsis">
Exoscale
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../externalname/" class="md-nav__link">
<span class="md-ellipsis">
ExternalName Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../gandi/" class="md-nav__link">
<span class="md-ellipsis">
Gandi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../gke-nginx/" class="md-nav__link">
<span class="md-ellipsis">
GKE with nginx-ingress-controller
</span>
</a>
</li>
<!-- Current page: this entry embeds the page's table of contents, a tree of in-page fragment links. -->
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
GKE with default controller
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
GKE with default controller
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#single-project-test-scenario-using-access-scopes" class="md-nav__link">
<span class="md-ellipsis">
Single project test scenario using access scopes
</span>
</a>
<nav class="md-nav" aria-label="Single project test scenario using access scopes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-project-environment" class="md-nav__link">
<span class="md-ellipsis">
Configure Project Environment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-gke-cluster" class="md-nav__link">
<span class="md-ellipsis">
Create GKE Cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#cloud-dns-zone" class="md-nav__link">
<span class="md-ellipsis">
Cloud DNS Zone
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cross-project-access-scenario-using-google-service-account" class="md-nav__link">
<span class="md-ellipsis">
Cross project access scenario using Google Service Account
</span>
</a>
<nav class="md-nav" aria-label="Cross project access scenario using Google Service Account">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#setup-cloud-dns-and-gke" class="md-nav__link">
<span class="md-ellipsis">
Setup Cloud DNS and GKE
</span>
</a>
<nav class="md-nav" aria-label="Setup Cloud DNS and GKE">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#configure-projects" class="md-nav__link">
<span class="md-ellipsis">
Configure Projects
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-cloud-dns" class="md-nav__link">
<span class="md-ellipsis">
Provisioning Cloud DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-a-gke-cluster-for-cross-project-access" class="md-nav__link">
<span class="md-ellipsis">
Provisioning a GKE cluster for cross project access
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#workload-identity" class="md-nav__link">
<span class="md-ellipsis">
Workload Identity
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#worker-node-service-account-method" class="md-nav__link">
<span class="md-ellipsis">
Worker Node Service Account method
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Static Credentials
</span>
</a>
<nav class="md-nav" aria-label="Static Credentials">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-gsa-for-use-with-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create GSA for use with static credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-kubernetes-secret-using-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create Kubernetes secret using static credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-external-dns" class="md-nav__link">
<span class="md-ellipsis">
Deploy External DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#update-externaldns-pods" class="md-nav__link">
<span class="md-ellipsis">
Update ExternalDNS pods
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works" class="md-nav__link">
<span class="md-ellipsis">
Verify ExternalDNS works
</span>
</a>
<nav class="md-nav" aria-label="Verify ExternalDNS works">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#verify-using-an-external-load-balancer" class="md-nav__link">
<span class="md-ellipsis">
Verify using an external load balancer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#verify-using-an-ingress" class="md-nav__link">
<span class="md-ellipsis">
Verify using an ingress
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#clean-up" class="md-nav__link">
<span class="md-ellipsis">
Clean up
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../godaddy/" class="md-nav__link">
<span class="md-ellipsis">
GoDaddy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hostport/" class="md-nav__link">
<span class="md-ellipsis">
Headless Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ionoscloud/" class="md-nav__link">
<span class="md-ellipsis">
IONOS Cloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kops-dns-controller/" class="md-nav__link">
<span class="md-ellipsis">
kOps dns-controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kube-ingress-aws/" class="md-nav__link">
<span class="md-ellipsis">
kube-ingress-aws-controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../linode/" class="md-nav__link">
<span class="md-ellipsis">
Linode
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ns1/" class="md-nav__link">
<span class="md-ellipsis">
NS1
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../oracle/" class="md-nav__link">
<span class="md-ellipsis">
Oracle Cloud Infrastructure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ovh/" class="md-nav__link">
<span class="md-ellipsis">
OVHcloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pdns/" class="md-nav__link">
<span class="md-ellipsis">
PowerDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pihole/" class="md-nav__link">
<span class="md-ellipsis">
Pi-hole
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../plural/" class="md-nav__link">
<span class="md-ellipsis">
Plural
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../rfc2136/" class="md-nav__link">
<span class="md-ellipsis">
RFC2136 provider
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../scaleway/" class="md-nav__link">
<span class="md-ellipsis">
Scaleway
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../security-context/" class="md-nav__link">
<span class="md-ellipsis">
Running ExternalDNS with limited privileges
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../transip/" class="md-nav__link">
<span class="md-ellipsis">
TransIP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../webhook-provider/" class="md-nav__link">
<span class="md-ellipsis">
Webhook provider
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Annotations
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Annotations
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../annotations/annotations/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Sources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Sources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../sources/about/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/crd/" class="md-nav__link">
<span class="md-ellipsis">
CRD Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/f5-transportserver/" class="md-nav__link">
<span class="md-ellipsis">
F5 Networks TransportServer Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/f5-virtualserver/" class="md-nav__link">
<span class="md-ellipsis">
F5 Networks VirtualServer Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gateway-api/" class="md-nav__link">
<span class="md-ellipsis">
Gateway API Route Sources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gateway/" class="md-nav__link">
<span class="md-ellipsis">
Gateway sources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gloo-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Gloo Proxy Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/ingress/" class="md-nav__link">
<span class="md-ellipsis">
Ingress source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/istio/" class="md-nav__link">
<span class="md-ellipsis">
Istio Gateway / Virtual Service Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/kong/" class="md-nav__link">
<span class="md-ellipsis">
Kong TCPIngress Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/mx-record/" class="md-nav__link">
<span class="md-ellipsis">
MX record with CRD source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/nodes/" class="md-nav__link">
<span class="md-ellipsis">
Cluster Nodes as Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/ns-record/" class="md-nav__link">
<span class="md-ellipsis">
NS record with CRD source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/openshift/" class="md-nav__link">
<span class="md-ellipsis">
OpenShift Route Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/pod/" class="md-nav__link">
<span class="md-ellipsis">
Pod Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/service/" class="md-nav__link">
<span class="md-ellipsis">
Service source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/traefik-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Traefik Proxy Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/txt-record/" class="md-nav__link">
<span class="md-ellipsis">
Creating TXT record with CRD source
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Registries
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Registries
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../registry/registry/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../registry/txt/" class="md-nav__link">
<span class="md-ellipsis">
TXT
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../registry/dynamodb/" class="md-nav__link">
<span class="md-ellipsis">
DynamoDB
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Advanced Topics
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Advanced Topics
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../initial-design/" class="md-nav__link">
<span class="md-ellipsis">
Initial Design
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../proposal/001-leader-election/" class="md-nav__link">
<span class="md-ellipsis">
Leader Election
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8_3" >
<div class="md-nav__link md-nav__container">
<a href="../../monitoring/" class="md-nav__link ">
<span class="md-ellipsis">
Monitoring
</span>
</a>
<label class="md-nav__link " for="__nav_8_3" id="__nav_8_3_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_8_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8_3">
<span class="md-nav__icon md-icon"></span>
Monitoring
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../monitoring/metrics/" class="md-nav__link">
<span class="md-ellipsis">
Available Metrics
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../proposal/multi-target/" class="md-nav__link">
<span class="md-ellipsis">
MultiTarget
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/nat64/" class="md-nav__link">
<span class="md-ellipsis">
NAT64
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/rate-limits/" class="md-nav__link">
<span class="md-ellipsis">
Rate Limits
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/ttl/" class="md-nav__link">
<span class="md-ellipsis">
TTL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/fqdn-templating/" class="md-nav__link">
<span class="md-ellipsis">
FQDN Templating
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8_9" >
<label class="md-nav__link" for="__nav_8_9" id="__nav_8_9_label" tabindex="0">
<span class="md-ellipsis">
Decisions
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_8_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8_9">
<span class="md-nav__icon md-icon"></span>
Decisions
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../proposal/002-internal-ipv6-handling-rollback/" class="md-nav__link">
<span class="md-ellipsis">
002 internal ipv6 handling rollback
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../proposal/003-dnsendpoint-graduation-to-beta/" class="md-nav__link">
<span class="md-ellipsis">
003 dnsendpoint graduation to beta
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<div class="md-nav__link md-nav__container">
<a href="../../contributing/" class="md-nav__link ">
<span class="md-ellipsis">
Contributing
</span>
</a>
<label class="md-nav__link " for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Contributions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../release/" class="md-nav__link">
<span class="md-ellipsis">
Release
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../deprecation/" class="md-nav__link">
<span class="md-ellipsis">
Deprecation Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/chart/" class="md-nav__link">
<span class="md-ellipsis">
Helm Chart
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/design/" class="md-nav__link">
<span class="md-ellipsis">
Design
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/dev-guide/" class="md-nav__link">
<span class="md-ellipsis">
Developer Reference
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/sources-and-providers/" class="md-nav__link">
<span class="md-ellipsis">
Sources and Providers
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="gke-with-default-controller">GKE with default controller<a class="headerlink" href="#gke-with-default-controller" title="Permanent link">&para;</a></h1>
<p>This tutorial describes how to set up ExternalDNS for usage within a <a href="https://cloud.google.com/kubernetes-engine">GKE</a> (<a href="https://cloud.google.com/kubernetes-engine">Google Kubernetes Engine</a>) cluster. Make sure to use version <strong>&gt;=0.11.0</strong> of ExternalDNS for this tutorial.</p>
<h2 id="single-project-test-scenario-using-access-scopes">Single project test scenario using access scopes<a class="headerlink" href="#single-project-test-scenario-using-access-scopes" title="Permanent link">&para;</a></h2>
<p><em>If you prefer to try out ExternalDNS in one of your existing environments, you can skip this step.</em></p>
<p>The following instructions use <a href="https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam">access scopes</a> to provide ExternalDNS<br />
with the permissions it needs to manage DNS records within a single <a href="https://cloud.google.com/docs/overview#projects">project</a>, the organizing entity to allocate resources.</p>
<p>Note that since these permissions are associated with the instance, all pods in the cluster will also have these permissions. As such, this approach is not suitable for anything but testing environments.</p>
<p>This solution will only work when both CloudDNS and GKE are provisioned in the same project. If the CloudDNS zone is in a different project, this solution will not work.</p>
<h3 id="configure-project-environment">Configure Project Environment<a class="headerlink" href="#configure-project-environment" title="Permanent link">&para;</a></h3>
<p>Set up your environment to work with Google Cloud Platform. Fill in your variables as needed, e.g. target project.</p>
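<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="c1"># set variables to the appropriate desired values</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="nv">PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-external-dns-test&quot;</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="nv">REGION</span><span class="o">=</span><span class="s2">&quot;europe-west1&quot;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="nv">ZONE</span><span class="o">=</span><span class="s2">&quot;europe-west1-d&quot;</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="nv">CLOUD_BILLING_ACCOUNT</span><span class="o">=</span><span class="s2">&quot;&lt;my-cloud-billing-account&gt;&quot;</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="c1"># set default settings for project</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a>gcloud<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>project<span class="w"> </span><span class="nv">$PROJECT_ID</span>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a>gcloud<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>compute/region<span class="w"> </span><span class="nv">$REGION</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a>gcloud<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>compute/zone<span class="w"> </span><span class="nv">$ZONE</span>
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="c1"># link the billing account set above and enable the APIs, if not done already</span>
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a>gcloud<span class="w"> </span>beta<span class="w"> </span>billing<span class="w"> </span>projects<span class="w"> </span>link<span class="w"> </span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w"> </span>--billing-account<span class="w"> </span><span class="nv">$CLOUD_BILLING_ACCOUNT</span>
<a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a>gcloud<span class="w"> </span>services<span class="w"> </span><span class="nb">enable</span><span class="w"> </span><span class="s2">&quot;dns.googleapis.com&quot;</span>
<a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a>gcloud<span class="w"> </span>services<span class="w"> </span><span class="nb">enable</span><span class="w"> </span><span class="s2">&quot;container.googleapis.com&quot;</span>
</code></pre></div>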
<h3 id="create-gke-cluster">Create GKE Cluster<a class="headerlink" href="#create-gke-cluster" title="Permanent link">&para;</a></h3>
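<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="c1"># name of the test cluster; set to the desired value</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="nv">GKE_CLUSTER_NAME</span><span class="o">=</span><span class="s2">&quot;my-external-dns-cluster&quot;</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="c1"># the Cloud DNS read/write access scope is attached to the nodes, so every pod in the cluster gets it</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>create<span class="w"> </span><span class="nv">$GKE_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="w"> </span>--num-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="w"> </span>--scopes<span class="w"> </span><span class="s2">&quot;https://www.googleapis.com/auth/ndev.clouddns.readwrite&quot;</span>
</code></pre></div>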
<blockquote>
<p><strong>Warning:</strong><br />
Note that this cluster will use the default <a href="https://cloud.google.com/compute/docs/access/service-accounts#default_service_account">compute engine GSA</a> that contains the overly permissive project editor (<code>roles/editor</code>) role.<br />
So essentially, anything running on the cluster could potentially obtain escalated privileges.<br />
Also, as mentioned earlier, the access scope <code>ndev.clouddns.readwrite</code> will allow anything running on the cluster to have read/write permissions on all Cloud DNS zones within the same project.</p>
</blockquote>
<h3 id="cloud-dns-zone">Cloud DNS Zone<a class="headerlink" href="#cloud-dns-zone" title="Permanent link">&para;</a></h3>
<p>Create a DNS zone which will contain the managed DNS records.<br />
If you are using your own domain that was registered with a third-party domain registrar, you should point your domain&rsquo;s name servers to the values under the <code>nameServers</code> key.<br />
Please consult your registrar&rsquo;s documentation on how to do that. This tutorial uses the example domain <code>example.com</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>managed-zones<span class="w"> </span>create<span class="w"> </span><span class="s2">&quot;example-com&quot;</span><span class="w"> </span>--dns-name<span class="w"> </span><span class="s2">&quot;example.com.&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="w"> </span>--description<span class="w"> </span><span class="s2">&quot;Automatically managed zone by kubernetes.io/external-dns&quot;</span>
</code></pre></div>
<p>Make a note of the nameservers that were assigned to your new zone.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>record-sets<span class="w"> </span>list<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="w"> </span>--zone<span class="w"> </span><span class="s2">&quot;example-com&quot;</span><span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;example.com.&quot;</span><span class="w"> </span>--type<span class="w"> </span>NS
</code></pre></div>
<p>Outputs:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a>NAME<span class="w"> </span>TYPE<span class="w"> </span>TTL<span class="w"> </span>DATA
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a>example.com.<span class="w"> </span>NS<span class="w"> </span><span class="m">21600</span><span class="w"> </span>ns-cloud-e1.googledomains.com.,ns-cloud-e2.googledomains.com.,ns-cloud-e3.googledomains.com.,ns-cloud-e4.googledomains.com.
</code></pre></div>
<p>In this case it&rsquo;s <code>ns-cloud-{e1-e4}.googledomains.com.</code> but yours could differ slightly, e.g. <code>{a1-a4}</code>, <code>{b1-b4}</code> etc.</p>
<h2 id="cross-project-access-scenario-using-google-service-account">Cross project access scenario using Google Service Account<a class="headerlink" href="#cross-project-access-scenario-using-google-service-account" title="Permanent link">&para;</a></h2>
<p>More often, following best practices with regard to security and operations, Cloud DNS zones will be managed in a separate project from the Kubernetes cluster.<br />
This section shows how to set up ExternalDNS to access Cloud DNS from a different project. These steps will also work for single project scenarios.</p>
<p>ExternalDNS will need permissions to make changes to the Cloud DNS zone. There are three ways to configure the access needed:</p>
<ul>
<li><a href="#worker-node-service-account-method">Worker Node Service Account</a></li>
<li><a href="#static-credentials">Static Credentials</a></li>
<li><a href="#workload-identity">Workload Identity</a></li>
</ul>
<h3 id="setup-cloud-dns-and-gke">Setup Cloud DNS and GKE<a class="headerlink" href="#setup-cloud-dns-and-gke" title="Permanent link">&para;</a></h3>
<p>Below are examples of how you can configure Cloud DNS and GKE in separate projects, and then use one of the three methods to grant access to ExternalDNS. Replace the values of the environment variables with ones that make sense in your environment.</p>
<h4 id="configure-projects">Configure Projects<a class="headerlink" href="#configure-projects" title="Permanent link">&para;</a></h4>
<p>For this process, create projects with the appropriate APIs enabled.</p>
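<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c1"># set variables to appropriate desired values</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="nv">GKE_PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-workload-project&quot;</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="nv">DNS_PROJECT_ID</span><span class="o">=</span><span class="s2">&quot;my-cloud-dns-project&quot;</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="nv">CLOUD_BILLING_ACCOUNT</span><span class="o">=</span><span class="s2">&quot;&lt;my-cloud-billing-account&gt;&quot;</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="c1"># link billing to the DNS project and enable the Cloud DNS API, if not done already</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a>gcloud<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>project<span class="w"> </span><span class="nv">$DNS_PROJECT_ID</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a>gcloud<span class="w"> </span>beta<span class="w"> </span>billing<span class="w"> </span>projects<span class="w"> </span>link<span class="w"> </span><span class="nv">$DNS_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a><span class="w"> </span>--billing-account<span class="w"> </span><span class="nv">$CLOUD_BILLING_ACCOUNT</span>
<a id="__codelineno-5-9" name="__codelineno-5-9" href="#__codelineno-5-9"></a>gcloud<span class="w"> </span>services<span class="w"> </span><span class="nb">enable</span><span class="w"> </span><span class="s2">&quot;dns.googleapis.com&quot;</span>
<a id="__codelineno-5-10" name="__codelineno-5-10" href="#__codelineno-5-10"></a><span class="c1"># link billing to the GKE project and enable the GKE API, if not done already</span>
<a id="__codelineno-5-11" name="__codelineno-5-11" href="#__codelineno-5-11"></a>gcloud<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>project<span class="w"> </span><span class="nv">$GKE_PROJECT_ID</span>
<a id="__codelineno-5-12" name="__codelineno-5-12" href="#__codelineno-5-12"></a>gcloud<span class="w"> </span>beta<span class="w"> </span>billing<span class="w"> </span>projects<span class="w"> </span>link<span class="w"> </span><span class="nv">$GKE_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-5-13" name="__codelineno-5-13" href="#__codelineno-5-13"></a><span class="w"> </span>--billing-account<span class="w"> </span><span class="nv">$CLOUD_BILLING_ACCOUNT</span>
<a id="__codelineno-5-14" name="__codelineno-5-14" href="#__codelineno-5-14"></a>gcloud<span class="w"> </span>services<span class="w"> </span><span class="nb">enable</span><span class="w"> </span><span class="s2">&quot;container.googleapis.com&quot;</span>
</code></pre></div>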
<h4 id="provisioning-cloud-dns">Provisioning Cloud DNS<a class="headerlink" href="#provisioning-cloud-dns" title="Permanent link">&para;</a></h4>
<p>Create a Cloud DNS zone in the designated DNS project.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>managed-zones<span class="w"> </span>create<span class="w"> </span><span class="s2">&quot;example-com&quot;</span><span class="w"> </span>--project<span class="w"> </span><span class="nv">$DNS_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="w"> </span>--description<span class="w"> </span><span class="s2">&quot;example.com&quot;</span><span class="w"> </span>--dns-name<span class="o">=</span><span class="s2">&quot;example.com.&quot;</span><span class="w"> </span>--visibility<span class="o">=</span>public
</code></pre></div>
<p>If using your own domain that was registered with a third-party domain registrar, you should point your domain&rsquo;s name servers to the values under the <code>nameServers</code> key. Please consult your registrar&rsquo;s documentation on how to do that. The example domain of <code>example.com</code> will be used for this tutorial.</p>
<h4 id="provisioning-a-gke-cluster-for-cross-project-access">Provisioning a GKE cluster for cross project access<a class="headerlink" href="#provisioning-a-gke-cluster-for-cross-project-access" title="Permanent link">&para;</a></h4>
<p>Create a GSA (Google Service Account) and grant it the <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa">minimal set of privileges required</a> for GKE nodes:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="nv">GKE_CLUSTER_NAME</span><span class="o">=</span><span class="s2">&quot;my-external-dns-cluster&quot;</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="nv">GKE_REGION</span><span class="o">=</span><span class="s2">&quot;us-central1&quot;</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="nv">GKE_SA_NAME</span><span class="o">=</span><span class="s2">&quot;worker-nodes-sa&quot;</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="nv">GKE_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$GKE_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="nv">ROLES</span><span class="o">=(</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="w"> </span>roles/logging.logWriter
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="w"> </span>roles/monitoring.metricWriter
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a><span class="w"> </span>roles/monitoring.viewer
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a><span class="w"> </span>roles/stackdriver.resourceMetadata.writer
<a id="__codelineno-7-11" name="__codelineno-7-11" href="#__codelineno-7-11"></a><span class="o">)</span>
<a id="__codelineno-7-12" name="__codelineno-7-12" href="#__codelineno-7-12"></a>
<a id="__codelineno-7-13" name="__codelineno-7-13" href="#__codelineno-7-13"></a>gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>create<span class="w"> </span><span class="nv">$GKE_SA_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-7-14" name="__codelineno-7-14" href="#__codelineno-7-14"></a><span class="w"> </span>--display-name<span class="w"> </span><span class="nv">$GKE_SA_NAME</span><span class="w"> </span>--project<span class="w"> </span><span class="nv">$GKE_PROJECT_ID</span>
<a id="__codelineno-7-15" name="__codelineno-7-15" href="#__codelineno-7-15"></a>
<a id="__codelineno-7-16" name="__codelineno-7-16" href="#__codelineno-7-16"></a><span class="c1"># assign google service account to roles in GKE project</span>
<a id="__codelineno-7-17" name="__codelineno-7-17" href="#__codelineno-7-17"></a><span class="k">for</span><span class="w"> </span>ROLE<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="si">${</span><span class="nv">ROLES</span><span class="p">[*]</span><span class="si">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<a id="__codelineno-7-18" name="__codelineno-7-18" href="#__codelineno-7-18"></a><span class="w"> </span>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="nv">$GKE_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-7-19" name="__codelineno-7-19" href="#__codelineno-7-19"></a><span class="w"> </span>--member<span class="w"> </span><span class="s2">&quot;serviceAccount:</span><span class="nv">$GKE_SA_EMAIL</span><span class="s2">&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-7-20" name="__codelineno-7-20" href="#__codelineno-7-20"></a><span class="w"> </span>--role<span class="w"> </span><span class="nv">$ROLE</span>
<a id="__codelineno-7-21" name="__codelineno-7-21" href="#__codelineno-7-21"></a><span class="k">done</span>
</code></pre></div>
<p>Create a cluster using this service account and enable <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">workload identity</a>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>create<span class="w"> </span><span class="nv">$GKE_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="w"> </span>--project<span class="w"> </span><span class="nv">$GKE_PROJECT_ID</span><span class="w"> </span>--region<span class="w"> </span><span class="nv">$GKE_REGION</span><span class="w"> </span>--num-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="w"> </span>--service-account<span class="w"> </span><span class="s2">&quot;</span><span class="nv">$GKE_SA_EMAIL</span><span class="s2">&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="w"> </span>--workload-pool<span class="w"> </span><span class="s2">&quot;</span><span class="nv">$GKE_PROJECT_ID</span><span class="s2">.svc.id.goog&quot;</span>
</code></pre></div>
<h3 id="workload-identity">Workload Identity<a class="headerlink" href="#workload-identity" title="Permanent link">&para;</a></h3>
<p><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Workload Identity</a> allows workloads in your GKE cluster to <a href="https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#credential-flow">authenticate directly to GCP</a> using Kubernetes Service Accounts.</p>
<p>You can choose between using the gcloud CLI and using Terraform.</p>
<div class="tabbed-set tabbed-alternate" data-tabs="1:2"><input checked="checked" id="__tabbed_1_1" name="__tabbed_1" type="radio" /><input id="__tabbed_1_2" name="__tabbed_1" type="radio" /><div class="tabbed-labels"><label for="__tabbed_1_1">gcloud CLI</label><label for="__tabbed_1_2">Terraform</label></div>
<div class="tabbed-content">
<div class="tabbed-block">
<p>The below instructions assume you are using the default Kubernetes Service account name of <code>external-dns</code> in the namespace <code>external-dns</code></p>
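<p>Grant the Kubernetes service account the <code>roles/dns.admin</code> role at project level. Note that a project-level binding applies to every Cloud DNS zone in the DNS project, not only the zone used in this tutorial.</p>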
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span>projects/DNS_PROJECT_ID<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="w"> </span>--role<span class="o">=</span>roles/dns.admin<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="w"> </span>--member<span class="o">=</span>principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/external-dns/sa/external-dns<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a><span class="w"> </span>--condition<span class="o">=</span>None
</code></pre></div>
<p>Replace the following:</p>
<ul>
<li><code>DNS_PROJECT_ID</code> : Project ID of your DNS project. If DNS is in the same project as your GKE cluster, use your GKE project.</li>
<li><code>PROJECT_ID</code>: the Google Cloud project ID of your GKE cluster</li>
<li><code>PROJECT_NUMBER</code>: the numerical Google Cloud project number of your GKE cluster</li>
</ul>
<p>If you wish to change the namespace, replace</p>
<ul>
<li><code>ns/external-dns</code> with <code>ns/&lt;your namespace&gt;</code></li>
<li><code>sa/external-dns</code> with <code>sa/&lt;your ksa&gt;</code></li>
</ul>
</div>
<div class="tabbed-block">
<p>The below instructions assume you are using the default Kubernetes Service account name of <code>external-dns</code> in the namespace <code>external-dns</code></p>
<p>Create a file called <code>main.tf</code> and place the content below in it. <em>Note: If you&rsquo;re an experienced Terraform user, feel free to split it into different files.</em></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="kr">variable</span><span class="w"> </span><span class="nv">&quot;gke-project&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="w"> </span><span class="na">type</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">string</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="w"> </span><span class="na">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Name of the project that the GKE cluster exists in&quot;</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="w"> </span><span class="na">default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;GKE-PROJECT&quot;</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="p">}</span>
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a>
<a id="__codelineno-10-7" name="__codelineno-10-7" href="#__codelineno-10-7"></a><span class="kr">variable</span><span class="w"> </span><span class="nv">&quot;ksa_name&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-8" name="__codelineno-10-8" href="#__codelineno-10-8"></a><span class="w"> </span><span class="na">type</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">string</span>
<a id="__codelineno-10-9" name="__codelineno-10-9" href="#__codelineno-10-9"></a><span class="w"> </span><span class="na">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Name of the Kubernetes service account that will be accessing the DNS Zones&quot;</span>
<a id="__codelineno-10-10" name="__codelineno-10-10" href="#__codelineno-10-10"></a><span class="w"> </span><span class="na">default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;external-dns&quot;</span>
<a id="__codelineno-10-11" name="__codelineno-10-11" href="#__codelineno-10-11"></a><span class="p">}</span>
<a id="__codelineno-10-12" name="__codelineno-10-12" href="#__codelineno-10-12"></a>
<a id="__codelineno-10-13" name="__codelineno-10-13" href="#__codelineno-10-13"></a><span class="kr">variable</span><span class="w"> </span><span class="nv">&quot;kns_name&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-14" name="__codelineno-10-14" href="#__codelineno-10-14"></a><span class="w"> </span><span class="na">type</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">string</span>
<a id="__codelineno-10-15" name="__codelineno-10-15" href="#__codelineno-10-15"></a><span class="w"> </span><span class="na">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Name of the Kubernetes Namespace&quot;</span>
<a id="__codelineno-10-16" name="__codelineno-10-16" href="#__codelineno-10-16"></a><span class="w"> </span><span class="na">default</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;external-dns&quot;</span>
<a id="__codelineno-10-17" name="__codelineno-10-17" href="#__codelineno-10-17"></a><span class="p">}</span>
<a id="__codelineno-10-18" name="__codelineno-10-18" href="#__codelineno-10-18"></a>
<a id="__codelineno-10-19" name="__codelineno-10-19" href="#__codelineno-10-19"></a><span class="kr">data</span><span class="w"> </span><span class="nc">&quot;google_project&quot;</span><span class="w"> </span><span class="nv">&quot;project&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-20" name="__codelineno-10-20" href="#__codelineno-10-20"></a><span class="w"> </span><span class="na">project_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">var.gke-project</span>
<a id="__codelineno-10-21" name="__codelineno-10-21" href="#__codelineno-10-21"></a><span class="p">}</span>
<a id="__codelineno-10-22" name="__codelineno-10-22" href="#__codelineno-10-22"></a>
<a id="__codelineno-10-23" name="__codelineno-10-23" href="#__codelineno-10-23"></a><span class="nb">locals</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-24" name="__codelineno-10-24" href="#__codelineno-10-24"></a><span class="w"> </span><span class="na">member</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.gke-project}.svc.id.goog/subject/ns/${var.kns_name}/sa/${var.ksa_name}&quot;</span>
<a id="__codelineno-10-25" name="__codelineno-10-25" href="#__codelineno-10-25"></a><span class="p">}</span>
<a id="__codelineno-10-26" name="__codelineno-10-26" href="#__codelineno-10-26"></a>
<a id="__codelineno-10-27" name="__codelineno-10-27" href="#__codelineno-10-27"></a><span class="kr">resource</span><span class="w"> </span><span class="nc">&quot;google_project_iam_member&quot;</span><span class="w"> </span><span class="nv">&quot;external_dns&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-28" name="__codelineno-10-28" href="#__codelineno-10-28"></a><span class="w"> </span><span class="na">member</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">local.member</span>
<a id="__codelineno-10-29" name="__codelineno-10-29" href="#__codelineno-10-29"></a><span class="w"> </span><span class="na">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DNS-PROJECT&quot;</span>
<a id="__codelineno-10-30" name="__codelineno-10-30" href="#__codelineno-10-30"></a><span class="w"> </span><span class="na">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;roles/dns.reader&quot;</span>
<a id="__codelineno-10-31" name="__codelineno-10-31" href="#__codelineno-10-31"></a><span class="p">}</span>
<a id="__codelineno-10-32" name="__codelineno-10-32" href="#__codelineno-10-32"></a>
<a id="__codelineno-10-33" name="__codelineno-10-33" href="#__codelineno-10-33"></a><span class="kr">resource</span><span class="w"> </span><span class="nc">&quot;google_dns_managed_zone_iam_member&quot;</span><span class="w"> </span><span class="nv">&quot;member&quot;</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-10-34" name="__codelineno-10-34" href="#__codelineno-10-34"></a><span class="w"> </span><span class="na">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DNS-PROJECT&quot;</span>
<a id="__codelineno-10-35" name="__codelineno-10-35" href="#__codelineno-10-35"></a><span class="w"> </span><span class="na">managed_zone</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ZONE-NAME&quot;</span>
<a id="__codelineno-10-36" name="__codelineno-10-36" href="#__codelineno-10-36"></a><span class="w"> </span><span class="na">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;roles/dns.admin&quot;</span>
<a id="__codelineno-10-37" name="__codelineno-10-37" href="#__codelineno-10-37"></a><span class="w"> </span><span class="na">member</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">local.member</span>
<a id="__codelineno-10-38" name="__codelineno-10-38" href="#__codelineno-10-38"></a><span class="p">}</span>
</code></pre></div>
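<p>Replace the following placeholders. Note that the configuration grants read-only access (<code>roles/dns.reader</code>) on the DNS project and write access (<code>roles/dns.admin</code>) only on the named managed zone.</p>
<ul>
<li><code>GKE-PROJECT</code> : Project that contains your GKE cluster</li>
<li><code>DNS-PROJECT</code> : Project that holds your DNS zones</li>
<li><code>ZONE-NAME</code> : Name of the Cloud DNS managed zone that ExternalDNS should be allowed to modify</li>
</ul>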
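<p>You can also change the following variables if you plan to use a different service account name and namespace. Together they form the Workload Identity principal that receives the DNS roles, so they must match the service account and namespace that ExternalDNS actually runs with.</p>
<ul>
<li><code>variable "ksa_name"</code> : Name of the Kubernetes service account external-dns will use</li>
<li><code>variable "kns_name"</code> : Name of the Kubernetes namespace that external-dns will be installed in</li>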
</ul>
</div>
</div>
</div>
<h3 id="worker-node-service-account-method">Worker Node Service Account method<a class="headerlink" href="#worker-node-service-account-method" title="Permanent link">&para;</a></h3>
<p>In this method, the GSA (Google Service Account) that is associated with GKE worker nodes will be configured to have access to Cloud DNS.</p>
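<p><strong>WARNING</strong>: This grants every container running on the cluster, not just ExternalDNS, permission to modify Cloud DNS zone records, so use this option with caution. Because the binding below is made on the DNS project itself with <code>roles/dns.admin</code>, it covers every zone in that project. This is not recommended for production environments.</p>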
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="nv">GKE_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$GKE_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="c1"># assign google service account to dns.admin role in the cloud dns project</span>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="nv">$DNS_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-11-5" name="__codelineno-11-5" href="#__codelineno-11-5"></a><span class="w"> </span>--member<span class="w"> </span>serviceAccount:<span class="nv">$GKE_SA_EMAIL</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-11-6" name="__codelineno-11-6" href="#__codelineno-11-6"></a><span class="w"> </span>--role<span class="w"> </span>roles/dns.admin
</code></pre></div>
<p>After this, follow the steps in <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Make sure to set the <code>--google-project</code> flag to match the Cloud DNS project name.</p>
<h3 id="static-credentials">Static Credentials<a class="headerlink" href="#static-credentials" title="Permanent link">&para;</a></h3>
<p>In this scenario, a new GSA (Google Service Account) is created that has access to the CloudDNS zone. The credentials for this GSA are saved and installed as a Kubernetes secret that will be used by ExternalDNS.</p>
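<p>This allows only containers that have access to the secret, such as ExternalDNS, to update records on the Cloud DNS zone. Anyone who can read the secret, or the key file it is created from, holds the same access, so restrict who can read secrets in that namespace.</p>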
<h4 id="create-gsa-for-use-with-static-credentials">Create GSA for use with static credentials<a class="headerlink" href="#create-gsa-for-use-with-static-credentials" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="nv">DNS_SA_NAME</span><span class="o">=</span><span class="s2">&quot;external-dns-sa&quot;</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="nv">DNS_SA_EMAIL</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$DNS_SA_NAME</span><span class="s2">@</span><span class="si">${</span><span class="nv">GKE_PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com&quot;</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="c1"># create GSA used to access the Cloud DNS zone</span>
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a>gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>create<span class="w"> </span><span class="nv">$DNS_SA_NAME</span><span class="w"> </span>--display-name<span class="w"> </span><span class="nv">$DNS_SA_NAME</span>
<a id="__codelineno-12-6" name="__codelineno-12-6" href="#__codelineno-12-6"></a>
<a id="__codelineno-12-7" name="__codelineno-12-7" href="#__codelineno-12-7"></a><span class="c1"># assign google service account to dns.admin role in cloud-dns project</span>
<a id="__codelineno-12-8" name="__codelineno-12-8" href="#__codelineno-12-8"></a>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="nv">$DNS_PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-12-9" name="__codelineno-12-9" href="#__codelineno-12-9"></a><span class="w"> </span>--member<span class="w"> </span>serviceAccount:<span class="nv">$DNS_SA_EMAIL</span><span class="w"> </span>--role<span class="w"> </span><span class="s2">&quot;roles/dns.admin&quot;</span>
</code></pre></div>
<h4 id="create-kubernetes-secret-using-static-credentials">Create Kubernetes secret using static credentials<a class="headerlink" href="#create-kubernetes-secret-using-static-credentials" title="Permanent link">&para;</a></h4>
<p>Generate static credentials from the ExternalDNS GSA.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="c1"># download static credentials</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a>gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>keys<span class="w"> </span>create<span class="w"> </span>/local/path/to/credentials.json<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="w"> </span>--iam-account<span class="w"> </span><span class="nv">$DNS_SA_EMAIL</span>
</code></pre></div>
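<p>Create a Kubernetes secret with the credentials in the same namespace as ExternalDNS. The downloaded key file is a long-lived credential for the GSA: keep it out of version control and delete the local copy once the secret has been created.</p>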
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="w"> </span>--from-file<span class="w"> </span>/local/path/to/credentials.json
</code></pre></div>
<p>After this, follow the steps in <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Make sure to set the <code>--google-project</code> flag to match the Cloud DNS project name, and uncomment the section of the manifest that mounts the secret into the ExternalDNS pods.</p>
<h4 id="deploy-external-dns">Deploy External DNS<a class="headerlink" href="#deploy-external-dns" title="Permanent link">&para;</a></h4>
<p>Deploy ExternalDNS using the steps documented under <a href="#deploy-externaldns">Deploy ExternalDNS</a>. Set the <code>--google-project</code> flag to the Cloud DNS project name.</p>
<h4 id="update-externaldns-pods">Update ExternalDNS pods<a class="headerlink" href="#update-externaldns-pods" title="Permanent link">&para;</a></h4>
<div class="admonition note">
<p class="admonition-title">Only required if not enabled on all nodes</p>
<p>If you have GKE Workload Identity enabled on all nodes in your cluster, the step below is not necessary.</p>
</div>
<p>Update the Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a>kubectl<span class="w"> </span>patch<span class="w"> </span>deployment<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="w"> </span>--patch<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="w"> </span><span class="s1">&#39;{&quot;spec&quot;: {&quot;template&quot;: {&quot;spec&quot;: {&quot;nodeSelector&quot;: {&quot;iam.gke.io/gke-metadata-server-enabled&quot;: &quot;true&quot;}}}}}&#39;</span>
</code></pre></div>
<p>After all of these steps you may see several messages with <code>googleapi: Error 403: Forbidden, forbidden</code>. After several minutes when the token is refreshed, these error messages will go away, and you should see info messages, such as: <code>All records are already up to date</code>.</p>
<h2 id="deploy-externaldns">Deploy ExternalDNS<a class="headerlink" href="#deploy-externaldns" title="Permanent link">&para;</a></h2>
<p>Then apply the following manifest file to deploy ExternalDNS.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="nn">---</span>
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRole</span>
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-16-11" name="__codelineno-16-11" href="#__codelineno-16-11"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-12" name="__codelineno-16-12" href="#__codelineno-16-12"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-16-13" name="__codelineno-16-13" href="#__codelineno-16-13"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-14" name="__codelineno-16-14" href="#__codelineno-16-14"></a><span class="nt">rules</span><span class="p">:</span>
<a id="__codelineno-16-15" name="__codelineno-16-15" href="#__codelineno-16-15"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-16" name="__codelineno-16-16" href="#__codelineno-16-16"></a><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;services&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;endpoints&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;pods&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;nodes&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-17" name="__codelineno-16-17" href="#__codelineno-16-17"></a><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;get&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;watch&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;list&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-18" name="__codelineno-16-18" href="#__codelineno-16-18"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;extensions&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;networking.k8s.io&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-19" name="__codelineno-16-19" href="#__codelineno-16-19"></a><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;ingresses&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-20" name="__codelineno-16-20" href="#__codelineno-16-20"></a><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;get&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;watch&quot;</span><span class="p p-Indicator">,</span><span class="s">&quot;list&quot;</span><span class="p p-Indicator">]</span>
<a id="__codelineno-16-21" name="__codelineno-16-21" href="#__codelineno-16-21"></a><span class="nn">---</span>
<a id="__codelineno-16-22" name="__codelineno-16-22" href="#__codelineno-16-22"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io/v1</span>
<a id="__codelineno-16-23" name="__codelineno-16-23" href="#__codelineno-16-23"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRoleBinding</span>
<a id="__codelineno-16-24" name="__codelineno-16-24" href="#__codelineno-16-24"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-16-25" name="__codelineno-16-25" href="#__codelineno-16-25"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns-viewer</span>
<a id="__codelineno-16-26" name="__codelineno-16-26" href="#__codelineno-16-26"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-16-27" name="__codelineno-16-27" href="#__codelineno-16-27"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-28" name="__codelineno-16-28" href="#__codelineno-16-28"></a><span class="nt">roleRef</span><span class="p">:</span>
<a id="__codelineno-16-29" name="__codelineno-16-29" href="#__codelineno-16-29"></a><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">rbac.authorization.k8s.io</span>
<a id="__codelineno-16-30" name="__codelineno-16-30" href="#__codelineno-16-30"></a><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterRole</span>
<a id="__codelineno-16-31" name="__codelineno-16-31" href="#__codelineno-16-31"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-32" name="__codelineno-16-32" href="#__codelineno-16-32"></a><span class="nt">subjects</span><span class="p">:</span>
<a id="__codelineno-16-33" name="__codelineno-16-33" href="#__codelineno-16-33"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
<a id="__codelineno-16-34" name="__codelineno-16-34" href="#__codelineno-16-34"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-35" name="__codelineno-16-35" href="#__codelineno-16-35"></a><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># change if namespace is not &#39;default&#39;</span>
<a id="__codelineno-16-36" name="__codelineno-16-36" href="#__codelineno-16-36"></a><span class="nn">---</span>
<a id="__codelineno-16-37" name="__codelineno-16-37" href="#__codelineno-16-37"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<a id="__codelineno-16-38" name="__codelineno-16-38" href="#__codelineno-16-38"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<a id="__codelineno-16-39" name="__codelineno-16-39" href="#__codelineno-16-39"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-16-40" name="__codelineno-16-40" href="#__codelineno-16-40"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-41" name="__codelineno-16-41" href="#__codelineno-16-41"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-16-42" name="__codelineno-16-42" href="#__codelineno-16-42"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-43" name="__codelineno-16-43" href="#__codelineno-16-43"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-16-44" name="__codelineno-16-44" href="#__codelineno-16-44"></a><span class="w"> </span><span class="nt">strategy</span><span class="p">:</span>
<a id="__codelineno-16-45" name="__codelineno-16-45" href="#__codelineno-16-45"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Recreate</span>
<a id="__codelineno-16-46" name="__codelineno-16-46" href="#__codelineno-16-46"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-16-47" name="__codelineno-16-47" href="#__codelineno-16-47"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
<a id="__codelineno-16-48" name="__codelineno-16-48" href="#__codelineno-16-48"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-49" name="__codelineno-16-49" href="#__codelineno-16-49"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span>
<a id="__codelineno-16-50" name="__codelineno-16-50" href="#__codelineno-16-50"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-16-51" name="__codelineno-16-51" href="#__codelineno-16-51"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-16-52" name="__codelineno-16-52" href="#__codelineno-16-52"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-53" name="__codelineno-16-53" href="#__codelineno-16-53"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-16-54" name="__codelineno-16-54" href="#__codelineno-16-54"></a><span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-55" name="__codelineno-16-55" href="#__codelineno-16-55"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<a id="__codelineno-16-56" name="__codelineno-16-56" href="#__codelineno-16-56"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-16-57" name="__codelineno-16-57" href="#__codelineno-16-57"></a><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.k8s.io/external-dns/external-dns:v0.17.0</span>
<a id="__codelineno-16-58" name="__codelineno-16-58" href="#__codelineno-16-58"></a><span class="w"> </span><span class="nt">args</span><span class="p">:</span>
<a id="__codelineno-16-59" name="__codelineno-16-59" href="#__codelineno-16-59"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=service</span>
<a id="__codelineno-16-60" name="__codelineno-16-60" href="#__codelineno-16-60"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=ingress</span>
<a id="__codelineno-16-61" name="__codelineno-16-61" href="#__codelineno-16-61"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--domain-filter=example.com</span><span class="w"> </span><span class="c1"># will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones</span>
<a id="__codelineno-16-62" name="__codelineno-16-62" href="#__codelineno-16-62"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--provider=google</span>
<a id="__codelineno-16-63" name="__codelineno-16-63" href="#__codelineno-16-63"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--log-format=json</span><span class="w"> </span><span class="c1"># google cloud logs parses severity of the &quot;text&quot; log format incorrectly</span>
<a id="__codelineno-16-64" name="__codelineno-16-64" href="#__codelineno-16-64"></a><span class="w"> </span><span class="c1"># - --google-project=my-cloud-dns-project # Use this to specify a project different from the one external-dns is running inside</span>
<a id="__codelineno-16-65" name="__codelineno-16-65" href="#__codelineno-16-65"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--google-zone-visibility=public</span><span class="w"> </span><span class="c1"># Use this to filter to only zones with this visibility. Set to either &#39;public&#39; or &#39;private&#39;. Omitting will match public and private zones</span>
<a id="__codelineno-16-66" name="__codelineno-16-66" href="#__codelineno-16-66"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--policy=upsert-only</span><span class="w"> </span><span class="c1"># would prevent ExternalDNS from deleting any records, omit to enable full synchronization</span>
<a id="__codelineno-16-67" name="__codelineno-16-67" href="#__codelineno-16-67"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--registry=txt</span>
<a id="__codelineno-16-68" name="__codelineno-16-68" href="#__codelineno-16-68"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--txt-owner-id=my-identifier</span>
<a id="__codelineno-16-69" name="__codelineno-16-69" href="#__codelineno-16-69"></a><span class="w"> </span><span class="c1"># # uncomment below if static credentials are used</span>
<a id="__codelineno-16-70" name="__codelineno-16-70" href="#__codelineno-16-70"></a><span class="w"> </span><span class="c1"># env:</span>
<a id="__codelineno-16-71" name="__codelineno-16-71" href="#__codelineno-16-71"></a><span class="w"> </span><span class="c1"># - name: GOOGLE_APPLICATION_CREDENTIALS</span>
<a id="__codelineno-16-72" name="__codelineno-16-72" href="#__codelineno-16-72"></a><span class="w"> </span><span class="c1"># value: /etc/secrets/service-account/credentials.json</span>
<a id="__codelineno-16-73" name="__codelineno-16-73" href="#__codelineno-16-73"></a><span class="w"> </span><span class="c1"># volumeMounts:</span>
<a id="__codelineno-16-74" name="__codelineno-16-74" href="#__codelineno-16-74"></a><span class="w"> </span><span class="c1"># - name: google-service-account</span>
<a id="__codelineno-16-75" name="__codelineno-16-75" href="#__codelineno-16-75"></a><span class="w"> </span><span class="c1"># mountPath: /etc/secrets/service-account/</span>
<a id="__codelineno-16-76" name="__codelineno-16-76" href="#__codelineno-16-76"></a><span class="w"> </span><span class="c1"># volumes:</span>
<a id="__codelineno-16-77" name="__codelineno-16-77" href="#__codelineno-16-77"></a><span class="w"> </span><span class="c1"># - name: google-service-account</span>
<a id="__codelineno-16-78" name="__codelineno-16-78" href="#__codelineno-16-78"></a><span class="w"> </span><span class="c1"># secret:</span>
<a id="__codelineno-16-79" name="__codelineno-16-79" href="#__codelineno-16-79"></a><span class="w"> </span><span class="c1"># secretName: external-dns</span>
</code></pre></div>
<p>Create the deployment for ExternalDNS:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--namespace<span class="w"> </span><span class="s2">&quot;default&quot;</span><span class="w"> </span>--filename<span class="w"> </span>externaldns.yaml
</code></pre></div>
<h2 id="verify-externaldns-works">Verify ExternalDNS works<a class="headerlink" href="#verify-externaldns-works" title="Permanent link">&para;</a></h2>
<p>The following will deploy a small nginx server that will be used to demonstrate that ExternalDNS is working.</p>
<h3 id="verify-using-an-external-load-balancer">Verify using an external load balancer<a class="headerlink" href="#verify-using-an-external-load-balancer" title="Permanent link">&para;</a></h3>
<p>Create the following sample application to test that ExternalDNS works. This example will provision an L4 load balancer.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a><span class="w"> </span><span class="c1"># change nginx.example.com to match an appropriate value</span>
<a id="__codelineno-18-7" name="__codelineno-18-7" href="#__codelineno-18-7"></a><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx.example.com</span>
<a id="__codelineno-18-8" name="__codelineno-18-8" href="#__codelineno-18-8"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-18-9" name="__codelineno-18-9" href="#__codelineno-18-9"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">LoadBalancer</span>
<a id="__codelineno-18-10" name="__codelineno-18-10" href="#__codelineno-18-10"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<a id="__codelineno-18-11" name="__codelineno-18-11" href="#__codelineno-18-11"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-18-12" name="__codelineno-18-12" href="#__codelineno-18-12"></a><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-18-13" name="__codelineno-18-13" href="#__codelineno-18-13"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-18-14" name="__codelineno-18-14" href="#__codelineno-18-14"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-15" name="__codelineno-18-15" href="#__codelineno-18-15"></a><span class="nn">---</span>
<a id="__codelineno-18-16" name="__codelineno-18-16" href="#__codelineno-18-16"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<a id="__codelineno-18-17" name="__codelineno-18-17" href="#__codelineno-18-17"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<a id="__codelineno-18-18" name="__codelineno-18-18" href="#__codelineno-18-18"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-18-19" name="__codelineno-18-19" href="#__codelineno-18-19"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-20" name="__codelineno-18-20" href="#__codelineno-18-20"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-18-21" name="__codelineno-18-21" href="#__codelineno-18-21"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-18-22" name="__codelineno-18-22" href="#__codelineno-18-22"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
<a id="__codelineno-18-23" name="__codelineno-18-23" href="#__codelineno-18-23"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-24" name="__codelineno-18-24" href="#__codelineno-18-24"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span>
<a id="__codelineno-18-25" name="__codelineno-18-25" href="#__codelineno-18-25"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-18-26" name="__codelineno-18-26" href="#__codelineno-18-26"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-18-27" name="__codelineno-18-27" href="#__codelineno-18-27"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-28" name="__codelineno-18-28" href="#__codelineno-18-28"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-18-29" name="__codelineno-18-29" href="#__codelineno-18-29"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<a id="__codelineno-18-30" name="__codelineno-18-30" href="#__codelineno-18-30"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-31" name="__codelineno-18-31" href="#__codelineno-18-31"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-18-32" name="__codelineno-18-32" href="#__codelineno-18-32"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<a id="__codelineno-18-33" name="__codelineno-18-33" href="#__codelineno-18-33"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
</code></pre></div>
<p>Create the deployment and service objects:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--namespace<span class="w"> </span><span class="s2">&quot;default&quot;</span><span class="w"> </span>--filename<span class="w"> </span>nginx.yaml
</code></pre></div>
<p>After roughly two minutes check that a corresponding DNS record for your service was created.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>record-sets<span class="w"> </span>list<span class="w"> </span>--zone<span class="w"> </span><span class="s2">&quot;example-com&quot;</span><span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;nginx.example.com.&quot;</span>
</code></pre></div>
<p>Example output:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a>NAME<span class="w"> </span>TYPE<span class="w"> </span>TTL<span class="w"> </span>DATA
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a>nginx.example.com.<span class="w"> </span>A<span class="w"> </span><span class="m">300</span><span class="w"> </span><span class="m">104</span>.155.60.49
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a>nginx.example.com.<span class="w"> </span>TXT<span class="w"> </span><span class="m">300</span><span class="w"> </span><span class="s2">&quot;heritage=external-dns,external-dns/owner=my-identifier&quot;</span>
</code></pre></div>
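<p>Note the <code>TXT</code> record created alongside the <code>A</code> record. The <code>TXT</code> record signifies that the corresponding <code>A</code> record is managed by ExternalDNS. This makes ExternalDNS safe to run in environments where other records are managed by other means. The <code>owner</code> value in the record comes from <code>--txt-owner-id</code>; give each ExternalDNS instance that shares a zone its own identifier so that one instance does not treat another&rsquo;s records as its own.</p>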
<p>Let&rsquo;s check that we can resolve this DNS name. We&rsquo;ll ask the nameservers assigned to your zone first.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a>dig<span class="w"> </span>+short<span class="w"> </span>@ns-cloud-e1.googledomains.com.<span class="w"> </span>nginx.example.com.
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="m">104</span>.155.60.49
</code></pre></div>
<p>Provided you have hooked up your DNS zone with its parent zone, you can use <code>curl</code> to access your site.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a>curl<span class="w"> </span>nginx.example.com
</code></pre></div>
<h3 id="verify-using-an-ingress">Verify using an ingress<a class="headerlink" href="#verify-using-an-ingress" title="Permanent link">&para;</a></h3>
<p>Let&rsquo;s check that Ingress works as well. Create the following Ingress.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<a id="__codelineno-24-3" name="__codelineno-24-3" href="#__codelineno-24-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-24-4" name="__codelineno-24-4" href="#__codelineno-24-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-24-5" name="__codelineno-24-5" href="#__codelineno-24-5"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-24-6" name="__codelineno-24-6" href="#__codelineno-24-6"></a><span class="w"> </span><span class="nt">rules</span><span class="p">:</span>
<a id="__codelineno-24-7" name="__codelineno-24-7" href="#__codelineno-24-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server.example.com</span>
<a id="__codelineno-24-8" name="__codelineno-24-8" href="#__codelineno-24-8"></a><span class="w"> </span><span class="nt">http</span><span class="p">:</span>
<a id="__codelineno-24-9" name="__codelineno-24-9" href="#__codelineno-24-9"></a><span class="w"> </span><span class="nt">paths</span><span class="p">:</span>
<a id="__codelineno-24-10" name="__codelineno-24-10" href="#__codelineno-24-10"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span>
<a id="__codelineno-24-11" name="__codelineno-24-11" href="#__codelineno-24-11"></a><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Prefix</span>
<a id="__codelineno-24-12" name="__codelineno-24-12" href="#__codelineno-24-12"></a><span class="w"> </span><span class="nt">backend</span><span class="p">:</span>
<a id="__codelineno-24-13" name="__codelineno-24-13" href="#__codelineno-24-13"></a><span class="w"> </span><span class="nt">service</span><span class="p">:</span>
<a id="__codelineno-24-14" name="__codelineno-24-14" href="#__codelineno-24-14"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-24-15" name="__codelineno-24-15" href="#__codelineno-24-15"></a><span class="w"> </span><span class="nt">port</span><span class="p">:</span>
<a id="__codelineno-24-16" name="__codelineno-24-16" href="#__codelineno-24-16"></a><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
</code></pre></div>
<p>Create the ingress objects with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--namespace<span class="w"> </span><span class="s2">&quot;default&quot;</span><span class="w"> </span>--filename<span class="w"> </span>ingress.yaml
</code></pre></div>
<p>Note that this Ingress object will use the default ingress controller that comes with GKE to create an L7 load balancer in addition to the L4 load balancer previously created with the Service object.<br />
To use only the L7 load balancer, update the Service manifest to change the Service type to <code>NodePort</code> and remove the ExternalDNS annotation.</p>
<p>After roughly two minutes check that a corresponding DNS record for your Ingress was created.</p>
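<!-- Lists the record sets for the Ingress host; the last line carries no trailing line-continuation so the command runs as pasted. -->
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>record-sets<span class="w"> </span>list<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="w"> </span>--zone<span class="w"> </span><span class="s2">&quot;example-com&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-26-3" name="__codelineno-26-3" href="#__codelineno-26-3"></a><span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;server.example.com.&quot;</span>
</code></pre></div>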
<p>Output:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a>NAME<span class="w"> </span>TYPE<span class="w"> </span>TTL<span class="w"> </span>DATA
<a id="__codelineno-27-2" name="__codelineno-27-2" href="#__codelineno-27-2"></a>server.example.com.<span class="w"> </span>A<span class="w"> </span><span class="m">300</span><span class="w"> </span><span class="m">130</span>.211.46.224
<a id="__codelineno-27-3" name="__codelineno-27-3" href="#__codelineno-27-3"></a>server.example.com.<span class="w"> </span>TXT<span class="w"> </span><span class="m">300</span><span class="w"> </span><span class="s2">&quot;heritage=external-dns,external-dns/owner=my-identifier&quot;</span>
</code></pre></div>
<p>Let&rsquo;s check that we can resolve this DNS name as well.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a>dig<span class="w"> </span>+short<span class="w"> </span>@ns-cloud-e1.googledomains.com.<span class="w"> </span>server.example.com.
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a><span class="m">130</span>.211.46.224
</code></pre></div>
<p>Try with <code>curl</code> as well.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a>curl<span class="w"> </span>server.example.com
</code></pre></div>
<h3 id="clean-up">Clean up<a class="headerlink" href="#clean-up" title="Permanent link">&para;</a></h3>
<p>Make sure to delete all Service and Ingress objects before terminating the cluster so all load balancers get cleaned up correctly.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a>kubectl<span class="w"> </span>delete<span class="w"> </span>service<span class="w"> </span>nginx
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a>kubectl<span class="w"> </span>delete<span class="w"> </span>ingress<span class="w"> </span>nginx
</code></pre></div>
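<p>Give ExternalDNS some time to clean up the DNS records for you. Note that with <code>--policy=upsert-only</code>, as set in the manifest above, ExternalDNS does not delete any records; in that case remove the <code>A</code> and <code>TXT</code> records yourself (or run without that flag) so that no record is left pointing at a released load balancer address. Then delete the managed zone and cluster.</p>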
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a>gcloud<span class="w"> </span>dns<span class="w"> </span>managed-zones<span class="w"> </span>delete<span class="w"> </span><span class="s2">&quot;example-com&quot;</span>
<a id="__codelineno-31-2" name="__codelineno-31-2" href="#__codelineno-31-2"></a>gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>delete<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span>
</code></pre></div>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">May 14, 2025</span>
</span>
</aside>
</article>
</div>
</div>
</main>
</div>
</body>
</html>