mirrors/external-dns
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/external-dns.git synced 2025-08-13 13:06:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
71e164cca1
external-dns/v0.18.0/docs/tutorials/aws/index.html

4907 lines
209 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="author" content="external-dns maintainers">
<link rel="prev" href="../aws-sd/">
<link rel="next" href="../azure-private-dns/">
<link rel="icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.17">
<title>AWS - external-dns</title>
<link rel="stylesheet" href="../../../assets/stylesheets/main.bcfcd587.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#aws" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--shadow md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="external-dns" class="md-header__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
external-dns
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
AWS
</span>
</div>
</div>
</div>
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../../../charts/external-dns/" class="md-tabs__link">
Chart
</a>
</li>
<li class="md-tabs__item">
<a href="../../faq/" class="md-tabs__link">
About
</a>
</li>
<li class="md-tabs__item md-tabs__item--active">
<a href="../akamai-edgedns/" class="md-tabs__link">
Tutorials
</a>
</li>
<li class="md-tabs__item">
<a href="../../annotations/annotations/" class="md-tabs__link">
Annotations
</a>
</li>
<li class="md-tabs__item">
<a href="../../sources/about/" class="md-tabs__link">
Sources
</a>
</li>
<li class="md-tabs__item">
<a href="../../registry/registry/" class="md-tabs__link">
Registries
</a>
</li>
<li class="md-tabs__item">
<a href="../../initial-design/" class="md-tabs__link">
Advanced Topics
</a>
</li>
<li class="md-tabs__item">
<a href="../../../CONTRIBUTING/" class="md-tabs__link">
Contributing
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="external-dns" class="md-nav__button md-logo" aria-label="external-dns" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
external-dns
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes-sigs/external-dns/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes-sigs/external-dns
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<div class="md-nav__link md-nav__container">
<a href="../../../charts/external-dns/" class="md-nav__link ">
<span class="md-ellipsis">
Chart
</span>
</a>
<label class="md-nav__link " for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Chart
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../charts/external-dns/CHANGELOG/" class="md-nav__link">
<span class="md-ellipsis">
Changelog
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
About
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
About
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../faq/" class="md-nav__link">
<span class="md-ellipsis">
FAQ
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../flags/" class="md-nav__link">
<span class="md-ellipsis">
Flags
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../20190708-external-dns-incubator/" class="md-nav__link">
<span class="md-ellipsis">
Out of Incubator
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../code-of-conduct/" class="md-nav__link">
<span class="md-ellipsis">
Code of Conduct
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../LICENSE/" class="md-nav__link">
<span class="md-ellipsis">
License
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../providers/" class="md-nav__link">
<span class="md-ellipsis">
Providers
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
<span class="md-ellipsis">
Tutorials
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../akamai-edgedns/" class="md-nav__link">
<span class="md-ellipsis">
Akamai Edge DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../alibabacloud/" class="md-nav__link">
<span class="md-ellipsis">
Alibaba Cloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-filters/" class="md-nav__link">
<span class="md-ellipsis">
AWS Filters
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-load-balancer-controller/" class="md-nav__link">
<span class="md-ellipsis">
AWS Load Balancer Controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-public-private-route53/" class="md-nav__link">
<span class="md-ellipsis">
AWS Route53 with same domain for public and private zones
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-sd/" class="md-nav__link">
<span class="md-ellipsis">
AWS Cloud Map API
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
AWS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
AWS
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#iam-policy" class="md-nav__link">
<span class="md-ellipsis">
IAM Policy
</span>
</a>
<nav class="md-nav" aria-label="IAM Policy">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#iam-permissions-with-abac" class="md-nav__link">
<span class="md-ellipsis">
IAM Permissions with ABAC
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#create-role-with-aws-cli" class="md-nav__link">
<span class="md-ellipsis">
Create Role with AWS CLI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-a-kubernetes-cluster" class="md-nav__link">
<span class="md-ellipsis">
Provisioning a Kubernetes cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#permissions-to-modify-dns-zone" class="md-nav__link">
<span class="md-ellipsis">
Permissions to modify DNS zone
</span>
</a>
<nav class="md-nav" aria-label="Permissions to modify DNS zone">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#node-iam-role" class="md-nav__link">
<span class="md-ellipsis">
Node IAM Role
</span>
</a>
<nav class="md-nav" aria-label="Node IAM Role">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#get-the-node-iam-role-name" class="md-nav__link">
<span class="md-ellipsis">
Get the Node IAM role name
</span>
</a>
<nav class="md-nav" aria-label="Get the Node IAM role name">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#get-role-name-with-a-single-managed-nodegroup" class="md-nav__link">
<span class="md-ellipsis">
Get role name with a single managed nodegroup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#get-role-name-with-other-configurations" class="md-nav__link">
<span class="md-ellipsis">
Get role name with other configurations
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-with-attached-policy-to-node-iam-role" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS with attached policy to Node IAM Role
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Static credentials
</span>
</a>
<nav class="md-nav" aria-label="Static credentials">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-iam-user-and-attach-the-policy" class="md-nav__link">
<span class="md-ellipsis">
Create IAM user and attach the policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-the-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create the static credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-kubernetes-secret-from-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create Kubernetes secret from credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-using-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS using static credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#iam-roles-for-service-accounts" class="md-nav__link">
<span class="md-ellipsis">
IAM Roles for Service Accounts
</span>
</a>
<nav class="md-nav" aria-label="IAM Roles for Service Accounts">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#verify-oidc-is-supported" class="md-nav__link">
<span class="md-ellipsis">
Verify OIDC is supported
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#associate-oidc-to-cluster" class="md-nav__link">
<span class="md-ellipsis">
Associate OIDC to cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-an-iam-role-bound-to-a-service-account" class="md-nav__link">
<span class="md-ellipsis">
Create an IAM role bound to a service account
</span>
</a>
<nav class="md-nav" aria-label="Create an IAM role bound to a service account">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#use-eksctl-with-eksctl-created-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Use eksctl with eksctl created EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#use-aws-cli-with-any-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Use aws cli with any EKS cluster
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-using-irsa" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS using IRSA
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#set-up-a-hosted-zone" class="md-nav__link">
<span class="md-ellipsis">
Set up a hosted zone
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-helm-with-oidc" class="md-nav__link">
<span class="md-ellipsis">
Using Helm (with OIDC)
</span>
</a>
<nav class="md-nav" aria-label="Using Helm (with OIDC)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#when-using-clusters-without-rbac-enabled" class="md-nav__link">
<span class="md-ellipsis">
When using clusters without RBAC enabled
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#when-using-clusters-with-rbac-enabled" class="md-nav__link">
<span class="md-ellipsis">
When using clusters with RBAC enabled
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#arguments" class="md-nav__link">
<span class="md-ellipsis">
Arguments
</span>
</a>
<nav class="md-nav" aria-label="Arguments">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-zone-type" class="md-nav__link">
<span class="md-ellipsis">
aws-zone-type
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#annotations" class="md-nav__link">
<span class="md-ellipsis">
Annotations
</span>
</a>
<nav class="md-nav" aria-label="Annotations">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#alias" class="md-nav__link">
<span class="md-ellipsis">
alias
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#target-hosted-zone" class="md-nav__link">
<span class="md-ellipsis">
target-hosted-zone
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#aws-zone-match-parent" class="md-nav__link">
<span class="md-ellipsis">
aws-zone-match-parent
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works-service-example" class="md-nav__link">
<span class="md-ellipsis">
Verify ExternalDNS works (Service example)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works-ingress-example" class="md-nav__link">
<span class="md-ellipsis">
Verify ExternalDNS works (Ingress example)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#more-service-annotation-options" class="md-nav__link">
<span class="md-ellipsis">
More service annotation options
</span>
</a>
<nav class="md-nav" aria-label="More service annotation options">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#custom-ttl" class="md-nav__link">
<span class="md-ellipsis">
Custom TTL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#routing-policies" class="md-nav__link">
<span class="md-ellipsis">
Routing policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#associating-dns-records-with-healthchecks" class="md-nav__link">
<span class="md-ellipsis">
Associating DNS records with healthchecks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#canonical-hosted-zones" class="md-nav__link">
<span class="md-ellipsis">
Canonical Hosted Zones
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#govcloud-caveats" class="md-nav__link">
<span class="md-ellipsis">
Govcloud caveats
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dynamodb-registry" class="md-nav__link">
<span class="md-ellipsis">
DynamoDB Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-aaaa-record-creation" class="md-nav__link">
<span class="md-ellipsis">
Disable AAAA Record Creation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#clean-up" class="md-nav__link">
<span class="md-ellipsis">
Clean up
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#throttling" class="md-nav__link">
<span class="md-ellipsis">
Throttling
</span>
</a>
<nav class="md-nav" aria-label="Throttling">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#eks" class="md-nav__link">
<span class="md-ellipsis">
EKS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#batch-size-options" class="md-nav__link">
<span class="md-ellipsis">
Batch size options
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#using-crd-source-to-manage-dns-records-in-aws" class="md-nav__link">
<span class="md-ellipsis">
Using CRD source to manage DNS records in AWS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../azure-private-dns/" class="md-nav__link">
<span class="md-ellipsis">
Azure Private DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../azure/" class="md-nav__link">
<span class="md-ellipsis">
Azure DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../civo/" class="md-nav__link">
<span class="md-ellipsis">
Civo DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../cloudflare/" class="md-nav__link">
<span class="md-ellipsis">
Cloudflare DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../contour/" class="md-nav__link">
<span class="md-ellipsis">
Contour HTTPProxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../coredns/" class="md-nav__link">
<span class="md-ellipsis">
CoreDNS with minikube
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../crd/" class="md-nav__link">
<span class="md-ellipsis">
Using CRD Source for DNS Records
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../digitalocean/" class="md-nav__link">
<span class="md-ellipsis">
DigitalOcean DNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../dnsimple/" class="md-nav__link">
<span class="md-ellipsis">
DNSimple
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../exoscale/" class="md-nav__link">
<span class="md-ellipsis">
Exoscale
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../externalname/" class="md-nav__link">
<span class="md-ellipsis">
ExternalName Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../gandi/" class="md-nav__link">
<span class="md-ellipsis">
Gandi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../gke-nginx/" class="md-nav__link">
<span class="md-ellipsis">
GKE with nginx-ingress-controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../gke/" class="md-nav__link">
<span class="md-ellipsis">
GKE with default controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../godaddy/" class="md-nav__link">
<span class="md-ellipsis">
GoDaddy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hostport/" class="md-nav__link">
<span class="md-ellipsis">
Headless Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ionoscloud/" class="md-nav__link">
<span class="md-ellipsis">
IONOS Cloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kops-dns-controller/" class="md-nav__link">
<span class="md-ellipsis">
kOps dns-controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kube-ingress-aws/" class="md-nav__link">
<span class="md-ellipsis">
kube-ingress-aws-controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../linode/" class="md-nav__link">
<span class="md-ellipsis">
Linode
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ns1/" class="md-nav__link">
<span class="md-ellipsis">
NS1
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../oracle/" class="md-nav__link">
<span class="md-ellipsis">
Oracle Cloud Infrastructure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ovh/" class="md-nav__link">
<span class="md-ellipsis">
OVHcloud
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pdns/" class="md-nav__link">
<span class="md-ellipsis">
PowerDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pihole/" class="md-nav__link">
<span class="md-ellipsis">
Pi-hole
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../plural/" class="md-nav__link">
<span class="md-ellipsis">
Plural
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../rfc2136/" class="md-nav__link">
<span class="md-ellipsis">
RFC2136 provider
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../scaleway/" class="md-nav__link">
<span class="md-ellipsis">
Scaleway
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../security-context/" class="md-nav__link">
<span class="md-ellipsis">
Running ExternalDNS with limited privileges
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../transip/" class="md-nav__link">
<span class="md-ellipsis">
TransIP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../webhook-provider/" class="md-nav__link">
<span class="md-ellipsis">
Webhook provider
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Annotations
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Annotations
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../annotations/annotations/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Sources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Sources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../sources/about/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/crd/" class="md-nav__link">
<span class="md-ellipsis">
CRD Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/f5-transportserver/" class="md-nav__link">
<span class="md-ellipsis">
F5 Networks TransportServer Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/f5-virtualserver/" class="md-nav__link">
<span class="md-ellipsis">
F5 Networks VirtualServer Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gateway-api/" class="md-nav__link">
<span class="md-ellipsis">
Gateway API Route Sources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gateway/" class="md-nav__link">
<span class="md-ellipsis">
Gateway sources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/gloo-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Gloo Proxy Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/ingress/" class="md-nav__link">
<span class="md-ellipsis">
Ingress source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/istio/" class="md-nav__link">
<span class="md-ellipsis">
Istio Gateway / Virtual Service Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/kong/" class="md-nav__link">
<span class="md-ellipsis">
Kong TCPIngress Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/mx-record/" class="md-nav__link">
<span class="md-ellipsis">
MX record with CRD source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/nodes/" class="md-nav__link">
<span class="md-ellipsis">
Cluster Nodes as Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/ns-record/" class="md-nav__link">
<span class="md-ellipsis">
NS record with CRD source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/openshift/" class="md-nav__link">
<span class="md-ellipsis">
OpenShift Route Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/pod/" class="md-nav__link">
<span class="md-ellipsis">
Pod Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/service/" class="md-nav__link">
<span class="md-ellipsis">
Service source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/traefik-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Traefik Proxy Source
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sources/txt-record/" class="md-nav__link">
<span class="md-ellipsis">
Creating TXT record with CRD source
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Registries
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Registries
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../registry/registry/" class="md-nav__link">
<span class="md-ellipsis">
About
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../registry/txt/" class="md-nav__link">
<span class="md-ellipsis">
TXT
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../registry/dynamodb/" class="md-nav__link">
<span class="md-ellipsis">
DynamoDB
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Advanced Topics
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Advanced Topics
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../initial-design/" class="md-nav__link">
<span class="md-ellipsis">
Initial Design
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../proposal/001-leader-election/" class="md-nav__link">
<span class="md-ellipsis">
Leader Election
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8_3" >
<div class="md-nav__link md-nav__container">
<a href="../../monitoring/" class="md-nav__link ">
<span class="md-ellipsis">
Monitoring
</span>
</a>
<label class="md-nav__link " for="__nav_8_3" id="__nav_8_3_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_8_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8_3">
<span class="md-nav__icon md-icon"></span>
Monitoring
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../monitoring/metrics/" class="md-nav__link">
<span class="md-ellipsis">
Available Metrics
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../proposal/multi-target/" class="md-nav__link">
<span class="md-ellipsis">
MultiTarget
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/nat64/" class="md-nav__link">
<span class="md-ellipsis">
NAT64
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/rate-limits/" class="md-nav__link">
<span class="md-ellipsis">
Rate Limits
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/ttl/" class="md-nav__link">
<span class="md-ellipsis">
TTL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/fqdn-templating/" class="md-nav__link">
<span class="md-ellipsis">
FQDN Templating
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8_9" >
<label class="md-nav__link" for="__nav_8_9" id="__nav_8_9_label" tabindex="0">
<span class="md-ellipsis">
Decisions
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_8_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8_9">
<span class="md-nav__icon md-icon"></span>
Decisions
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../proposal/002-internal-ipv6-handling-rollback/" class="md-nav__link">
<span class="md-ellipsis">
002 internal ipv6 handling rollback
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../proposal/003-dnsendpoint-graduation-to-beta/" class="md-nav__link">
<span class="md-ellipsis">
003 dnsendpoint graduation to beta
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<div class="md-nav__link md-nav__container">
<a href="../../contributing/" class="md-nav__link ">
<span class="md-ellipsis">
Contributing
</span>
</a>
<label class="md-nav__link " for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-nav__icon md-icon"></span>
</label>
</div>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes Contributions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../release/" class="md-nav__link">
<span class="md-ellipsis">
Release
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../deprecation/" class="md-nav__link">
<span class="md-ellipsis">
Deprecation Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/chart/" class="md-nav__link">
<span class="md-ellipsis">
Helm Chart
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/design/" class="md-nav__link">
<span class="md-ellipsis">
Design
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/dev-guide/" class="md-nav__link">
<span class="md-ellipsis">
Developer Reference
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../contributing/sources-and-providers/" class="md-nav__link">
<span class="md-ellipsis">
Sources and Providers
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#iam-policy" class="md-nav__link">
<span class="md-ellipsis">
IAM Policy
</span>
</a>
<nav class="md-nav" aria-label="IAM Policy">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#iam-permissions-with-abac" class="md-nav__link">
<span class="md-ellipsis">
IAM Permissions with ABAC
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#create-role-with-aws-cli" class="md-nav__link">
<span class="md-ellipsis">
Create Role with AWS CLI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#provisioning-a-kubernetes-cluster" class="md-nav__link">
<span class="md-ellipsis">
Provisioning a Kubernetes cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#permissions-to-modify-dns-zone" class="md-nav__link">
<span class="md-ellipsis">
Permissions to modify DNS zone
</span>
</a>
<nav class="md-nav" aria-label="Permissions to modify DNS zone">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#node-iam-role" class="md-nav__link">
<span class="md-ellipsis">
Node IAM Role
</span>
</a>
<nav class="md-nav" aria-label="Node IAM Role">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#get-the-node-iam-role-name" class="md-nav__link">
<span class="md-ellipsis">
Get the Node IAM role name
</span>
</a>
<nav class="md-nav" aria-label="Get the Node IAM role name">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#get-role-name-with-a-single-managed-nodegroup" class="md-nav__link">
<span class="md-ellipsis">
Get role name with a single managed nodegroup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#get-role-name-with-other-configurations" class="md-nav__link">
<span class="md-ellipsis">
Get role name with other configurations
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-with-attached-policy-to-node-iam-role" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS with attached policy to Node IAM Role
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Static credentials
</span>
</a>
<nav class="md-nav" aria-label="Static credentials">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#create-iam-user-and-attach-the-policy" class="md-nav__link">
<span class="md-ellipsis">
Create IAM user and attach the policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-the-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create the static credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-kubernetes-secret-from-credentials" class="md-nav__link">
<span class="md-ellipsis">
Create Kubernetes secret from credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-using-static-credentials" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS using static credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#iam-roles-for-service-accounts" class="md-nav__link">
<span class="md-ellipsis">
IAM Roles for Service Accounts
</span>
</a>
<nav class="md-nav" aria-label="IAM Roles for Service Accounts">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#verify-oidc-is-supported" class="md-nav__link">
<span class="md-ellipsis">
Verify OIDC is supported
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#associate-oidc-to-cluster" class="md-nav__link">
<span class="md-ellipsis">
Associate OIDC to cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#create-an-iam-role-bound-to-a-service-account" class="md-nav__link">
<span class="md-ellipsis">
Create an IAM role bound to a service account
</span>
</a>
<nav class="md-nav" aria-label="Create an IAM role bound to a service account">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#use-eksctl-with-eksctl-created-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Use eksctl with eksctl created EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#use-aws-cli-with-any-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Use aws cli with any EKS cluster
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns-using-irsa" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS using IRSA
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#set-up-a-hosted-zone" class="md-nav__link">
<span class="md-ellipsis">
Set up a hosted zone
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deploy-externaldns" class="md-nav__link">
<span class="md-ellipsis">
Deploy ExternalDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-helm-with-oidc" class="md-nav__link">
<span class="md-ellipsis">
Using Helm (with OIDC)
</span>
</a>
<nav class="md-nav" aria-label="Using Helm (with OIDC)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#when-using-clusters-without-rbac-enabled" class="md-nav__link">
<span class="md-ellipsis">
When using clusters without RBAC enabled
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#when-using-clusters-with-rbac-enabled" class="md-nav__link">
<span class="md-ellipsis">
When using clusters with RBAC enabled
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#arguments" class="md-nav__link">
<span class="md-ellipsis">
Arguments
</span>
</a>
<nav class="md-nav" aria-label="Arguments">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#aws-zone-type" class="md-nav__link">
<span class="md-ellipsis">
aws-zone-type
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#annotations" class="md-nav__link">
<span class="md-ellipsis">
Annotations
</span>
</a>
<nav class="md-nav" aria-label="Annotations">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#alias" class="md-nav__link">
<span class="md-ellipsis">
alias
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#target-hosted-zone" class="md-nav__link">
<span class="md-ellipsis">
target-hosted-zone
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#aws-zone-match-parent" class="md-nav__link">
<span class="md-ellipsis">
aws-zone-match-parent
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works-service-example" class="md-nav__link">
<span class="md-ellipsis">
Verify ExternalDNS works (Service example)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#verify-externaldns-works-ingress-example" class="md-nav__link">
<span class="md-ellipsis">
Verify ExternalDNS works (Ingress example)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#more-service-annotation-options" class="md-nav__link">
<span class="md-ellipsis">
More service annotation options
</span>
</a>
<nav class="md-nav" aria-label="More service annotation options">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#custom-ttl" class="md-nav__link">
<span class="md-ellipsis">
Custom TTL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#routing-policies" class="md-nav__link">
<span class="md-ellipsis">
Routing policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#associating-dns-records-with-healthchecks" class="md-nav__link">
<span class="md-ellipsis">
Associating DNS records with healthchecks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#canonical-hosted-zones" class="md-nav__link">
<span class="md-ellipsis">
Canonical Hosted Zones
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#govcloud-caveats" class="md-nav__link">
<span class="md-ellipsis">
Govcloud caveats
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dynamodb-registry" class="md-nav__link">
<span class="md-ellipsis">
DynamoDB Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-aaaa-record-creation" class="md-nav__link">
<span class="md-ellipsis">
Disable AAAA Record Creation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#clean-up" class="md-nav__link">
<span class="md-ellipsis">
Clean up
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#throttling" class="md-nav__link">
<span class="md-ellipsis">
Throttling
</span>
</a>
<nav class="md-nav" aria-label="Throttling">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#eks" class="md-nav__link">
<span class="md-ellipsis">
EKS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#batch-size-options" class="md-nav__link">
<span class="md-ellipsis">
Batch size options
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#using-crd-source-to-manage-dns-records-in-aws" class="md-nav__link">
<span class="md-ellipsis">
Using CRD source to manage DNS records in AWS
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">&para;</a></h1>
<p>This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster on AWS. Make sure to use <strong>&gt;=0.15.0</strong> version of ExternalDNS for this tutorial</p>
<h2 id="iam-policy">IAM Policy<a class="headerlink" href="#iam-policy" title="Permanent link">&para;</a></h2>
<p>The following IAM Policy document allows ExternalDNS to update Route53 Resource<br />
Record Sets and Hosted Zones. You&rsquo;ll want to create this Policy in IAM first. In<br />
our example, we&rsquo;ll call the policy <code>AllowExternalDNSUpdates</code> (but you can call<br />
it whatever you prefer).</p>
<p>If you prefer, you may fine-tune the policy to permit updates only to explicit<br />
Hosted Zone IDs.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">{</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="w"> </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="w"> </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="w"> </span><span class="s2">&quot;route53:ChangeResourceRecordSets&quot;</span>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="w"> </span><span class="p">],</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="w"> </span><span class="s2">&quot;arn:aws:route53:::hostedzone/*&quot;</span>
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="w"> </span><span class="p">},</span>
<a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a><span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a><span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-0-16" name="__codelineno-0-16" href="#__codelineno-0-16"></a><span class="w"> </span><span class="s2">&quot;route53:ListHostedZones&quot;</span><span class="p">,</span>
<a id="__codelineno-0-17" name="__codelineno-0-17" href="#__codelineno-0-17"></a><span class="w"> </span><span class="s2">&quot;route53:ListResourceRecordSets&quot;</span><span class="p">,</span>
<a id="__codelineno-0-18" name="__codelineno-0-18" href="#__codelineno-0-18"></a><span class="w"> </span><span class="s2">&quot;route53:ListTagsForResources&quot;</span>
<a id="__codelineno-0-19" name="__codelineno-0-19" href="#__codelineno-0-19"></a><span class="w"> </span><span class="p">],</span>
<a id="__codelineno-0-20" name="__codelineno-0-20" href="#__codelineno-0-20"></a><span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-0-21" name="__codelineno-0-21" href="#__codelineno-0-21"></a><span class="w"> </span><span class="s2">&quot;*&quot;</span>
<a id="__codelineno-0-22" name="__codelineno-0-22" href="#__codelineno-0-22"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-0-23" name="__codelineno-0-23" href="#__codelineno-0-23"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-0-24" name="__codelineno-0-24" href="#__codelineno-0-24"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-0-25" name="__codelineno-0-25" href="#__codelineno-0-25"></a><span class="p">}</span>
</code></pre></div>
<h3 id="iam-permissions-with-abac">IAM Permissions with ABAC<a class="headerlink" href="#iam-permissions-with-abac" title="Permanent link">&para;</a></h3>
<p>You can use Attribute-based access control(ABAC) for advanced deployments.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="p">{</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="w"> </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="w"> </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a><span class="w"> </span><span class="s2">&quot;route53:ChangeResourceRecordSets&quot;</span>
<a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a><span class="w"> </span><span class="p">],</span>
<a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a><span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a><span class="w"> </span><span class="s2">&quot;arn:aws:route53:::hostedzone/*&quot;</span>
<a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a><span class="w"> </span><span class="p">],</span>
<a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a><span class="w"> </span><span class="nt">&quot;Condition&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a><span class="w"> </span><span class="nt">&quot;ForAllValues:StringLike&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-1-14" name="__codelineno-1-14" href="#__codelineno-1-14"></a><span class="w"> </span><span class="nt">&quot;route53:ChangeResourceRecordSetsNormalizedRecordNames&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;*example.com&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;marketing.example.com&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;*-beta.example.com&quot;</span><span class="p">],</span>
<a id="__codelineno-1-15" name="__codelineno-1-15" href="#__codelineno-1-15"></a><span class="w"> </span><span class="nt">&quot;route53:ChangeResourceRecordSetsActions&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;CREATE&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;UPSERT&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;DELETE&quot;</span><span class="p">],</span>
<a id="__codelineno-1-16" name="__codelineno-1-16" href="#__codelineno-1-16"></a><span class="w"> </span><span class="nt">&quot;route53:ChangeResourceRecordSetsRecordTypes&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;A&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;AAAA&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;MX&quot;</span><span class="p">]</span>
<a id="__codelineno-1-17" name="__codelineno-1-17" href="#__codelineno-1-17"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-1-18" name="__codelineno-1-18" href="#__codelineno-1-18"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-1-19" name="__codelineno-1-19" href="#__codelineno-1-19"></a><span class="w"> </span><span class="p">},</span>
<a id="__codelineno-1-20" name="__codelineno-1-20" href="#__codelineno-1-20"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-1-21" name="__codelineno-1-21" href="#__codelineno-1-21"></a><span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<a id="__codelineno-1-22" name="__codelineno-1-22" href="#__codelineno-1-22"></a><span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-1-23" name="__codelineno-1-23" href="#__codelineno-1-23"></a><span class="w"> </span><span class="s2">&quot;route53:ListHostedZones&quot;</span><span class="p">,</span>
<a id="__codelineno-1-24" name="__codelineno-1-24" href="#__codelineno-1-24"></a><span class="w"> </span><span class="s2">&quot;route53:ListResourceRecordSets&quot;</span><span class="p">,</span>
<a id="__codelineno-1-25" name="__codelineno-1-25" href="#__codelineno-1-25"></a><span class="w"> </span><span class="s2">&quot;route53:ListTagsForResources&quot;</span>
<a id="__codelineno-1-26" name="__codelineno-1-26" href="#__codelineno-1-26"></a><span class="w"> </span><span class="p">],</span>
<a id="__codelineno-1-27" name="__codelineno-1-27" href="#__codelineno-1-27"></a><span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-1-28" name="__codelineno-1-28" href="#__codelineno-1-28"></a><span class="w"> </span><span class="s2">&quot;*&quot;</span>
<a id="__codelineno-1-29" name="__codelineno-1-29" href="#__codelineno-1-29"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-1-30" name="__codelineno-1-30" href="#__codelineno-1-30"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-1-31" name="__codelineno-1-31" href="#__codelineno-1-31"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-1-32" name="__codelineno-1-32" href="#__codelineno-1-32"></a><span class="p">}</span>
</code></pre></div>
<p>Additional resources:</p>
<ul>
<li>AWS IAM actions <a href="https://www.awsiamactions.io/?o=route53%3A">documentation</a></li>
<li>AWS IAM <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys">fine grained controll</a></li>
<li><a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html">Actions and condition keys for Amazon Route 53</a></li>
</ul>
<h2 id="create-role-with-aws-cli">Create Role with AWS CLI<a class="headerlink" href="#create-role-with-aws-cli" title="Permanent link">&para;</a></h2>
<p>If you are using the AWS CLI, you can run the following to install the above policy (saved as <code>policy.json</code>). This can be use in subsequent steps to allow ExternalDNS to access Route53 zones.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>aws<span class="w"> </span>iam<span class="w"> </span>create-policy<span class="w"> </span>--policy-name<span class="w"> </span><span class="s2">&quot;AllowExternalDNSUpdates&quot;</span><span class="w"> </span>--policy-document<span class="w"> </span>file://policy.json
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="c1"># example: arn:aws:iam::XXXXXXXXXXXX:policy/AllowExternalDNSUpdates</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="nb">export</span><span class="w"> </span><span class="nv">POLICY_ARN</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>iam<span class="w"> </span>list-policies<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="w"> </span>--query<span class="w"> </span><span class="s1">&#39;Policies[?PolicyName==`AllowExternalDNSUpdates`].Arn&#39;</span><span class="w"> </span>--output<span class="w"> </span>text<span class="k">)</span>
</code></pre></div>
<h2 id="provisioning-a-kubernetes-cluster">Provisioning a Kubernetes cluster<a class="headerlink" href="#provisioning-a-kubernetes-cluster" title="Permanent link">&para;</a></h2>
<p>You can use <a href="https://eksctl.io">eksctl</a> to easily provision an <a href="https://aws.amazon.com/eks">Amazon Elastic Kubernetes Service</a> (<a href="https://aws.amazon.com/eks">EKS</a>) cluster that is suitable for this tutorial. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html">Getting started with Amazon EKS eksctl</a>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="nb">export</span><span class="w"> </span><span class="nv">EKS_CLUSTER_NAME</span><span class="o">=</span><span class="s2">&quot;my-externaldns-cluster&quot;</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="nb">export</span><span class="w"> </span><span class="nv">EKS_CLUSTER_REGION</span><span class="o">=</span><span class="s2">&quot;us-east-2&quot;</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="nb">export</span><span class="w"> </span><span class="nv">KUBECONFIG</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$HOME</span><span class="s2">/.kube/</span><span class="si">${</span><span class="nv">EKS_CLUSTER_NAME</span><span class="si">}</span><span class="s2">-</span><span class="si">${</span><span class="nv">EKS_CLUSTER_REGION</span><span class="si">}</span><span class="s2">.yaml&quot;</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a>
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a>eksctl<span class="w"> </span>create<span class="w"> </span>cluster<span class="w"> </span>--name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span>--region<span class="w"> </span><span class="nv">$EKS_CLUSTER_REGION</span>
</code></pre></div>
<p>Feel free to use other provisioning tools or an existing cluster.<br />
If <a href="https://www.terraform.io/">Terraform</a> is used, <a href="https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/">vpc</a> and <a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/">eks</a> modules are recommended for standing up an EKS cluster.<br />
Amazon has a workshop called <a href="https://catalog.us-east-1.prod.workshops.aws/workshops/afee4679-89af-408b-8108-44f5b1065cc7/">Amazon EKS Terraform Workshop</a> that may be useful for this process.</p>
<h2 id="permissions-to-modify-dns-zone">Permissions to modify DNS zone<a class="headerlink" href="#permissions-to-modify-dns-zone" title="Permanent link">&para;</a></h2>
<p>You will need to use the above policy (represented by the <code>POLICY_ARN</code> environment variable) to allow ExternalDNS to update records in Route53 DNS zones. Here are three common ways this can be accomplished:</p>
<ul>
<li><a href="#node-iam-role">Node IAM Role</a></li>
<li><a href="#static-credentials">Static credentials</a></li>
<li><a href="#iam-roles-for-service-accounts">IAM Roles for Service Accounts</a></li>
</ul>
<p>For this tutorial, ExternalDNS will use the environment variable <code>EXTERNALDNS_NS</code> to represent the namespace, defaulted to <code>default</code>.<br />
Feel free to change this to something else, such <code>externaldns</code> or <code>kube-addons</code>.<br />
Make sure to edit the <code>subjects[0].namespace</code> for the <code>ClusterRoleBinding</code> resource when deploying ExternalDNS with RBAC enabled.<br />
See <a href="#when-using-clusters-with-rbac-enabled">When using clusters with RBAC enabled</a> for more information.</p>
<p>Additionally, throughout this tutorial, the example domain of <code>example.com</code> is used. Change this to appropriate domain under your control. See <a href="#set-up-a-hosted-zone">Set up a hosted zone</a> section.</p>
<h3 id="node-iam-role">Node IAM Role<a class="headerlink" href="#node-iam-role" title="Permanent link">&para;</a></h3>
<p>In this method, you can attach a policy to the Node IAM Role. This will allow nodes in the Kubernetes cluster to access Route53 zones, which allows ExternalDNS to update DNS records.<br />
Given that this allows all containers to access Route53, not just ExternalDNS, running on the node with these privileges, this method is not recommended, and is only suitable for limited test environments.</p>
<p>If you are using eksctl to provision a new cluster, you add the policy at creation time with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a>eksctl<span class="w"> </span>create<span class="w"> </span>cluster<span class="w"> </span>--external-dns-access<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="w"> </span>--name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span>--region<span class="w"> </span><span class="nv">$EKS_CLUSTER_REGION</span><span class="w"> </span><span class="se">\</span>
</code></pre></div>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> <strong>WARNING</strong>: This will assign allow read-write access to all nodes in the cluster, not just ExternalDNS. For this reason, this method is only suitable for limited test environments.</p>
<p>If you already provisioned a cluster or use other provisioning tools like Terraform, you can use AWS CLI to attach the policy to the Node IAM Role.</p>
<h4 id="get-the-node-iam-role-name">Get the Node IAM role name<a class="headerlink" href="#get-the-node-iam-role-name" title="Permanent link">&para;</a></h4>
<p>The role name of the role associated with the node(s) where ExternalDNS will run is needed. An easy way to get the role name is to use the AWS web console (https://console.aws.amazon.com/eks/), and find any instance in the target node group and copy the role name associated with that instance.</p>
<h5 id="get-role-name-with-a-single-managed-nodegroup">Get role name with a single managed nodegroup<a class="headerlink" href="#get-role-name-with-a-single-managed-nodegroup" title="Permanent link">&para;</a></h5>
<p>From the command line, if you have a single managed node group, the default with <code>eksctl create cluster</code>, you can find the role name with the following:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c1"># get managed node group name (assuming there&#39;s only one node group)</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="nv">GROUP_NAME</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>eks<span class="w"> </span>list-nodegroups<span class="w"> </span>--cluster-name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="w"> </span>--query<span class="w"> </span>nodegroups<span class="w"> </span>--out<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="c1"># fetch role arn given node group name</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="nv">ROLE_ARN</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>eks<span class="w"> </span>describe-nodegroup<span class="w"> </span>--cluster-name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a><span class="w"> </span>--nodegroup-name<span class="w"> </span><span class="nv">$GROUP_NAME</span><span class="w"> </span>--query<span class="w"> </span>nodegroup.nodeRole<span class="w"> </span>--out<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a><span class="c1"># extract just the name part of role arn</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a><span class="nv">ROLE_NAME</span><span class="o">=</span><span class="si">${</span><span class="nv">NODE_ROLE_ARN</span><span class="p">##*/</span><span class="si">}</span>
</code></pre></div>
<h5 id="get-role-name-with-other-configurations">Get role name with other configurations<a class="headerlink" href="#get-role-name-with-other-configurations" title="Permanent link">&para;</a></h5>
<p>If you have multiple node groups or any unmanaged node groups, the process gets more complex. The first step is to get the instance host name of the desired node to where ExternalDNS will be deployed or is already deployed:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="c1"># node instance name of one of the external dns pods currently running</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="nv">INSTANCE_NAME</span><span class="o">=</span><span class="k">$(</span>kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>--all-namespaces<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a><span class="w"> </span>--selector<span class="w"> </span>app.kubernetes.io/instance<span class="o">=</span>external-dns<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-6-4" name="__codelineno-6-4" href="#__codelineno-6-4"></a><span class="w"> </span>--output<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.items[0].spec.nodeName}&#39;</span><span class="k">)</span>
<a id="__codelineno-6-5" name="__codelineno-6-5" href="#__codelineno-6-5"></a>
<a id="__codelineno-6-6" name="__codelineno-6-6" href="#__codelineno-6-6"></a><span class="c1"># instance name of one of the nodes (change if node group is different)</span>
<a id="__codelineno-6-7" name="__codelineno-6-7" href="#__codelineno-6-7"></a><span class="nv">INSTANCE_NAME</span><span class="o">=</span><span class="k">$(</span>kubectl<span class="w"> </span>get<span class="w"> </span>nodes<span class="w"> </span>--output<span class="w"> </span>name<span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="s1">&#39;/&#39;</span><span class="w"> </span>-f2<span class="w"> </span><span class="p">|</span><span class="w"> </span>tail<span class="w"> </span>-1<span class="k">)</span>
</code></pre></div>
<p>With the instance host name, you can then get the instance id:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a>get_instance_id<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="w"> </span><span class="nv">INSTANCE_NAME</span><span class="o">=</span><span class="nv">$1</span><span class="w"> </span><span class="c1"># example: ip-192-168-74-34.us-east-2.compute.internal</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="w"> </span><span class="c1"># get list of nodes</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a><span class="w"> </span><span class="c1"># ip-192-168-74-34.us-east-2.compute.internal aws:///us-east-2a/i-xxxxxxxxxxxxxxxxx</span>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="w"> </span><span class="c1"># ip-192-168-86-105.us-east-2.compute.internal aws:///us-east-2a/i-xxxxxxxxxxxxxxxxx</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="w"> </span><span class="nv">NODES</span><span class="o">=</span><span class="k">$(</span>kubectl<span class="w"> </span>get<span class="w"> </span>nodes<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="w"> </span>--output<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{range .items[*]}{.metadata.name}{&quot;\t&quot;}{.spec.providerID}{&quot;\n&quot;}{end}&#39;</span><span class="k">)</span>
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a>
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a><span class="w"> </span><span class="c1"># print instance id from matching node</span>
<a id="__codelineno-7-11" name="__codelineno-7-11" href="#__codelineno-7-11"></a><span class="w"> </span>grep<span class="w"> </span><span class="nv">$INSTANCE_NAME</span><span class="w"> </span><span class="o">&lt;&lt;&lt;</span><span class="w"> </span><span class="s2">&quot;</span><span class="nv">$NODES</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="s1">&#39;/&#39;</span><span class="w"> </span>-f5
<a id="__codelineno-7-12" name="__codelineno-7-12" href="#__codelineno-7-12"></a><span class="o">}</span>
<a id="__codelineno-7-13" name="__codelineno-7-13" href="#__codelineno-7-13"></a>
<a id="__codelineno-7-14" name="__codelineno-7-14" href="#__codelineno-7-14"></a><span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="k">$(</span>get_instance_id<span class="w"> </span><span class="nv">$INSTANCE_NAME</span><span class="k">)</span>
</code></pre></div>
<p>With the instance id, you can get the associated role name:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>findRoleName<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="w"> </span><span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="nv">$1</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="w"> </span><span class="c1"># get all of the roles</span>
<a id="__codelineno-8-5" name="__codelineno-8-5" href="#__codelineno-8-5"></a><span class="w"> </span><span class="nv">ROLES</span><span class="o">=(</span><span class="k">$(</span>aws<span class="w"> </span>iam<span class="w"> </span>list-roles<span class="w"> </span>--query<span class="w"> </span>Roles<span class="o">[</span>*<span class="o">]</span>.RoleName<span class="w"> </span>--out<span class="w"> </span>text<span class="k">)</span><span class="o">)</span>
<a id="__codelineno-8-6" name="__codelineno-8-6" href="#__codelineno-8-6"></a><span class="w"> </span><span class="k">for</span><span class="w"> </span>ROLE<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="si">${</span><span class="nv">ROLES</span><span class="p">[*]</span><span class="si">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<a id="__codelineno-8-7" name="__codelineno-8-7" href="#__codelineno-8-7"></a><span class="w"> </span><span class="c1"># get instance profile arn</span>
<a id="__codelineno-8-8" name="__codelineno-8-8" href="#__codelineno-8-8"></a><span class="w"> </span><span class="nv">PROFILE_ARN</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>iam<span class="w"> </span>list-instance-profiles-for-role<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-9" name="__codelineno-8-9" href="#__codelineno-8-9"></a><span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$ROLE</span><span class="w"> </span>--query<span class="w"> </span>InstanceProfiles<span class="o">[</span><span class="m">0</span><span class="o">]</span>.Arn<span class="w"> </span>--output<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-8-10" name="__codelineno-8-10" href="#__codelineno-8-10"></a><span class="w"> </span><span class="c1"># if there is an instance profile</span>
<a id="__codelineno-8-11" name="__codelineno-8-11" href="#__codelineno-8-11"></a><span class="w"> </span><span class="k">if</span><span class="w"> </span>True<span class="p">;</span><span class="w"> </span><span class="k">then</span>
<a id="__codelineno-8-12" name="__codelineno-8-12" href="#__codelineno-8-12"></a><span class="w"> </span><span class="c1"># get all the instances with this associated instance profile</span>
<a id="__codelineno-8-13" name="__codelineno-8-13" href="#__codelineno-8-13"></a><span class="w"> </span><span class="nv">INSTANCES</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>ec2<span class="w"> </span>describe-instances<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-14" name="__codelineno-8-14" href="#__codelineno-8-14"></a><span class="w"> </span>--filters<span class="w"> </span><span class="nv">Name</span><span class="o">=</span>iam-instance-profile.arn,Values<span class="o">=</span><span class="nv">$PROFILE_ARN</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-8-15" name="__codelineno-8-15" href="#__codelineno-8-15"></a><span class="w"> </span>--query<span class="w"> </span>Reservations<span class="o">[</span>*<span class="o">]</span>.Instances<span class="o">[</span><span class="m">0</span><span class="o">]</span>.InstanceId<span class="w"> </span>--out<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-8-16" name="__codelineno-8-16" href="#__codelineno-8-16"></a><span class="w"> </span><span class="c1"># find instances that match the instant profile</span>
<a id="__codelineno-8-17" name="__codelineno-8-17" href="#__codelineno-8-17"></a><span class="w"> </span><span class="k">for</span><span class="w"> </span>INSTANCE<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="si">${</span><span class="nv">INSTANCES</span><span class="p">[*]</span><span class="si">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<a id="__codelineno-8-18" name="__codelineno-8-18" href="#__codelineno-8-18"></a><span class="w"> </span><span class="c1"># set role name value if there is a match</span>
<a id="__codelineno-8-19" name="__codelineno-8-19" href="#__codelineno-8-19"></a><span class="w"> </span><span class="k">if</span><span class="w"> </span>False<span class="p">;</span><span class="w"> </span><span class="k">then</span><span class="w"> </span><span class="nv">ROLE_NAME</span><span class="o">=</span><span class="nv">$ROLE</span><span class="p">;</span><span class="w"> </span><span class="k">fi</span>
<a id="__codelineno-8-20" name="__codelineno-8-20" href="#__codelineno-8-20"></a><span class="w"> </span><span class="k">done</span>
<a id="__codelineno-8-21" name="__codelineno-8-21" href="#__codelineno-8-21"></a><span class="w"> </span><span class="k">fi</span>
<a id="__codelineno-8-22" name="__codelineno-8-22" href="#__codelineno-8-22"></a><span class="w"> </span><span class="k">done</span>
<a id="__codelineno-8-23" name="__codelineno-8-23" href="#__codelineno-8-23"></a>
<a id="__codelineno-8-24" name="__codelineno-8-24" href="#__codelineno-8-24"></a><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$ROLE_NAME</span>
<a id="__codelineno-8-25" name="__codelineno-8-25" href="#__codelineno-8-25"></a><span class="o">}</span>
<a id="__codelineno-8-26" name="__codelineno-8-26" href="#__codelineno-8-26"></a>
<a id="__codelineno-8-27" name="__codelineno-8-27" href="#__codelineno-8-27"></a><span class="nv">NODE_ROLE_NAME</span><span class="o">=</span><span class="k">$(</span>findRoleName<span class="w"> </span><span class="nv">$INSTANCE_ID</span><span class="k">)</span>
</code></pre></div>
<p>Using the role name, you can associate the policy that was created earlier:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="c1"># attach policy arn created earlier to node IAM role</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a>aws<span class="w"> </span>iam<span class="w"> </span>attach-role-policy<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$NODE_ROLE_NAME</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
</code></pre></div>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> <strong>WARNING</strong>: This will assign allow read-write access to all pods running on the same node pool, not just the ExternalDNS pod(s).</p>
<h4 id="deploy-externaldns-with-attached-policy-to-node-iam-role">Deploy ExternalDNS with attached policy to Node IAM Role<a class="headerlink" href="#deploy-externaldns-with-attached-policy-to-node-iam-role" title="Permanent link">&para;</a></h4>
<p>If ExternalDNS is not yet deployed, follow the steps under <a href="#deploy-externaldns">Deploy ExternalDNS</a> using either RBAC or non-RBAC.</p>
<p><strong>NOTE</strong>: Before deleting the cluster during, be sure to run <code>aws iam detach-role-policy</code>. Otherwise, there can be errors as the provisioning system, such as <code>eksctl</code> or <code>terraform</code>, will not be able to delete the roles with the attached policy.</p>
<h3 id="static-credentials">Static credentials<a class="headerlink" href="#static-credentials" title="Permanent link">&para;</a></h3>
<p>In this method, the policy is attached to an IAM user, and the credentials secrets for the IAM user are then made available using a Kubernetes secret.</p>
<p>This method is not the preferred method as the secrets in the credential file could be copied and used by an unauthorized threat actor.<br />
However, if the Kubernetes cluster is not hosted on AWS, it may be the only method available.<br />
Given this situation, it is important to limit the associated privileges to just minimal required privileges, i.e. read-write access to Route53, and not used a credentials file that has extra privileges beyond what is required.</p>
<h4 id="create-iam-user-and-attach-the-policy">Create IAM user and attach the policy<a class="headerlink" href="#create-iam-user-and-attach-the-policy" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="c1"># create IAM user</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a>aws<span class="w"> </span>iam<span class="w"> </span>create-user<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="c1"># attach policy arn created earlier to IAM user</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a>aws<span class="w"> </span>iam<span class="w"> </span>attach-user-policy<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
</code></pre></div>
<h4 id="create-the-static-credentials">Create the static credentials<a class="headerlink" href="#create-the-static-credentials" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="nv">SECRET_ACCESS_KEY</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>iam<span class="w"> </span>create-access-key<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span><span class="k">)</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="nv">ACCESS_KEY_ID</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="nv">$SECRET_ACCESS_KEY</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>jq<span class="w"> </span>-r<span class="w"> </span><span class="s1">&#39;.AccessKey.AccessKeyId&#39;</span><span class="k">)</span>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a>cat<span class="w"> </span><span class="s">&lt;&lt;-EOF &gt; credentials</span>
<a id="__codelineno-11-5" name="__codelineno-11-5" href="#__codelineno-11-5"></a>
<a id="__codelineno-11-6" name="__codelineno-11-6" href="#__codelineno-11-6"></a><span class="s">[default]</span>
<a id="__codelineno-11-7" name="__codelineno-11-7" href="#__codelineno-11-7"></a><span class="s">aws_access_key_id = $(echo $ACCESS_KEY_ID)</span>
<a id="__codelineno-11-8" name="__codelineno-11-8" href="#__codelineno-11-8"></a><span class="s">aws_secret_access_key = $(echo $SECRET_ACCESS_KEY | jq -r &#39;.AccessKey.SecretAccessKey&#39;)</span>
<a id="__codelineno-11-9" name="__codelineno-11-9" href="#__codelineno-11-9"></a><span class="s">EOF</span>
</code></pre></div>
<h4 id="create-kubernetes-secret-from-credentials">Create Kubernetes secret from credentials<a class="headerlink" href="#create-kubernetes-secret-from-credentials" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>external-dns<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="w"> </span>--from-file<span class="w"> </span>/local/path/to/credentials
</code></pre></div>
<h4 id="deploy-externaldns-using-static-credentials">Deploy ExternalDNS using static credentials<a class="headerlink" href="#deploy-externaldns-using-static-credentials" title="Permanent link">&para;</a></h4>
<p>Follow the steps under <a href="#deploy-externaldns">Deploy ExternalDNS</a> using either RBAC or non-RBAC. Make sure to uncomment the section that mounts volumes, so that the credentials can be mounted.</p>
<blockquote>
<p>[!TIP]<br />
By default ExternalDNS takes the profile named <code>default</code> from the credentials file. If you want to use a different<br />
profile, you can set the environment variable <code>EXTERNAL_DNS_AWS_PROFILE</code> to the desired profile name or use the<br />
<code>--aws-profile</code> command line argument. It is even possible to use more than one profile at ones, separated by space in<br />
the environment variable <code>EXTERNAL_DNS_AWS_PROFILE</code> or by using <code>--aws-profile</code> multiple times. In this case<br />
ExternalDNS looks for the hosted zones in all profiles and keeps maintaining a mapping table between zone and profile<br />
in order to be able to modify the zones in the correct profile.</p>
</blockquote>
<h3 id="iam-roles-for-service-accounts">IAM Roles for Service Accounts<a class="headerlink" href="#iam-roles-for-service-accounts" title="Permanent link">&para;</a></h3>
<p><a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a> (<a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IAM roles for Service Accounts</a>) allows cluster operators to map AWS IAM Roles to Kubernetes Service Accounts.<br />
This essentially allows only ExternalDNS pods to access Route53 without exposing any static credentials.</p>
<p>This is the preferred method as it implements <a href="https://csrc.nist.gov/glossary/term/principle_of_least_privilege">PoLP</a> (<a href="https://csrc.nist.gov/glossary/term/principle_of_least_privilege">Principle of Least Privilege</a>).</p>
<blockquote>
<p>[!IMPORTANT]<br />
This method requires using KSA (Kubernetes service account) and RBAC.</p>
</blockquote>
<p>This method requires deploying with RBAC. See <a href="#when-using-clusters-with-rbac-enabled">When using clusters with RBAC enabled</a> when ready to deploy ExternalDNS.</p>
<blockquote>
<p>[!NOTE]<br />
Similar methods to IRSA on AWS are <a href="https://github.com/uswitch/kiam">kiam</a>, which is in maintenence mode, and has <a href="https://github.com/uswitch/kiam/blob/HEAD/docs/IAM.md">instructions</a> for creating an IAM role, and also <a href="https://github.com/jtblin/kube2iam">kube2iam</a>.<br />
IRSA is the officially supported method for EKS clusters, and so for non-EKS clusters on AWS, these other tools could be an option.</p>
</blockquote>
<h4 id="verify-oidc-is-supported">Verify OIDC is supported<a class="headerlink" href="#verify-oidc-is-supported" title="Permanent link">&para;</a></h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a>aws<span class="w"> </span>eks<span class="w"> </span>describe-cluster<span class="w"> </span>--name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;cluster.identity.oidc.issuer&quot;</span><span class="w"> </span>--output<span class="w"> </span>text
</code></pre></div>
<h4 id="associate-oidc-to-cluster">Associate OIDC to cluster<a class="headerlink" href="#associate-oidc-to-cluster" title="Permanent link">&para;</a></h4>
<p>Configure the cluster with an OIDC provider and add support for <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a> (<a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IAM roles for Service Accounts</a>).</p>
<p>If you used <code>eksctl</code> to provision the EKS cluster, you can update it with the following command:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a>eksctl<span class="w"> </span>utils<span class="w"> </span>associate-iam-oidc-provider<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="w"> </span>--cluster<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span>--approve
</code></pre></div>
<p>If the cluster was provisioned with Terraform, you can use the <code>iam_openid_connect_provider</code> resource (<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider">ref</a>) to associate to the OIDC provider.</p>
<h4 id="create-an-iam-role-bound-to-a-service-account">Create an IAM role bound to a service account<a class="headerlink" href="#create-an-iam-role-bound-to-a-service-account" title="Permanent link">&para;</a></h4>
<p>For the next steps in this process, we will need to associate the <code>external-dns</code> service account and a role used to grant access to Route53. This requires the following steps:</p>
<ol>
<li>Create a role with a trust relationship to the cluster&rsquo;s OIDC provider</li>
<li>Attach the <code>AllowExternalDNSUpdates</code> policy to the role</li>
<li>Create the <code>external-dns</code> service account</li>
<li>Add annotation to the service account with the role arn</li>
</ol>
<h5 id="use-eksctl-with-eksctl-created-eks-cluster">Use eksctl with eksctl created EKS cluster<a class="headerlink" href="#use-eksctl-with-eksctl-created-eks-cluster" title="Permanent link">&para;</a></h5>
<p>If <code>eksctl</code> was used to provision the EKS cluster, you can perform all of these steps with the following command:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a>eksctl<span class="w"> </span>create<span class="w"> </span>iamserviceaccount<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="w"> </span>--cluster<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-5" name="__codelineno-15-5" href="#__codelineno-15-5"></a><span class="w"> </span>--attach-policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-15-6" name="__codelineno-15-6" href="#__codelineno-15-6"></a><span class="w"> </span>--approve
</code></pre></div>
<h5 id="use-aws-cli-with-any-eks-cluster">Use aws cli with any EKS cluster<a class="headerlink" href="#use-aws-cli-with-any-eks-cluster" title="Permanent link">&para;</a></h5>
<p>Otherwise, we can do the following steps using <code>aws</code> commands (also see <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html">Creating an IAM role and policy for your service account</a>):</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>sts<span class="w"> </span>get-caller-identity<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;Account&quot;</span><span class="w"> </span>--output<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="nv">OIDC_PROVIDER</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>eks<span class="w"> </span>describe-cluster<span class="w"> </span>--name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;cluster.identity.oidc.issuer&quot;</span><span class="w"> </span>--output<span class="w"> </span>text<span class="w"> </span><span class="p">|</span><span class="w"> </span>sed<span class="w"> </span>-e<span class="w"> </span><span class="s1">&#39;s|^https://||&#39;</span><span class="k">)</span>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a>
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a>cat<span class="w"> </span><span class="s">&lt;&lt;-EOF &gt; trust.json</span>
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="s">{</span>
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a><span class="s"> &quot;Version&quot;: &quot;2012-10-17&quot;,</span>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="s"> &quot;Statement&quot;: [</span>
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a><span class="s"> {</span>
<a id="__codelineno-16-11" name="__codelineno-16-11" href="#__codelineno-16-11"></a><span class="s"> &quot;Effect&quot;: &quot;Allow&quot;,</span>
<a id="__codelineno-16-12" name="__codelineno-16-12" href="#__codelineno-16-12"></a><span class="s"> &quot;Principal&quot;: {</span>
<a id="__codelineno-16-13" name="__codelineno-16-13" href="#__codelineno-16-13"></a><span class="s"> &quot;Federated&quot;: &quot;arn:aws:iam::$ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER&quot;</span>
<a id="__codelineno-16-14" name="__codelineno-16-14" href="#__codelineno-16-14"></a><span class="s"> },</span>
<a id="__codelineno-16-15" name="__codelineno-16-15" href="#__codelineno-16-15"></a><span class="s"> &quot;Action&quot;: &quot;sts:AssumeRoleWithWebIdentity&quot;,</span>
<a id="__codelineno-16-16" name="__codelineno-16-16" href="#__codelineno-16-16"></a><span class="s"> &quot;Condition&quot;: {</span>
<a id="__codelineno-16-17" name="__codelineno-16-17" href="#__codelineno-16-17"></a><span class="s"> &quot;StringEquals&quot;: {</span>
<a id="__codelineno-16-18" name="__codelineno-16-18" href="#__codelineno-16-18"></a><span class="s"> &quot;$OIDC_PROVIDER:sub&quot;: &quot;system:serviceaccount:${EXTERNALDNS_NS:-&quot;default&quot;}:external-dns&quot;,</span>
<a id="__codelineno-16-19" name="__codelineno-16-19" href="#__codelineno-16-19"></a><span class="s"> &quot;$OIDC_PROVIDER:aud&quot;: &quot;sts.amazonaws.com&quot;</span>
<a id="__codelineno-16-20" name="__codelineno-16-20" href="#__codelineno-16-20"></a><span class="s"> }</span>
<a id="__codelineno-16-21" name="__codelineno-16-21" href="#__codelineno-16-21"></a><span class="s"> }</span>
<a id="__codelineno-16-22" name="__codelineno-16-22" href="#__codelineno-16-22"></a><span class="s"> }</span>
<a id="__codelineno-16-23" name="__codelineno-16-23" href="#__codelineno-16-23"></a><span class="s"> ]</span>
<a id="__codelineno-16-24" name="__codelineno-16-24" href="#__codelineno-16-24"></a><span class="s">}</span>
<a id="__codelineno-16-25" name="__codelineno-16-25" href="#__codelineno-16-25"></a><span class="s">EOF</span>
<a id="__codelineno-16-26" name="__codelineno-16-26" href="#__codelineno-16-26"></a>
<a id="__codelineno-16-27" name="__codelineno-16-27" href="#__codelineno-16-27"></a><span class="nv">IRSA_ROLE</span><span class="o">=</span><span class="s2">&quot;external-dns-irsa-role&quot;</span>
<a id="__codelineno-16-28" name="__codelineno-16-28" href="#__codelineno-16-28"></a>aws<span class="w"> </span>iam<span class="w"> </span>create-role<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$IRSA_ROLE</span><span class="w"> </span>--assume-role-policy-document<span class="w"> </span>file://trust.json
<a id="__codelineno-16-29" name="__codelineno-16-29" href="#__codelineno-16-29"></a>aws<span class="w"> </span>iam<span class="w"> </span>attach-role-policy<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$IRSA_ROLE</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
<a id="__codelineno-16-30" name="__codelineno-16-30" href="#__codelineno-16-30"></a>
<a id="__codelineno-16-31" name="__codelineno-16-31" href="#__codelineno-16-31"></a><span class="nv">ROLE_ARN</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>iam<span class="w"> </span>get-role<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$IRSA_ROLE</span><span class="w"> </span>--query<span class="w"> </span>Role.Arn<span class="w"> </span>--output<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-16-32" name="__codelineno-16-32" href="#__codelineno-16-32"></a>
<a id="__codelineno-16-33" name="__codelineno-16-33" href="#__codelineno-16-33"></a><span class="c1"># Create service account (skip is already created)</span>
<a id="__codelineno-16-34" name="__codelineno-16-34" href="#__codelineno-16-34"></a>kubectl<span class="w"> </span>create<span class="w"> </span>serviceaccount<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
<a id="__codelineno-16-35" name="__codelineno-16-35" href="#__codelineno-16-35"></a>
<a id="__codelineno-16-36" name="__codelineno-16-36" href="#__codelineno-16-36"></a><span class="c1"># Add annotation referencing IRSA role</span>
<a id="__codelineno-16-37" name="__codelineno-16-37" href="#__codelineno-16-37"></a>kubectl<span class="w"> </span>patch<span class="w"> </span>serviceaccount<span class="w"> </span><span class="s2">&quot;external-dns&quot;</span><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span><span class="w"> </span>--patch<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-16-38" name="__codelineno-16-38" href="#__codelineno-16-38"></a><span class="w"> </span><span class="s2">&quot;{\&quot;metadata\&quot;: { \&quot;annotations\&quot;: { \&quot;eks.amazonaws.com/role-arn\&quot;: \&quot;</span><span class="nv">$ROLE_ARN</span><span class="s2">\&quot; }}}&quot;</span>
</code></pre></div>
<p>If any part of this step is misconfigured, such as the role with incorrect namespace configured in the trust relationship, annotation pointing the the wrong role, etc., you will see errors like <code>WebIdentityErr: failed to retrieve credentials</code>. Check the configuration and make corrections.</p>
<p>When the service account annotations are updated, then the current running pods will have to be terminated, so that new pod(s) with proper configuration (environment variables) will be created automatically.</p>
<p>When annotation is added to service account, the ExternalDNS pod(s) scheduled will have <code>AWS_ROLE_ARN</code>, <code>AWS_STS_REGIONAL_ENDPOINTS</code>, and <code>AWS_WEB_IDENTITY_TOKEN_FILE</code> environment variables injected automatically.</p>
<h4 id="deploy-externaldns-using-irsa">Deploy ExternalDNS using IRSA<a class="headerlink" href="#deploy-externaldns-using-irsa" title="Permanent link">&para;</a></h4>
<p>Follow the steps under <a href="#when-using-clusters-with-rbac-enabled">When using clusters with RBAC enabled</a>. Make sure to comment out the service account section if this has been created already.</p>
<p>If you deployed ExternalDNS before adding the service account annotation and the corresponding role, you will likely see error with <code>failed to list hosted zones: AccessDenied: User</code>.<br />
You can delete the current running ExternalDNS pod(s) after updating the annotation, so that new pods scheduled will have appropriate configuration to access Route53.</p>
<h2 id="set-up-a-hosted-zone">Set up a hosted zone<a class="headerlink" href="#set-up-a-hosted-zone" title="Permanent link">&para;</a></h2>
<p><em>If you prefer to try-out ExternalDNS in one of the existing hosted-zones you can skip this step</em></p>
<p>Create a DNS zone which will contain the managed DNS records. This tutorial will use the fictional domain of <code>example.com</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a>aws<span class="w"> </span>route53<span class="w"> </span>create-hosted-zone<span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;example.com.&quot;</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="w"> </span>--caller-reference<span class="w"> </span><span class="s2">&quot;external-dns-test-</span><span class="k">$(</span>date<span class="w"> </span>+%s<span class="k">)</span><span class="s2">&quot;</span>
</code></pre></div>
<p>Make a note of the nameservers that were assigned to your new zone.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="nv">ZONE_ID</span><span class="o">=</span><span class="k">$(</span>aws<span class="w"> </span>route53<span class="w"> </span>list-hosted-zones-by-name<span class="w"> </span>--output<span class="w"> </span>json<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="w"> </span>--dns-name<span class="w"> </span><span class="s2">&quot;example.com.&quot;</span><span class="w"> </span>--query<span class="w"> </span>HostedZones<span class="o">[</span><span class="m">0</span><span class="o">]</span>.Id<span class="w"> </span>--out<span class="w"> </span>text<span class="k">)</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a>aws<span class="w"> </span>route53<span class="w"> </span>list-resource-record-sets<span class="w"> </span>--output<span class="w"> </span>text<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a><span class="w"> </span>--hosted-zone-id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span>--query<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a><span class="w"> </span><span class="s2">&quot;ResourceRecordSets[?Type == &#39;NS&#39;].ResourceRecords[*].Value | []&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>tr<span class="w"> </span><span class="s1">&#39;\t&#39;</span><span class="w"> </span><span class="s1">&#39;\n&#39;</span>
</code></pre></div>
<p>This should yield something similar this:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a>ns-695.awsdns-22.net.
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a>ns-1313.awsdns-36.org.
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a>ns-350.awsdns-43.com.
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a>ns-1805.awsdns-33.co.uk.
</code></pre></div>
<p>If using your own domain that was registered with a third-party domain registrar, you should point your domain&rsquo;s name servers to the values in the from the list above. Please consult your registrar&rsquo;s documentation on how to do that.</p>
<h2 id="deploy-externaldns">Deploy ExternalDNS<a class="headerlink" href="#deploy-externaldns" title="Permanent link">&para;</a></h2>
<p>Connect your <code>kubectl</code> client to the cluster you want to test ExternalDNS with.<br />
Then apply one of the following manifests file to deploy ExternalDNS. You can check if your cluster has RBAC by <code>kubectl api-versions | grep rbac.authorization.k8s.io</code>.</p>
<p>For clusters with RBAC enabled, be sure to choose the correct <code>namespace</code>. For this tutorial, the enviornment variable <code>EXTERNALDNS_NS</code> will refer to the namespace. You can set this to a value of your choice:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="nb">export</span><span class="w"> </span><span class="nv">EXTERNALDNS_NS</span><span class="o">=</span><span class="s2">&quot;default&quot;</span><span class="w"> </span><span class="c1"># externaldns, kube-addons, etc</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="c1"># create namespace if it does not yet exist</span>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a>kubectl<span class="w"> </span>get<span class="w"> </span>namespaces<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-q<span class="w"> </span><span class="nv">$EXTERNALDNS_NS</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-20-5" name="__codelineno-20-5" href="#__codelineno-20-5"></a><span class="w"> </span>kubectl<span class="w"> </span>create<span class="w"> </span>namespace<span class="w"> </span><span class="nv">$EXTERNALDNS_NS</span>
</code></pre></div>
<h2 id="using-helm-with-oidc">Using Helm (with OIDC)<a class="headerlink" href="#using-helm-with-oidc" title="Permanent link">&para;</a></h2>
<p>Create a values.yaml file to configure ExternalDNS:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a>provider:
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="w"> </span>name:<span class="w"> </span>aws
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a>env:
<a id="__codelineno-21-4" name="__codelineno-21-4" href="#__codelineno-21-4"></a><span class="w"> </span>-<span class="w"> </span>name:<span class="w"> </span>AWS_DEFAULT_REGION
<a id="__codelineno-21-5" name="__codelineno-21-5" href="#__codelineno-21-5"></a><span class="w"> </span>value:<span class="w"> </span>us-east-1<span class="w"> </span><span class="c1"># change to region where EKS is installed</span>
</code></pre></div>
<p>Finally, install the ExternalDNS chart with Helm using the configuration specified in your values.yaml file:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a>helm<span class="w"> </span>upgrade<span class="w"> </span>--install<span class="w"> </span>external-dns<span class="w"> </span>external-dns/external-dns<span class="w"> </span>--values<span class="w"> </span>values.yaml
</code></pre></div>
<h3 id="when-using-clusters-without-rbac-enabled">When using clusters without RBAC enabled<a class="headerlink" href="#when-using-clusters-without-rbac-enabled" title="Permanent link">&para;</a></h3>
<p>Save the following below as <code>externaldns-no-rbac.yaml</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-23-5" name="__codelineno-23-5" href="#__codelineno-23-5"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-23-6" name="__codelineno-23-6" href="#__codelineno-23-6"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-23-7" name="__codelineno-23-7" href="#__codelineno-23-7"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-23-8" name="__codelineno-23-8" href="#__codelineno-23-8"></a><span class="w"> </span><span class="nt">strategy</span><span class="p">:</span>
<a id="__codelineno-23-9" name="__codelineno-23-9" href="#__codelineno-23-9"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Recreate</span>
<a id="__codelineno-23-10" name="__codelineno-23-10" href="#__codelineno-23-10"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-23-11" name="__codelineno-23-11" href="#__codelineno-23-11"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
<a id="__codelineno-23-12" name="__codelineno-23-12" href="#__codelineno-23-12"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-23-13" name="__codelineno-23-13" href="#__codelineno-23-13"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span>
<a id="__codelineno-23-14" name="__codelineno-23-14" href="#__codelineno-23-14"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-23-15" name="__codelineno-23-15" href="#__codelineno-23-15"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-23-16" name="__codelineno-23-16" href="#__codelineno-23-16"></a><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-23-17" name="__codelineno-23-17" href="#__codelineno-23-17"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-23-18" name="__codelineno-23-18" href="#__codelineno-23-18"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<a id="__codelineno-23-19" name="__codelineno-23-19" href="#__codelineno-23-19"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span>
<a id="__codelineno-23-20" name="__codelineno-23-20" href="#__codelineno-23-20"></a><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.k8s.io/external-dns/external-dns:v0.17.0</span>
<a id="__codelineno-23-21" name="__codelineno-23-21" href="#__codelineno-23-21"></a><span class="w"> </span><span class="nt">args</span><span class="p">:</span>
<a id="__codelineno-23-22" name="__codelineno-23-22" href="#__codelineno-23-22"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=service</span>
<a id="__codelineno-23-23" name="__codelineno-23-23" href="#__codelineno-23-23"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--source=ingress</span>
<a id="__codelineno-23-24" name="__codelineno-23-24" href="#__codelineno-23-24"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--domain-filter=example.com</span><span class="w"> </span><span class="c1"># will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones</span>
<a id="__codelineno-23-25" name="__codelineno-23-25" href="#__codelineno-23-25"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--provider=aws</span>
<a id="__codelineno-23-26" name="__codelineno-23-26" href="#__codelineno-23-26"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--policy=upsert-only</span><span class="w"> </span><span class="c1"># would prevent ExternalDNS from deleting any records, omit to enable full synchronization</span>
<a id="__codelineno-23-27" name="__codelineno-23-27" href="#__codelineno-23-27"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--aws-zone-type=public</span><span class="w"> </span><span class="c1"># only look at public hosted zones (valid values are public, private or no value for both)</span>
<a id="__codelineno-23-28" name="__codelineno-23-28" href="#__codelineno-23-28"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--registry=txt</span>
<a id="__codelineno-23-29" name="__codelineno-23-29" href="#__codelineno-23-29"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--txt-owner-id=my-hostedzone-identifier</span>
<a id="__codelineno-23-30" name="__codelineno-23-30" href="#__codelineno-23-30"></a><span class="w"> </span><span class="nt">env</span><span class="p">:</span>
<a id="__codelineno-23-31" name="__codelineno-23-31" href="#__codelineno-23-31"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">AWS_DEFAULT_REGION</span>
<a id="__codelineno-23-32" name="__codelineno-23-32" href="#__codelineno-23-32"></a><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-east-1</span><span class="w"> </span><span class="c1"># change to region where EKS is installed</span>
<a id="__codelineno-23-33" name="__codelineno-23-33" href="#__codelineno-23-33"></a><span class="w"> </span><span class="c1"># # Uncomment below if using static credentials</span>
<a id="__codelineno-23-34" name="__codelineno-23-34" href="#__codelineno-23-34"></a><span class="w"> </span><span class="c1"># - name: AWS_SHARED_CREDENTIALS_FILE</span>
<a id="__codelineno-23-35" name="__codelineno-23-35" href="#__codelineno-23-35"></a><span class="w"> </span><span class="c1"># value: /.aws/credentials</span>
<a id="__codelineno-23-36" name="__codelineno-23-36" href="#__codelineno-23-36"></a><span class="w"> </span><span class="c1"># volumeMounts:</span>
<a id="__codelineno-23-37" name="__codelineno-23-37" href="#__codelineno-23-37"></a><span class="w"> </span><span class="c1"># - name: aws-credentials</span>
<a id="__codelineno-23-38" name="__codelineno-23-38" href="#__codelineno-23-38"></a><span class="w"> </span><span class="c1"># mountPath: /.aws</span>
<a id="__codelineno-23-39" name="__codelineno-23-39" href="#__codelineno-23-39"></a><span class="w"> </span><span class="c1"># readOnly: true</span>
<a id="__codelineno-23-40" name="__codelineno-23-40" href="#__codelineno-23-40"></a><span class="w"> </span><span class="c1"># volumes:</span>
<a id="__codelineno-23-41" name="__codelineno-23-41" href="#__codelineno-23-41"></a><span class="w"> </span><span class="c1"># - name: aws-credentials</span>
<a id="__codelineno-23-42" name="__codelineno-23-42" href="#__codelineno-23-42"></a><span class="w"> </span><span class="c1"># secret:</span>
<a id="__codelineno-23-43" name="__codelineno-23-43" href="#__codelineno-23-43"></a><span class="w"> </span><span class="c1"># secretName: external-dns</span>
</code></pre></div>
<p>When ready you can deploy:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--filename<span class="w"> </span>externaldns-no-rbac.yaml<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">EXTERNALDNS_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
</code></pre></div>
<h3 id="when-using-clusters-with-rbac-enabled">When using clusters with RBAC enabled<a class="headerlink" href="#when-using-clusters-with-rbac-enabled" title="Permanent link">&para;</a></h3>
<p>If you&rsquo;re using EKS, you can update the <code>values.yaml</code> file you created earlier to include the annotations to link the Role ARN you created before.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="nt">provider</span><span class="p">:</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws</span>
<a id="__codelineno-25-3" name="__codelineno-25-3" href="#__codelineno-25-3"></a><span class="nt">serviceAccount</span><span class="p">:</span>
<a id="__codelineno-25-4" name="__codelineno-25-4" href="#__codelineno-25-4"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-25-5" name="__codelineno-25-5" href="#__codelineno-25-5"></a><span class="w"> </span><span class="nt">eks.amazonaws.com/role-arn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::${ACCOUNT_ID}:role/${EXTERNALDNS_ROLE_NAME:-&quot;external-dns&quot;}</span>
</code></pre></div>
<p>If you need to provide credentials directly using a secret (ie. You&rsquo;re not using EKS), you can change the <code>values.yaml</code> file to include volume and volume mounts.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="nt">provider</span><span class="p">:</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws</span>
<a id="__codelineno-26-3" name="__codelineno-26-3" href="#__codelineno-26-3"></a><span class="nt">env</span><span class="p">:</span>
<a id="__codelineno-26-4" name="__codelineno-26-4" href="#__codelineno-26-4"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">AWS_SHARED_CREDENTIALS_FILE</span>
<a id="__codelineno-26-5" name="__codelineno-26-5" href="#__codelineno-26-5"></a><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/aws/credentials/my_credentials</span>
<a id="__codelineno-26-6" name="__codelineno-26-6" href="#__codelineno-26-6"></a><span class="nt">extraVolumes</span><span class="p">:</span>
<a id="__codelineno-26-7" name="__codelineno-26-7" href="#__codelineno-26-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-credentials</span>
<a id="__codelineno-26-8" name="__codelineno-26-8" href="#__codelineno-26-8"></a><span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
<a id="__codelineno-26-9" name="__codelineno-26-9" href="#__codelineno-26-9"></a><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-dns</span><span class="w"> </span><span class="c1"># In this example, the secret will have the data stored in a key named `my_credentials`</span>
<a id="__codelineno-26-10" name="__codelineno-26-10" href="#__codelineno-26-10"></a><span class="nt">extraVolumeMounts</span><span class="p">:</span>
<a id="__codelineno-26-11" name="__codelineno-26-11" href="#__codelineno-26-11"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-credentials</span>
<a id="__codelineno-26-12" name="__codelineno-26-12" href="#__codelineno-26-12"></a><span class="w"> </span><span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/aws/credentials</span>
<a id="__codelineno-26-13" name="__codelineno-26-13" href="#__codelineno-26-13"></a><span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</code></pre></div>
<p>When ready, update your Helm installation:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a>helm<span class="w"> </span>upgrade<span class="w"> </span>--install<span class="w"> </span>external-dns<span class="w"> </span>external-dns/external-dns<span class="w"> </span>--values<span class="w"> </span>values.yaml
</code></pre></div>
<h2 id="arguments">Arguments<a class="headerlink" href="#arguments" title="Permanent link">&para;</a></h2>
<p>This list is not the full list, but a few arguments that where chosen.</p>
<h3 id="aws-zone-type">aws-zone-type<a class="headerlink" href="#aws-zone-type" title="Permanent link">&para;</a></h3>
<p><code>aws-zone-type</code> allows filtering for private and public zones</p>
<h2 id="annotations">Annotations<a class="headerlink" href="#annotations" title="Permanent link">&para;</a></h2>
<p>Annotations which are specific to AWS.</p>
<h3 id="alias">alias<a class="headerlink" href="#alias" title="Permanent link">&para;</a></h3>
<p><code>external-dns.alpha.kubernetes.io/alias</code> if set to <code>true</code> on an ingress, it will create two ALIAS records (one &lsquo;A&rsquo; for IPv4 and one &lsquo;AAAA&rsquo; for IPv6) when the target is an ALIAS as well.<br />
To make the target an alias, the ingress needs to be configured correctly as described in <a href="../gke-nginx/#with-a-separate-tcp-load-balancer">the docs</a>.<br />
In particular, the argument <code>--publish-service=default/nginx-ingress-controller</code> has to be set on the <code>nginx-ingress-controller</code> container.<br />
If one uses the <code>nginx-ingress</code> Helm chart, this flag can be set with the <code>controller.publishService.enabled</code> configuration option.</p>
<h3 id="target-hosted-zone">target-hosted-zone<a class="headerlink" href="#target-hosted-zone" title="Permanent link">&para;</a></h3>
<p><code>external-dns.alpha.kubernetes.io/aws-target-hosted-zone</code> can optionally be set to the ID of a Route53 hosted zone. This will force external-dns to use the specified hosted zone when creating an ALIAS target.</p>
<h3 id="aws-zone-match-parent">aws-zone-match-parent<a class="headerlink" href="#aws-zone-match-parent" title="Permanent link">&para;</a></h3>
<p><code>aws-zone-match-parent</code> allows support subdomains within the same zone by using their parent domain, i.e &ndash;domain-filter=x.example.com would create a DNS entry for x.example.com (and subdomains thereof).</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="c1">## hosted zone domain: example.com</span>
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a><span class="l l-Scalar l-Scalar-Plain">--domain-filter=x.example.com,example.com</span>
<a id="__codelineno-28-3" name="__codelineno-28-3" href="#__codelineno-28-3"></a><span class="l l-Scalar l-Scalar-Plain">--aws-zone-match-parent</span>
</code></pre></div>
<h2 id="verify-externaldns-works-service-example">Verify ExternalDNS works (Service example)<a class="headerlink" href="#verify-externaldns-works-service-example" title="Permanent link">&para;</a></h2>
<p>Create the following sample application to test that ExternalDNS works.</p>
<blockquote>
<p>For services ExternalDNS will look for the annotation <code>external-dns.alpha.kubernetes.io/hostname</code> on the service and use the corresponding value.<br />
If you want to give multiple names to service, you can set it to external-dns.alpha.kubernetes.io/hostname with a comma <code>,</code> separator.</p>
</blockquote>
<p>For this verification phase, you can use default or another namespace for the nginx demo, for example:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="nv">NGINXDEMO_NS</span><span class="o">=</span><span class="s2">&quot;nginx&quot;</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a>kubectl<span class="w"> </span>get<span class="w"> </span>namespaces<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-q<span class="w"> </span><span class="nv">$NGINXDEMO_NS</span><span class="w"> </span><span class="o">||</span><span class="w"> </span>kubectl<span class="w"> </span>create<span class="w"> </span>namespace<span class="w"> </span><span class="nv">$NGINXDEMO_NS</span>
</code></pre></div>
<p>Save the following manifest below as <code>nginx.yaml</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
<a id="__codelineno-30-3" name="__codelineno-30-3" href="#__codelineno-30-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-30-4" name="__codelineno-30-4" href="#__codelineno-30-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-5" name="__codelineno-30-5" href="#__codelineno-30-5"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-30-6" name="__codelineno-30-6" href="#__codelineno-30-6"></a><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx.example.com</span>
<a id="__codelineno-30-7" name="__codelineno-30-7" href="#__codelineno-30-7"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-30-8" name="__codelineno-30-8" href="#__codelineno-30-8"></a><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">LoadBalancer</span>
<a id="__codelineno-30-9" name="__codelineno-30-9" href="#__codelineno-30-9"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<a id="__codelineno-30-10" name="__codelineno-30-10" href="#__codelineno-30-10"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-30-11" name="__codelineno-30-11" href="#__codelineno-30-11"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span>
<a id="__codelineno-30-12" name="__codelineno-30-12" href="#__codelineno-30-12"></a><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-30-13" name="__codelineno-30-13" href="#__codelineno-30-13"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-30-14" name="__codelineno-30-14" href="#__codelineno-30-14"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-15" name="__codelineno-30-15" href="#__codelineno-30-15"></a><span class="nn">---</span>
<a id="__codelineno-30-16" name="__codelineno-30-16" href="#__codelineno-30-16"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<a id="__codelineno-30-17" name="__codelineno-30-17" href="#__codelineno-30-17"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<a id="__codelineno-30-18" name="__codelineno-30-18" href="#__codelineno-30-18"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-30-19" name="__codelineno-30-19" href="#__codelineno-30-19"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-20" name="__codelineno-30-20" href="#__codelineno-30-20"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-30-21" name="__codelineno-30-21" href="#__codelineno-30-21"></a><span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<a id="__codelineno-30-22" name="__codelineno-30-22" href="#__codelineno-30-22"></a><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
<a id="__codelineno-30-23" name="__codelineno-30-23" href="#__codelineno-30-23"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-24" name="__codelineno-30-24" href="#__codelineno-30-24"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span>
<a id="__codelineno-30-25" name="__codelineno-30-25" href="#__codelineno-30-25"></a><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-30-26" name="__codelineno-30-26" href="#__codelineno-30-26"></a><span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<a id="__codelineno-30-27" name="__codelineno-30-27" href="#__codelineno-30-27"></a><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-28" name="__codelineno-30-28" href="#__codelineno-30-28"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-30-29" name="__codelineno-30-29" href="#__codelineno-30-29"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<a id="__codelineno-30-30" name="__codelineno-30-30" href="#__codelineno-30-30"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-31" name="__codelineno-30-31" href="#__codelineno-30-31"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-30-32" name="__codelineno-30-32" href="#__codelineno-30-32"></a><span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<a id="__codelineno-30-33" name="__codelineno-30-33" href="#__codelineno-30-33"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-30-34" name="__codelineno-30-34" href="#__codelineno-30-34"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span>
</code></pre></div>
<p>Deploy the nginx deployment and service with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--filename<span class="w"> </span>nginx.yaml<span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">NGINXDEMO_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
</code></pre></div>
<p>Verify that the load balancer was allocated with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a>kubectl<span class="w"> </span>get<span class="w"> </span>service<span class="w"> </span>nginx<span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">NGINXDEMO_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
</code></pre></div>
<p>This should show something like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a>NAME<span class="w"> </span>TYPE<span class="w"> </span>CLUSTER-IP<span class="w"> </span>EXTERNAL-IP<span class="w"> </span>PORT<span class="o">(</span>S<span class="o">)</span><span class="w"> </span>AGE
<a id="__codelineno-33-2" name="__codelineno-33-2" href="#__codelineno-33-2"></a>nginx<span class="w"> </span>LoadBalancer<span class="w"> </span><span class="m">10</span>.100.47.41<span class="w"> </span>ae11c2360188411e7951602725593fd1-1224345803.eu-central-1.elb.amazonaws.com.<span class="w"> </span><span class="m">80</span>:32749/TCP<span class="w"> </span>12m
</code></pre></div>
<p>After roughly two minutes check that a corresponding DNS record for your service that was created.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-34-1" name="__codelineno-34-1" href="#__codelineno-34-1"></a>aws<span class="w"> </span>route53<span class="w"> </span>list-resource-record-sets<span class="w"> </span>--output<span class="w"> </span>json<span class="w"> </span>--hosted-zone-id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-34-2" name="__codelineno-34-2" href="#__codelineno-34-2"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;ResourceRecordSets[?Name == &#39;nginx.example.com.&#39;]|[?Type == &#39;A&#39;]&quot;</span>
</code></pre></div>
<p>This should show something like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-35-1" name="__codelineno-35-1" href="#__codelineno-35-1"></a><span class="p">[</span>
<a id="__codelineno-35-2" name="__codelineno-35-2" href="#__codelineno-35-2"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-35-3" name="__codelineno-35-3" href="#__codelineno-35-3"></a><span class="w"> </span><span class="nt">&quot;Name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;nginx.example.com.&quot;</span><span class="p">,</span>
<a id="__codelineno-35-4" name="__codelineno-35-4" href="#__codelineno-35-4"></a><span class="w"> </span><span class="nt">&quot;Type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;A&quot;</span><span class="p">,</span>
<a id="__codelineno-35-5" name="__codelineno-35-5" href="#__codelineno-35-5"></a><span class="w"> </span><span class="nt">&quot;AliasTarget&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-35-6" name="__codelineno-35-6" href="#__codelineno-35-6"></a><span class="w"> </span><span class="nt">&quot;HostedZoneId&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ZEWFWZ4R16P7IB&quot;</span><span class="p">,</span>
<a id="__codelineno-35-7" name="__codelineno-35-7" href="#__codelineno-35-7"></a><span class="w"> </span><span class="nt">&quot;DNSName&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ae11c2360188411e7951602725593fd1-1224345803.eu-central-1.elb.amazonaws.com.&quot;</span><span class="p">,</span>
<a id="__codelineno-35-8" name="__codelineno-35-8" href="#__codelineno-35-8"></a><span class="w"> </span><span class="nt">&quot;EvaluateTargetHealth&quot;</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span>
<a id="__codelineno-35-9" name="__codelineno-35-9" href="#__codelineno-35-9"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-35-10" name="__codelineno-35-10" href="#__codelineno-35-10"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-35-11" name="__codelineno-35-11" href="#__codelineno-35-11"></a><span class="p">]</span>
</code></pre></div>
<p>Or for IPv6 (AAAA) records:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-36-1" name="__codelineno-36-1" href="#__codelineno-36-1"></a>aws<span class="w"> </span>route53<span class="w"> </span>list-resource-record-sets<span class="w"> </span>--output<span class="w"> </span>json<span class="w"> </span>--hosted-zone-id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-36-2" name="__codelineno-36-2" href="#__codelineno-36-2"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;ResourceRecordSets[?Name == &#39;nginx.example.com.&#39;]|[?Type == &#39;AAAA&#39;]&quot;</span>
</code></pre></div>
<p>This should show something like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-37-1" name="__codelineno-37-1" href="#__codelineno-37-1"></a><span class="p">[</span>
<a id="__codelineno-37-2" name="__codelineno-37-2" href="#__codelineno-37-2"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-37-3" name="__codelineno-37-3" href="#__codelineno-37-3"></a><span class="w"> </span><span class="nt">&quot;Name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;nginx.example.com.&quot;</span><span class="p">,</span>
<a id="__codelineno-37-4" name="__codelineno-37-4" href="#__codelineno-37-4"></a><span class="w"> </span><span class="nt">&quot;Type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;AAAA&quot;</span><span class="p">,</span>
<a id="__codelineno-37-5" name="__codelineno-37-5" href="#__codelineno-37-5"></a><span class="w"> </span><span class="nt">&quot;AliasTarget&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-37-6" name="__codelineno-37-6" href="#__codelineno-37-6"></a><span class="w"> </span><span class="nt">&quot;HostedZoneId&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ZEWFWZ4R16P7IB&quot;</span><span class="p">,</span>
<a id="__codelineno-37-7" name="__codelineno-37-7" href="#__codelineno-37-7"></a><span class="w"> </span><span class="nt">&quot;DNSName&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ae11c2360188411e7951602725593fd1-1224345803.eu-central-1.elb.amazonaws.com.&quot;</span><span class="p">,</span>
<a id="__codelineno-37-8" name="__codelineno-37-8" href="#__codelineno-37-8"></a><span class="w"> </span><span class="nt">&quot;EvaluateTargetHealth&quot;</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span>
<a id="__codelineno-37-9" name="__codelineno-37-9" href="#__codelineno-37-9"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-37-10" name="__codelineno-37-10" href="#__codelineno-37-10"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-37-11" name="__codelineno-37-11" href="#__codelineno-37-11"></a><span class="p">]</span>
</code></pre></div>
<p>IPv6 (AAAA) records are created when ALIAS is enabled even for load balancers that do not have dualstack enabled.<br />
However, Route53 returns empty sets when querying such records, meaning they are harmless and IPv4 will work as normal.</p>
<p>You can also fetch the corresponding text records:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-38-1" name="__codelineno-38-1" href="#__codelineno-38-1"></a>aws<span class="w"> </span>route53<span class="w"> </span>list-resource-record-sets<span class="w"> </span>--output<span class="w"> </span>json<span class="w"> </span>--hosted-zone-id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-38-2" name="__codelineno-38-2" href="#__codelineno-38-2"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;ResourceRecordSets[?Name == &#39;nginx.example.com.&#39;]|[?Type == &#39;TXT&#39;]&quot;</span>
</code></pre></div>
<p>This will show something like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-39-1" name="__codelineno-39-1" href="#__codelineno-39-1"></a><span class="p">[</span>
<a id="__codelineno-39-2" name="__codelineno-39-2" href="#__codelineno-39-2"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-39-3" name="__codelineno-39-3" href="#__codelineno-39-3"></a><span class="w"> </span><span class="nt">&quot;Name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;nginx.example.com.&quot;</span><span class="p">,</span>
<a id="__codelineno-39-4" name="__codelineno-39-4" href="#__codelineno-39-4"></a><span class="w"> </span><span class="nt">&quot;Type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;TXT&quot;</span><span class="p">,</span>
<a id="__codelineno-39-5" name="__codelineno-39-5" href="#__codelineno-39-5"></a><span class="w"> </span><span class="nt">&quot;TTL&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">300</span><span class="p">,</span>
<a id="__codelineno-39-6" name="__codelineno-39-6" href="#__codelineno-39-6"></a><span class="w"> </span><span class="nt">&quot;ResourceRecords&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<a id="__codelineno-39-7" name="__codelineno-39-7" href="#__codelineno-39-7"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-39-8" name="__codelineno-39-8" href="#__codelineno-39-8"></a><span class="w"> </span><span class="nt">&quot;Value&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;\&quot;heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=service/default/nginx\&quot;&quot;</span>
<a id="__codelineno-39-9" name="__codelineno-39-9" href="#__codelineno-39-9"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-39-10" name="__codelineno-39-10" href="#__codelineno-39-10"></a><span class="w"> </span><span class="p">]</span>
<a id="__codelineno-39-11" name="__codelineno-39-11" href="#__codelineno-39-11"></a><span class="w"> </span><span class="p">}</span>
<a id="__codelineno-39-12" name="__codelineno-39-12" href="#__codelineno-39-12"></a><span class="p">]</span>
</code></pre></div>
<p>Note created TXT record alongside ALIAS records. TXT record signifies that the corresponding ALIAS records are managed by ExternalDNS. This makes ExternalDNS safe for running in environments where there are other records managed via other means.</p>
<p>For more information about ALIAS records, see <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html">Choosing between alias and non-alias records</a>.</p>
<p>Let&rsquo;s check that we can resolve this DNS name. We&rsquo;ll ask the nameservers assigned to your zone first.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-40-1" name="__codelineno-40-1" href="#__codelineno-40-1"></a>dig<span class="w"> </span>+short<span class="w"> </span>@ns-5514.awsdns-53.org.<span class="w"> </span>nginx.example.com.
</code></pre></div>
<p>This should return 1+ IP addresses that correspond to the ELB FQDN, i.e. <code>ae11c2360188411e7951602725593fd1-1224345803.eu-central-1.elb.amazonaws.com.</code>.</p>
<p>Next try the public nameservers configured by DNS client on your system:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-41-1" name="__codelineno-41-1" href="#__codelineno-41-1"></a>dig<span class="w"> </span>+short<span class="w"> </span>nginx.example.com.
</code></pre></div>
<p>If you hooked up your DNS zone with its parent zone correctly you can use <code>curl</code> to access your site.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-42-1" name="__codelineno-42-1" href="#__codelineno-42-1"></a>curl<span class="w"> </span>nginx.example.com.
</code></pre></div>
<p>This should show something like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-43-1" name="__codelineno-43-1" href="#__codelineno-43-1"></a><span class="cp">&lt;!DOCTYPE html&gt;</span>
<a id="__codelineno-43-2" name="__codelineno-43-2" href="#__codelineno-43-2"></a><span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;</span>
<a id="__codelineno-43-3" name="__codelineno-43-3" href="#__codelineno-43-3"></a><span class="p">&lt;</span><span class="nt">head</span><span class="p">&gt;</span>
<a id="__codelineno-43-4" name="__codelineno-43-4" href="#__codelineno-43-4"></a><span class="p">&lt;</span><span class="nt">title</span><span class="p">&gt;</span>Welcome to nginx!<span class="p">&lt;/</span><span class="nt">title</span><span class="p">&gt;</span>
<a id="__codelineno-43-5" name="__codelineno-43-5" href="#__codelineno-43-5"></a>...
<a id="__codelineno-43-6" name="__codelineno-43-6" href="#__codelineno-43-6"></a><span class="p">&lt;/</span><span class="nt">head</span><span class="p">&gt;</span>
<a id="__codelineno-43-7" name="__codelineno-43-7" href="#__codelineno-43-7"></a><span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-43-8" name="__codelineno-43-8" href="#__codelineno-43-8"></a><span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Welcome to nginx!<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span>
<a id="__codelineno-43-9" name="__codelineno-43-9" href="#__codelineno-43-9"></a>...
<a id="__codelineno-43-10" name="__codelineno-43-10" href="#__codelineno-43-10"></a><span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-43-11" name="__codelineno-43-11" href="#__codelineno-43-11"></a><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>
</code></pre></div>
<h2 id="verify-externaldns-works-ingress-example">Verify ExternalDNS works (Ingress example)<a class="headerlink" href="#verify-externaldns-works-ingress-example" title="Permanent link">&para;</a></h2>
<p>With the previous <code>deployment</code> and <code>service</code> objects deployed, we can add an <code>ingress</code> object and configure a FQDN value for the <code>host</code> key. The ingress controller will match incoming HTTP traffic, and route it to the appropriate backend service based on the <code>host</code> key.</p>
<blockquote>
<p>For ingress objects ExternalDNS will create a DNS record based on the host specified for the ingress object.</p>
</blockquote>
<p>For this tutorial, we have two endpoints, the service with <code>LoadBalancer</code> type and an ingress. For practical purposes, if an ingress is used, the service type can be changed to <code>ClusterIP</code> as two endpoints are unecessary in this scenario.</p>
<blockquote>
<p>[!IMPORTANT]<br />
This requires that an ingress controller has been installed in your Kubernetes cluster.<br />
EKS does not come with an ingress controller by default. A popular ingress controller is <a href="https://github.com/kubernetes/ingress-nginx/">ingress-nginx</a>, which can be installed by a <a href="https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx">helm chart</a> or by <a href="https://kubernetes.github.io/ingress-nginx/deploy/#aws">manifests</a>.</p>
</blockquote>
<p>Create an ingress resource manifest file named <code>ingress.yaml</code> with the contents below:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-44-1" name="__codelineno-44-1" href="#__codelineno-44-1"></a><span class="nn">---</span>
<a id="__codelineno-44-2" name="__codelineno-44-2" href="#__codelineno-44-2"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span>
<a id="__codelineno-44-3" name="__codelineno-44-3" href="#__codelineno-44-3"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<a id="__codelineno-44-4" name="__codelineno-44-4" href="#__codelineno-44-4"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-44-5" name="__codelineno-44-5" href="#__codelineno-44-5"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-44-6" name="__codelineno-44-6" href="#__codelineno-44-6"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-44-7" name="__codelineno-44-7" href="#__codelineno-44-7"></a><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-44-8" name="__codelineno-44-8" href="#__codelineno-44-8"></a><span class="w"> </span><span class="nt">rules</span><span class="p">:</span>
<a id="__codelineno-44-9" name="__codelineno-44-9" href="#__codelineno-44-9"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">server.example.com</span>
<a id="__codelineno-44-10" name="__codelineno-44-10" href="#__codelineno-44-10"></a><span class="w"> </span><span class="nt">http</span><span class="p">:</span>
<a id="__codelineno-44-11" name="__codelineno-44-11" href="#__codelineno-44-11"></a><span class="w"> </span><span class="nt">paths</span><span class="p">:</span>
<a id="__codelineno-44-12" name="__codelineno-44-12" href="#__codelineno-44-12"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">backend</span><span class="p">:</span>
<a id="__codelineno-44-13" name="__codelineno-44-13" href="#__codelineno-44-13"></a><span class="w"> </span><span class="nt">service</span><span class="p">:</span>
<a id="__codelineno-44-14" name="__codelineno-44-14" href="#__codelineno-44-14"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-44-15" name="__codelineno-44-15" href="#__codelineno-44-15"></a><span class="w"> </span><span class="nt">port</span><span class="p">:</span>
<a id="__codelineno-44-16" name="__codelineno-44-16" href="#__codelineno-44-16"></a><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<a id="__codelineno-44-17" name="__codelineno-44-17" href="#__codelineno-44-17"></a><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span>
<a id="__codelineno-44-18" name="__codelineno-44-18" href="#__codelineno-44-18"></a><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Prefix</span>
</code></pre></div>
<p>When ready, you can deploy this with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-45-1" name="__codelineno-45-1" href="#__codelineno-45-1"></a>kubectl<span class="w"> </span>create<span class="w"> </span>--filename<span class="w"> </span>ingress.yaml<span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">NGINXDEMO_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
</code></pre></div>
<p>Watch the status of the ingress until the ADDRESS field is populated.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-46-1" name="__codelineno-46-1" href="#__codelineno-46-1"></a>kubectl<span class="w"> </span>get<span class="w"> </span>ingress<span class="w"> </span>--watch<span class="w"> </span>--namespace<span class="w"> </span><span class="si">${</span><span class="nv">NGINXDEMO_NS</span><span class="k">:-</span><span class="s2">&quot;default&quot;</span><span class="si">}</span>
</code></pre></div>
<p>You should see something like this:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-47-1" name="__codelineno-47-1" href="#__codelineno-47-1"></a>NAME<span class="w"> </span>CLASS<span class="w"> </span>HOSTS<span class="w"> </span>ADDRESS<span class="w"> </span>PORTS<span class="w"> </span>AGE
<a id="__codelineno-47-2" name="__codelineno-47-2" href="#__codelineno-47-2"></a>nginx<span class="w"> </span>&lt;none&gt;<span class="w"> </span>server.example.com<span class="w"> </span><span class="m">80</span><span class="w"> </span>47s
<a id="__codelineno-47-3" name="__codelineno-47-3" href="#__codelineno-47-3"></a>nginx<span class="w"> </span>&lt;none&gt;<span class="w"> </span>server.example.com<span class="w"> </span>ae11c2360188411e7951602725593fd1-1224345803.eu-central-1.elb.amazonaws.com.<span class="w"> </span><span class="m">80</span><span class="w"> </span>54s
</code></pre></div>
<p>For the ingress test, run through similar checks, but using domain name used for the ingress:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-48-1" name="__codelineno-48-1" href="#__codelineno-48-1"></a><span class="c1"># check records on route53</span>
<a id="__codelineno-48-2" name="__codelineno-48-2" href="#__codelineno-48-2"></a>aws<span class="w"> </span>route53<span class="w"> </span>list-resource-record-sets<span class="w"> </span>--output<span class="w"> </span>json<span class="w"> </span>--hosted-zone-id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span><span class="se">\</span>
<a id="__codelineno-48-3" name="__codelineno-48-3" href="#__codelineno-48-3"></a><span class="w"> </span>--query<span class="w"> </span><span class="s2">&quot;ResourceRecordSets[?Name == &#39;server.example.com.&#39;]&quot;</span>
<a id="__codelineno-48-4" name="__codelineno-48-4" href="#__codelineno-48-4"></a>
<a id="__codelineno-48-5" name="__codelineno-48-5" href="#__codelineno-48-5"></a><span class="c1"># query using a route53 name server</span>
<a id="__codelineno-48-6" name="__codelineno-48-6" href="#__codelineno-48-6"></a>dig<span class="w"> </span>+short<span class="w"> </span>@ns-5514.awsdns-53.org.<span class="w"> </span>server.example.com.
<a id="__codelineno-48-7" name="__codelineno-48-7" href="#__codelineno-48-7"></a><span class="c1"># query using the default name server</span>
<a id="__codelineno-48-8" name="__codelineno-48-8" href="#__codelineno-48-8"></a>dig<span class="w"> </span>+short<span class="w"> </span>server.example.com.
<a id="__codelineno-48-9" name="__codelineno-48-9" href="#__codelineno-48-9"></a>
<a id="__codelineno-48-10" name="__codelineno-48-10" href="#__codelineno-48-10"></a><span class="c1"># connect to the nginx web server through the ingress</span>
<a id="__codelineno-48-11" name="__codelineno-48-11" href="#__codelineno-48-11"></a>curl<span class="w"> </span>server.example.com.
</code></pre></div>
<h2 id="more-service-annotation-options">More service annotation options<a class="headerlink" href="#more-service-annotation-options" title="Permanent link">&para;</a></h2>
<h3 id="custom-ttl">Custom TTL<a class="headerlink" href="#custom-ttl" title="Permanent link">&para;</a></h3>
<p>The default DNS record TTL (Time-To-Live) is 300 seconds. You can customize this value by setting the annotation <code>external-dns.alpha.kubernetes.io/ttl</code>.<br />
e.g., modify the service manifest YAML file above:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-49-1" name="__codelineno-49-1" href="#__codelineno-49-1"></a><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<a id="__codelineno-49-2" name="__codelineno-49-2" href="#__codelineno-49-2"></a><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
<a id="__codelineno-49-3" name="__codelineno-49-3" href="#__codelineno-49-3"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-49-4" name="__codelineno-49-4" href="#__codelineno-49-4"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="__codelineno-49-5" name="__codelineno-49-5" href="#__codelineno-49-5"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-49-6" name="__codelineno-49-6" href="#__codelineno-49-6"></a><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx.example.com</span>
<a id="__codelineno-49-7" name="__codelineno-49-7" href="#__codelineno-49-7"></a><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/ttl</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;60&quot;</span>
<a id="__codelineno-49-8" name="__codelineno-49-8" href="#__codelineno-49-8"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-49-9" name="__codelineno-49-9" href="#__codelineno-49-9"></a><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span>
</code></pre></div>
<p>This will set the DNS record&rsquo;s TTL to 60 seconds.</p>
<h3 id="routing-policies">Routing policies<a class="headerlink" href="#routing-policies" title="Permanent link">&para;</a></h3>
<p>Route53 offers <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html">different routing policies</a>. The routing policy for a record can be controlled with the following annotations:</p>
<ul>
<li><code>external-dns.alpha.kubernetes.io/set-identifier</code>: this <strong>needs</strong> to be set to use any of the following routing policies</li>
</ul>
<p>For any given DNS name, only <strong>one</strong> of the following routing policies can be used:</p>
<ul>
<li>Weighted records: <code>external-dns.alpha.kubernetes.io/aws-weight</code></li>
<li>Latency-based routing: <code>external-dns.alpha.kubernetes.io/aws-region</code></li>
<li>Failover:<code>external-dns.alpha.kubernetes.io/aws-failover</code></li>
<li>Geolocation-based routing:</li>
<li><code>external-dns.alpha.kubernetes.io/aws-geolocation-continent-code</code></li>
<li><code>external-dns.alpha.kubernetes.io/aws-geolocation-country-code</code></li>
<li><code>external-dns.alpha.kubernetes.io/aws-geolocation-subdivision-code</code></li>
<li>Multi-value answer:<code>external-dns.alpha.kubernetes.io/aws-multi-value-answer</code></li>
</ul>
<h3 id="associating-dns-records-with-healthchecks">Associating DNS records with healthchecks<a class="headerlink" href="#associating-dns-records-with-healthchecks" title="Permanent link">&para;</a></h3>
<p>You can configure Route53 to associate DNS records with healthchecks for automated DNS failover using<br />
<code>external-dns.alpha.kubernetes.io/aws-health-check-id: &lt;health-check-id&gt;</code> annotation.</p>
<p>Note: ExternalDNS does not support creating healthchecks, and assumes that <code>&lt;health-check-id&gt;</code> already exists.</p>
<h2 id="canonical-hosted-zones">Canonical Hosted Zones<a class="headerlink" href="#canonical-hosted-zones" title="Permanent link">&para;</a></h2>
<p>When creating ALIAS type records in Route53 it is required that external-dns be aware of the canonical hosted zone in which<br />
the specified hostname is created. External-dns is able to automatically identify the canonical hosted zone for many<br />
hostnames based upon known hostname suffixes which are defined in <a href="https://github.com/kubernetes-sigs/external-dns/blob/master/provider/aws/aws.go#L65">aws.go</a>. If a hostname<br />
does not have a known suffix then the suffix can be added into <code>aws.go</code> or the <a href="#target-hosted-zone">target-hosted-zone annotation</a><br />
can be used to manually define the ID of the canonical hosted zone.</p>
<h2 id="govcloud-caveats">Govcloud caveats<a class="headerlink" href="#govcloud-caveats" title="Permanent link">&para;</a></h2>
<p>Due to the special nature with how Route53 runs in Govcloud, there are a few tweaks in the deployment settings.</p>
<ul>
<li>An Environment variable with name of <code>AWS_REGION</code> set to either <code>us-gov-west-1</code> or <code>us-gov-east-1</code> is required. Otherwise it tries to lookup a region that does not exist in Govcloud and it errors out.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-50-1" name="__codelineno-50-1" href="#__codelineno-50-1"></a><span class="nt">env</span><span class="p">:</span>
<a id="__codelineno-50-2" name="__codelineno-50-2" href="#__codelineno-50-2"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">AWS_REGION</span>
<a id="__codelineno-50-3" name="__codelineno-50-3" href="#__codelineno-50-3"></a><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-gov-west-1</span>
</code></pre></div>
<ul>
<li>Route53 in Govcloud does not allow aliases. Therefore, container args must be set so that it uses CNAMES and a txt-prefix must be set to something. Otherwise, it will try to create a TXT record with the same value than the CNAME itself, which is not allowed.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-51-1" name="__codelineno-51-1" href="#__codelineno-51-1"></a><span class="nt">args</span><span class="p">:</span>
<a id="__codelineno-51-2" name="__codelineno-51-2" href="#__codelineno-51-2"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--aws-prefer-cname</span>
<a id="__codelineno-51-3" name="__codelineno-51-3" href="#__codelineno-51-3"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--txt-prefix={{ YOUR_PREFIX }}</span>
</code></pre></div>
<ul>
<li>The first two changes are needed if you use Route53 in Govcloud, which only supports private zones. There are also no cross account IAM whatsoever between Govcloud and commercial AWS accounts.</li>
<li>If services and ingresses need to make Route 53 entries to an public zone in a commercial account, you will have set env variables of <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code> with a key and secret to the commercial account that has the sufficient rights.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-52-1" name="__codelineno-52-1" href="#__codelineno-52-1"></a><span class="nt">env</span><span class="p">:</span>
<a id="__codelineno-52-2" name="__codelineno-52-2" href="#__codelineno-52-2"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">AWS_ACCESS_KEY_ID</span>
<a id="__codelineno-52-3" name="__codelineno-52-3" href="#__codelineno-52-3"></a><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">XXXXXXXXX</span>
<a id="__codelineno-52-4" name="__codelineno-52-4" href="#__codelineno-52-4"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">AWS_SECRET_ACCESS_KEY</span>
<a id="__codelineno-52-5" name="__codelineno-52-5" href="#__codelineno-52-5"></a><span class="w"> </span><span class="nt">valueFrom</span><span class="p">:</span>
<a id="__codelineno-52-6" name="__codelineno-52-6" href="#__codelineno-52-6"></a><span class="w"> </span><span class="nt">secretKeyRef</span><span class="p">:</span>
<a id="__codelineno-52-7" name="__codelineno-52-7" href="#__codelineno-52-7"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{{</span><span class="w"> </span><span class="nv">YOUR_SECRET_NAME</span><span class="w"> </span><span class="p p-Indicator">}}</span>
<a id="__codelineno-52-8" name="__codelineno-52-8" href="#__codelineno-52-8"></a><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{{</span><span class="w"> </span><span class="nv">YOUR_SECRET_KEY</span><span class="w"> </span><span class="p p-Indicator">}}</span>
</code></pre></div>
<h2 id="dynamodb-registry">DynamoDB Registry<a class="headerlink" href="#dynamodb-registry" title="Permanent link">&para;</a></h2>
<p>The DynamoDB Registry can be used to store dns records metadata. See the <a href="../../registry/dynamodb/">DynamoDB Registry Tutorial</a> for more information.</p>
<h2 id="disable-aaaa-record-creation">Disable AAAA Record Creation<a class="headerlink" href="#disable-aaaa-record-creation" title="Permanent link">&para;</a></h2>
<p>If you would like ExternalDNS to not create AAAA records at all, you can add the following command line parameter: <code>--exclude-record-types=AAAA</code>.<br />
Please be aware, this will disable AAAA record creation even for dualstack enabled load balancers.</p>
<h2 id="clean-up">Clean up<a class="headerlink" href="#clean-up" title="Permanent link">&para;</a></h2>
<p>Make sure to delete all Service objects before terminating the cluster so all load balancers get cleaned up correctly.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-53-1" name="__codelineno-53-1" href="#__codelineno-53-1"></a>kubectl<span class="w"> </span>delete<span class="w"> </span>service<span class="w"> </span>nginx
</code></pre></div>
<p><strong>IMPORTANT</strong> If you attached a policy to the Node IAM Role, then you will want to detach this before deleting the EKS cluster. Otherwise, the role resource will be locked, and the cluster cannot be deleted, especially if it was provisioned by automation like <code>terraform</code> or <code>eksctl</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-54-1" name="__codelineno-54-1" href="#__codelineno-54-1"></a>aws<span class="w"> </span>iam<span class="w"> </span>detach-role-policy<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$NODE_ROLE_NAME</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
</code></pre></div>
<p>If the cluster was provisioned using <code>eksctl</code>, you can delete the cluster with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-55-1" name="__codelineno-55-1" href="#__codelineno-55-1"></a>eksctl<span class="w"> </span>delete<span class="w"> </span>cluster<span class="w"> </span>--name<span class="w"> </span><span class="nv">$EKS_CLUSTER_NAME</span><span class="w"> </span>--region<span class="w"> </span><span class="nv">$EKS_CLUSTER_REGION</span>
</code></pre></div>
<p>Give ExternalDNS some time to clean up the DNS records for you. Then delete the hosted zone if you created one for the testing purpose.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-56-1" name="__codelineno-56-1" href="#__codelineno-56-1"></a>aws<span class="w"> </span>route53<span class="w"> </span>delete-hosted-zone<span class="w"> </span>--id<span class="w"> </span><span class="nv">$ZONE_ID</span><span class="w"> </span><span class="c1"># e.g /hostedzone/ZEWFWZ4R16P7IB</span>
</code></pre></div>
<p>If IAM user credentials were used, you can remove the user with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-57-1" name="__codelineno-57-1" href="#__codelineno-57-1"></a>aws<span class="w"> </span>iam<span class="w"> </span>detach-user-policy<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
<a id="__codelineno-57-2" name="__codelineno-57-2" href="#__codelineno-57-2"></a>
<a id="__codelineno-57-3" name="__codelineno-57-3" href="#__codelineno-57-3"></a><span class="c1"># If static credentials were used</span>
<a id="__codelineno-57-4" name="__codelineno-57-4" href="#__codelineno-57-4"></a>aws<span class="w"> </span>iam<span class="w"> </span>delete-access-key<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span><span class="w"> </span>--access-key-id<span class="w"> </span><span class="nv">$ACCESS_KEY_ID</span>
<a id="__codelineno-57-5" name="__codelineno-57-5" href="#__codelineno-57-5"></a>
<a id="__codelineno-57-6" name="__codelineno-57-6" href="#__codelineno-57-6"></a>aws<span class="w"> </span>iam<span class="w"> </span>delete-user<span class="w"> </span>--user-name<span class="w"> </span><span class="s2">&quot;externaldns&quot;</span>
</code></pre></div>
<p>If IRSA was used, you can remove the IRSA role with:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-58-1" name="__codelineno-58-1" href="#__codelineno-58-1"></a>aws<span class="w"> </span>iam<span class="w"> </span>detach-role-policy<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$IRSA_ROLE</span><span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
<a id="__codelineno-58-2" name="__codelineno-58-2" href="#__codelineno-58-2"></a>aws<span class="w"> </span>iam<span class="w"> </span>delete-role<span class="w"> </span>--role-name<span class="w"> </span><span class="nv">$IRSA_ROLE</span>
</code></pre></div>
<p>Delete any unneeded policies:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-59-1" name="__codelineno-59-1" href="#__codelineno-59-1"></a>aws<span class="w"> </span>iam<span class="w"> </span>delete-policy<span class="w"> </span>--policy-arn<span class="w"> </span><span class="nv">$POLICY_ARN</span>
</code></pre></div>
<h2 id="throttling">Throttling<a class="headerlink" href="#throttling" title="Permanent link">&para;</a></h2>
<p>Route53 has a <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests-route-53">5 API requests per second per account hard quota</a>.<br />
Running several fast polling ExternalDNS instances in a given account can easily hit that limit. Some ways to reduce the request rate include:</p>
<ul>
<li>Reduce the polling loop&rsquo;s synchronization interval at the possible cost of slower change propagation (but see <code>--events</code> below to reduce the impact).</li>
<li><code>--interval=5m</code> (default <code>1m</code>)</li>
<li>Enable a Cache to store the zone records list. It comes with a cost: slower propagation when the zone gets modified from other sources such as the AWS console, terraform, cloudformation or anything similar.</li>
<li><code>--provider-cache-time=15m</code> (default <code>0m</code>)</li>
<li>Trigger the polling loop on changes to K8s objects, rather than only at <code>interval</code> and ensure a minimum of time between events, to have responsive updates with long poll intervals</li>
<li><code>--events</code></li>
<li><code>--min-event-sync-interval=5m</code> (default <code>5s</code>)</li>
<li>Limit the <a href="https://github.com/kubernetes-sigs/external-dns/blob/master/pkg/apis/externaldns/types.go#L364">sources watched</a> when the <code>--events</code> flag is specified to specific types, namespaces, labels, or annotations</li>
<li><code>--source=ingress --source=service</code> - specify multiple times for multiple sources</li>
<li><code>--namespace=my-app</code></li>
<li><code>--label-filter=app in (my-app)</code></li>
<li><code>--ingress-class=nginx-external</code></li>
<li>Limit services watched by type (not applicable to ingress or other types)</li>
<li><code>--service-type-filter=LoadBalancer</code> default <code>all</code></li>
<li>Limit the hosted zones considered</li>
<li><code>--zone-id-filter=ABCDEF12345678</code> - specify multiple times if needed</li>
<li><code>--domain-filter=example.com</code> by domain suffix - specify multiple times if needed</li>
<li><code>--regex-domain-filter=example*</code> by domain suffix but as a regex - overrides domain-filter</li>
<li><code>--exclude-domains=ignore.this.example.com</code> to exclude a domain or subdomain</li>
<li><code>--regex-domain-exclusion=ignore*</code> subtracts it&rsquo;s matches from <code>regex-domain-filter</code>&rsquo;s matches</li>
<li><code>--aws-zone-type=public</code> only sync zones of this type <code>[public|private]</code></li>
<li><code>--aws-zone-tags=owner=k8s</code> only sync zones with this tag</li>
<li>If the list of zones managed by ExternalDNS doesn&rsquo;t change frequently, cache it by setting a TTL.</li>
<li><code>--aws-zones-cache-duration=3h</code> (default <code>0</code> - disabled)</li>
<li>Increase the number of changes applied to Route53 in each batch</li>
<li><code>--aws-batch-change-size=4000</code> (default <code>1000</code>)</li>
<li>Increase the interval between changes</li>
<li><code>--aws-batch-change-interval=10s</code> (default <code>1s</code>)</li>
<li>Introducing some jitter to the pod initialization, so that when multiple instances of ExternalDNS are updated at the same time they do not make their requests on the same second.</li>
</ul>
<p>A simple way to implement randomised startup is with an init container:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-60-1" name="__codelineno-60-1" href="#__codelineno-60-1"></a><span class="nn">...</span>
<a id="__codelineno-60-2" name="__codelineno-60-2" href="#__codelineno-60-2"></a><span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-60-3" name="__codelineno-60-3" href="#__codelineno-60-3"></a><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span>
<a id="__codelineno-60-4" name="__codelineno-60-4" href="#__codelineno-60-4"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">init-jitter</span>
<a id="__codelineno-60-5" name="__codelineno-60-5" href="#__codelineno-60-5"></a><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registry.k8s.io/external-dns/external-dns:v0.17.0</span>
<a id="__codelineno-60-6" name="__codelineno-60-6" href="#__codelineno-60-6"></a><span class="w"> </span><span class="nt">command</span><span class="p">:</span>
<a id="__codelineno-60-7" name="__codelineno-60-7" href="#__codelineno-60-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/bin/sh</span>
<a id="__codelineno-60-8" name="__codelineno-60-8" href="#__codelineno-60-8"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">-c</span>
<a id="__codelineno-60-9" name="__codelineno-60-9" href="#__codelineno-60-9"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&#39;FOR=$((RANDOM</span><span class="nv"> </span><span class="s">%</span><span class="nv"> </span><span class="s">10))s;echo</span><span class="nv"> </span><span class="s">&quot;Sleeping</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">$FOR&quot;;sleep</span><span class="nv"> </span><span class="s">$FOR&#39;</span>
<a id="__codelineno-60-10" name="__codelineno-60-10" href="#__codelineno-60-10"></a><span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<a id="__codelineno-60-11" name="__codelineno-60-11" href="#__codelineno-60-11"></a><span class="nn">...</span>
</code></pre></div>
<h3 id="eks">EKS<a class="headerlink" href="#eks" title="Permanent link">&para;</a></h3>
<p>An effective starting point for EKS with an ingress controller might look like:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-61-1" name="__codelineno-61-1" href="#__codelineno-61-1"></a>--interval<span class="o">=</span>5m
<a id="__codelineno-61-2" name="__codelineno-61-2" href="#__codelineno-61-2"></a>--events
<a id="__codelineno-61-3" name="__codelineno-61-3" href="#__codelineno-61-3"></a>--source<span class="o">=</span>ingress
<a id="__codelineno-61-4" name="__codelineno-61-4" href="#__codelineno-61-4"></a>--domain-filter<span class="o">=</span>example.com
<a id="__codelineno-61-5" name="__codelineno-61-5" href="#__codelineno-61-5"></a>--aws-zones-cache-duration<span class="o">=</span>1h
</code></pre></div>
<h3 id="batch-size-options">Batch size options<a class="headerlink" href="#batch-size-options" title="Permanent link">&para;</a></h3>
<p>After external-dns generates all changes, it will perform a task to group those changes into batches. Each change will be validated against batch-change-size limits.<br />
If at least one of those parameters out of range - the change will be moved to a separate batch.<br />
If the change can&rsquo;t fit into any batch - <em>it will be skipped.</em></p>
<p>There are 3 options to control batch size for AWS provider:</p>
<ul>
<li>Maximum amount of changes added to one batch</li>
<li><code>--aws-batch-change-size</code> (default <code>1000</code>)</li>
<li>Maximum size of changes in bytes added to one batch</li>
<li><code>--aws-batch-change-size-bytes</code> (default <code>32000</code>)</li>
<li>Maximum value count of changes added to one batch</li>
<li><code>aws-batch-change-size-values</code> (default <code>1000</code>)</li>
</ul>
<p><code>aws-batch-change-size</code> can be very useful for throttling purposes and can be set to any value.</p>
<p>Default values for flags <code>aws-batch-change-size-bytes</code> and <code>aws-batch-change-size-values</code> are taken from <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests">AWS documentation</a> for Route53 API.</p>
<blockquote>
<p>[!WARNING]<br />
<strong>You should not change those values until you really have to.</strong><br />
Because those limits are in place, <code>aws-batch-change-size</code> can be set to any value: Even if your batch size is <code>4000</code> records, your change will be split to separate batches due to bytes/values size limits and apply request will be finished without issues.</p>
</blockquote>
<h2 id="using-crd-source-to-manage-dns-records-in-aws">Using CRD source to manage DNS records in AWS<a class="headerlink" href="#using-crd-source-to-manage-dns-records-in-aws" title="Permanent link">&para;</a></h2>
<p>Please refer to the <a href="../../sources/crd/#example">CRD source documentation</a> for more information.</p>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">May 19, 2025</span>
</span>
</aside>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<!--
Copyright (c) 2016-2024 Martin Donath <martin.donath@squidfunk.com>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
-->
<!-- Copyright and theme information -->
<div class="md-copyright">
Made with
<a
href="https://squidfunk.github.io/mkdocs-material/"
target="_blank" rel="noopener"
>
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["content.code.annotate", "navigation.top", "navigation.tracking", "navigation.indexes", "navigation.instant", "navigation.tabs", "navigation.tabs.sticky"], "search": "../../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
<script src="../../../assets/javascripts/bundle.1e8ae164.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink