Always create required dnsmasq resources

kfr2 · kfr2 · commit d9906dfb8a6a · 2020-09-08T06:58:32.000-04:00
The dnsmasq-node ServiceAccount must exist whether or not CoreDNS-local
has been enabled. Therefore, it is created alongside the DaemonSet rather
than as part of the coredns-local manifest.

Additionally, always create dnsmasq-node-coredns-local.yaml If this file
does not exist (as would be the case if the CoreDNS local feature has
not been enabled), controller nodes will fail to come up with the error:
&gt; error: the path "/srv/kubernetes/manifests/dnsmasq-node-coredns-local.yaml" does not exist
This is caused when `kubectl delete` is called against the file because
of the line `remove "${mfdir}/dnsmasq-node-coredns-local.yaml`.

This manifest must always be generated because the CoreDNS-local
feature cannot be enabled and then later disabled without otherwise
requiring manual operator intervention.
diff --git a/builtin/files/userdata/cloud-config-controller b/builtin/files/userdata/cloud-config-controller
@@ -5479,51 +5479,8 @@ write_files:
                 - --v=2
                 - --logtostderr
 
-{{ if and .KubeDns.NodeLocalResolver .KubeDns.DNSMasq.CoreDNSLocal.Enabled }}
   - path: /srv/kubernetes/manifests/dnsmasq-node-coredns-local.yaml
     content: |
-        apiVersion: v1
-        kind: ServiceAccount
-        metadata:
-          name: dnsmasq
-          namespace: kube-system
-        ---
-        apiVersion: rbac.authorization.k8s.io/v1
-        kind: ClusterRole
-        metadata:
-          name: dnsmasq
-        rules:
-          - apiGroups: [""]
-            resources: ["endpoints", "services", "pods", "namespaces"]
-            verbs: ["list", "watch"]
-        ---
-        apiVersion: rbac.authorization.k8s.io/v1
-        kind: ClusterRoleBinding
-        metadata:
-          name: dnsmasq
-        roleRef:
-          apiGroup: rbac.authorization.k8s.io
-          kind: ClusterRole
-          name: dnsmasq
-        subjects:
-          - kind: ServiceAccount
-            name: dnsmasq
-            namespace: kube-system
-        ---
-        apiVersion: rbac.authorization.k8s.io/v1
-        kind: RoleBinding
-        metadata:
-          name: dnsmasq-privileged-psp
-          namespace: kube-system
-        roleRef:
-          apiGroup: rbac.authorization.k8s.io
-          kind: ClusterRole
-          name: privileged-psp
-        subjects:
-          - kind: ServiceAccount
-            name: dnsmasq
-            namespace: kube-system
-        ---
         apiVersion: v1
         kind: ConfigMap
         metadata:
@@ -5556,11 +5513,52 @@ write_files:
                 cache 30
                 reload
             }
-{{ end }}
 
 {{ if .KubeDns.NodeLocalResolver }}
   - path: /srv/kubernetes/manifests/dnsmasq-node-ds.yaml
     content: |
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: dnsmasq
+        namespace: kube-system
+      ---
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: dnsmasq
+      rules:
+        - apiGroups: [""]
+          resources: ["endpoints", "services", "pods", "namespaces"]
+          verbs: ["list", "watch"]
+      ---
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: dnsmasq
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: dnsmasq
+      subjects:
+        - kind: ServiceAccount
+          name: dnsmasq
+          namespace: kube-system
+      ---
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: dnsmasq-privileged-psp
+        namespace: kube-system
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: privileged-psp
+      subjects:
+        - kind: ServiceAccount
+          name: dnsmasq
+          namespace: kube-system
+      ---
       apiVersion: apps/v1
       kind: DaemonSet
       metadata:
