Use externalTrafficPolicy: Local on the DNS services
Preserves client source IPs so the authoritative/resolver source-IP ACLs actually apply to external clients (Cluster SNATs them to node IPs). - externalTrafficPolicy: Local on bind-authoritative/resolvers/externaldns - bump operator to v0.1.5 (CRD link + image) for the new service field
This commit is contained in:
@@ -18,6 +18,7 @@ spec:
|
|||||||
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
|
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
|
||||||
service:
|
service:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
|
externalTrafficPolicy: Local
|
||||||
annotations:
|
annotations:
|
||||||
purelb.io/service-group: common
|
purelb.io/service-group: common
|
||||||
purelb.io/addresses: 198.18.200.6
|
purelb.io/addresses: 198.18.200.6
|
||||||
|
|||||||
@@ -14,6 +14,7 @@ spec:
|
|||||||
storageSize: 1Gi
|
storageSize: 1Gi
|
||||||
service:
|
service:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
|
externalTrafficPolicy: Local
|
||||||
annotations:
|
annotations:
|
||||||
purelb.io/service-group: common
|
purelb.io/service-group: common
|
||||||
purelb.io/addresses: 198.18.200.8
|
purelb.io/addresses: 198.18.200.8
|
||||||
|
|||||||
@@ -13,6 +13,7 @@ spec:
|
|||||||
storageSize: 1Gi
|
storageSize: 1Gi
|
||||||
service:
|
service:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
|
externalTrafficPolicy: Local
|
||||||
annotations:
|
annotations:
|
||||||
purelb.io/service-group: common
|
purelb.io/service-group: common
|
||||||
purelb.io/addresses: 198.18.200.7
|
purelb.io/addresses: 198.18.200.7
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ spec:
|
|||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
containers:
|
containers:
|
||||||
- name: operator
|
- name: operator
|
||||||
image: git.unkin.net/unkin/bind-operator:v0.1.4
|
image: git.unkin.net/unkin/bind-operator:v0.1.5
|
||||||
args:
|
args:
|
||||||
- --metrics-bind-address=:8080
|
- --metrics-bind-address=:8080
|
||||||
- --health-probe-bind-address=:8081
|
- --health-probe-bind-address=:8081
|
||||||
|
|||||||
@@ -6,6 +6,6 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
||||||
# vendored here, so they never drift from the operator.
|
# vendored here, so they never drift from the operator.
|
||||||
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.3/config/crd/install.yaml
|
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.5/config/crd/install.yaml
|
||||||
- rbac.yaml
|
- rbac.yaml
|
||||||
- deployment.yaml
|
- deployment.yaml
|
||||||
|
|||||||
Reference in New Issue
Block a user