This repository demonstrates a kubernetes installation of the unbound DNSSEC compliant name resolver using docker, kubectl and helm. The repo contains a dockerfile, helm chart and makefile to assist with building the image (if you don't want to just pull it from my hub account) and installing the helm chart into your cluster.

• docker
• kubectl
• helm

In addition you'll obviously need a running kubernetes cluster. The yaml and scripts in kunbound were tested with kubectl 1.7.5 and helm 2.5.0 running against a cluster with master and nodes at 1.7.5 running in Google Container Engine. There are no GKE dependencies so this should work anywhere the above tools work.

kunbound/
  etc/unbound/  - contains the default unbound.conf file for image testing
  kunbound/     - the root directory of the helm chart
  sbin/         - contains the startup script for unbound
  yaml/         - raw yaml for use if you can't/don't use helm
  Dockerfile    - build script for the unbound image
  Makefile      - a GNU makefile to make builds easy

A makefile is included to enable easily building and pushing the image (if needed), and installing the helm chart.

$ make
Build the kunbound image and install the helm chart

Usage: make TARGETS VARS

The following TARGETS are supportedL

image: build the docker image locally
test: test the docker image
no-cache: disable docker layer caching
build: runs image + test
rebuild: runs no-cache + image + test
push: push the image to a repo
release: install/upgrade the chart (dry-run)
apply: use before release to apply changes
all: runs build + push + release
help: display this help

The following VARS are supported

IMAGES_REPO: repository name to push image to
IMAGE_NAME: override default image name
IMAGE_TAG: override default image tag
TEST_HOST: override the default DNS test host
HELM_RELEASE: override the default release name
KUBE_CONTEXT: override the current kube context
VALUES: specify a values file to include
CLUSTER_IP4_CIDR: address range to allow

$ make release VALUES=ZONES CLUSTER_IP4_CIDR=CIDR

This command will run helm against the chart templates and output the resulting yaml without updating anything in the cluster. To actually apply the resources in the cluster:

$ make apply release VALUES=ZONES CLUSTER_IP4_CIDR=CIDR

VALUES

• set to the path of the file which contains your forward zones and upstream resolver addresses.

CLUSTER_IP4_CIDR

• set to the cidr range of the pod network in your cluster to allow requests from pods, without this value the unbound container will only listen on localhost

Example zones file:

forwardZones:
- name: "fake.net"
  forwardHosts:
  - "fake1.host.net"
  - "fake2.host.net"
- name: "stillfake.net"
  forwardIps:
  - "10.10.10.10"
  - "10.11.10.10"

$ make build

$ make rebuild

$ make push IMAGES_REPO=yourrepo

$ make apply all IMAGES_REPO=yourrepo VALUES=zones CLUSTER_IP4_CIDER=cidr

To get kube-dns to forward to a specific upstream for a private DNS zone we can edit its configmap in the kube-system namespace:

apiVersion: v1
data:
 stubDomains: |
 {“DNS_ZONE”: [“RESOLVER_IP”]}
kind: ConfigMap
metadata:
 labels:
 addonmanager.kubernetes.io/mode: EnsureExists
 name: kube-dns
 namespace: kube-system

Set the DNS_ZONE to the domain you want forwarded to unbound, and set RESOLVER_IP to the cluster IP address of the kunbound service that was created when the chart was installed. To find this address run kubectl get svc | grep kunbound. In order to update the configmap first run kubectl get configmap kubedns -n kube-system -oyaml and save the output to a file. Make the edits shown above to add the stubDomains section if it isn't there, and then use kubectl apply -f file_path to update the configmap in the cluster.