README update for external-dns

2026-02-14 17:49:56 +00:00 · 2021-12-05 22:41:56 -05:00
parent a712653f16
commit 1d3ecde5ac
1 changed files with 43 additions and 0 deletions
--- a/external-dns/README.md
+++ b/external-dns/README.md
@@ -17,6 +17,49 @@ kubectl apply -f ../ingress/
 kubectl apply -f service-l4.yaml
 ```

+## Configure kops
+
+Either turn off the Instance metadata service version 2, or enable IRSA (follow steps at https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa).
+
+To disable the Instance Metadata service 2 (easiest option for non-production clusters), run kops edit instancegroup nodes-eu-west-1a --state=... and modify the instanceMetadata (do this for every zone):
+```
+spec:
+  instanceMetadata:
+    httpTokens: optional
+```
+
+If you want to use IRSA, this config can be used during kops edit cluster:
+```
+spec:
+  # enable IRSA
+  serviceAccountIssuerDiscovery:
+    discoveryStore: s3://publicly-readable-store
+    enableAWSOIDCProvider: true
+  # IAM policy for service account with external-dns
+  iam:
+    serviceAccountExternalPermissions: 
+      - name: external-dns 
+        namespace: default 
+        aws: 
+          inlinePolicy: |- 
+            [  
+              {  
+                "Effect": "Allow", 
+                "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"], 
+                "Resource": "*" 
+              }, 
+              {  
+                "Effect": "Allow", 
+                "Action": [ 
+                  "route53:ChangeResourceRecordSets" 
+                ], 
+                "Resource": [ 
+                  "arn:aws:route53:::hostedzone/*" 
+                ] 
+              } 
+            ] 
+```
+
 ## Create external DNS and ingress rules
 ```
 kubectl apply -f external-dns.yaml