Manually update CoreDNS - Container Service for Kubernetes

If the current CoreDNS version is outdated but the Upgrade button for CoreDNS is not displayed on the Add-ons page of the ACK console, you cannot configure the Container Service for Kubernetes (ACK) cluster to automatically update CoreDNS. In this scenario, you can manually update CoreDNS. This topic describes how to manually update CoreDNS.

Prerequisites

A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Update notes

If the load balancing mode of kube-proxy is set to IP Virtual Server (IPVS), all DNS queries within the cluster may fail or time out after CoreDNS is updated. This situation lasts about 5 minutes. You can use one of the following methods to avoid this issue:
- Modify the timeout period for IPVS UDP sessions in the kube-proxy configuration. For more information, see Change the UDP timeout period in IPVS mode.
- Use NodeLocal DNSCache to optimize DNS resolution. For more information, see Use NodeLocal DNSCache to optimize DNS resolution.
ACK requires about 2 minutes to update CoreDNS. The duration varies based on the number of CoreDNS pods. If the newly provisioned CoreDNS pods cannot be scheduled or launched, submit a ticket. DNS resolution is not interrupted because the existing CoreDNS pods are still running.

Query the CoreDNS version

Use the ACK console

Log on to the Container Service for Kubernetes (ACK) console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
In the left-side navigation pane of the cluster details page, choose Workloads > Deployments.
On the Deployments page, set Namespace to kube-system and check the CoreDNS version in the Image column.

Use kubectl

You can run the following command to query the CoreDNS version:

kubectl get deployment coredns -n kube-system -o jsonpath="{.spec.template.spec.containers[0].image}"

Expected output:

registry-vpc.cn-hangzhou.aliyuncs.com/acs/coredns:1.6.2 # Version 1.6.2 is used in this example.

Confirm the update version

Confirm the CoreDNS version to which you want to update. The following table describes the Kubernetes versions that are compatible with CoreDNS. We recommend that you use the latest CoreDNS version that is compatible with the Kubernetes version.

Kubernetes version	CoreDNS version
[1.11, 1.16]	v1.6.2
Versions later than 1.14.8 and earlier than 1.22	v1.6.7 and v1.7.0
Versions later than 1.20.4	v1.8.4 and v1.9.3 Important v1.8.4 and v1.9.3 have muptiple minor versions, such as `v1.8.4.3-644f4735-aliyun` and `v1.9.3.1-5e7ba42d-aliyun`. For more information, see CoreDNS.

Manually update

Use the console

(Optional) Replace the proxy field with the forward field.
The Proxy plug-in was deprecated in CoreDNS v1.6.2. When you upgrade from a version earlier than v1.6.2, you must perform the following steps to manually modify the CoreDNS configuration.
Modify the CoreDNS configuration
1. Log on to the Container Service for Kubernetes (ACK) console.
2. In the left-side navigation pane of the ACK console, click Clusters.
3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
4. In the left-side navigation pane of the cluster details page, choose Configurations > ConfigMaps.
5. In the upper part of the ConfigMap page, set Namespace to kube-system. Then, find the coredns ConfigMap and click Edit YAML in the Actions column.
6. In the View in YAML panel, replace proxy with forward and click OK.
Change the image version of CoreDNS.
1. Log on to the Container Service for Kubernetes (ACK) console.
2. In the left-side navigation pane of the ACK console, click Clusters.
3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
4. In the left-side navigation pane of the cluster details page, choose Workloads > Deployments.
5. In the upper part of the Deployments page, set Namespace to kube-system. Then, find coredns and choose More > View in YAML in the Actions column.
6. In the Edit YAML dialog box, change the version number in the image field. Then, click Update.

Verify the update.

Run the following command to query the CoreDNS version:

kubectl get deployment coredns -n kube-system -o jsonpath="{.spec.template.spec.containers[0].image}"

Expected output:

registry-cn-shanghai-vpc.ack.aliyuncs.com/acs/coredns:v1.9.3.10-5e7ba42d-aliyun

Run the following command to check whether all CoreDNS pods in the cluster are in the Running state:

kubectl get pods -n kube-system | grep coredns

Expected output:

coredns-78d4b8****-6g62w                           1/1     Running   0          9d
coredns-78d4b8****-n6wjm                           1/1     Running   0          9d

Use kubectl

(Optional) Replace the proxy field with the forward field.
The Proxy plug-in was deprecated in CoreDNS v1.6.2. When you upgrade from a version earlier than v1.6.2 to v1.6.2 or later, you must perform the following steps to manually modify the CoreDNS configuration.
Modify the CoreDNS configuration
1. Run the following command to replace proxy with forward in the CoreDNS configuration file, save the configuration file, and then exit.
```
kubectl edit configmap/coredns -n kube-system
```
2. Run the following command to query the log of a CoreDNS pod to check whether the new configuration is loaded.
```
kubectl logs coredns-78d4b8bd88-n6wjm -n kube-system
```
  If the output includes plugin/reload, it indicates that the CoreDNS configuration is loaded. Expected output:
```
.:53
[INFO] plugin/reload: Running configuration MD5 = 71c5f1ff539d304c630521f315dc2ac2
CoreDNS-1.6.7
linux/amd64, go1.13.6, da7f65b
[INFO] 127.0.0.1:48329 - 42313 "HINFO IN 1108347002237365533.4506541768939609094. udp 57 false 512" NXDOMAIN qr,rd,ra 132 0.008874794s
```
Run the following command to change the version number in the image field in the CoreDNS configuration file, save the configuration file, and then exit.
```
kubectl edit deployment/coredns -n kube-system
```

Verify the update.

Run the following command to query the CoreDNS version:

kubectl get deployment coredns -n kube-system -o jsonpath="{.spec.template.spec.containers[0].image}"

Expected output:

registry-cn-shanghai-vpc.ack.aliyuncs.com/acs/coredns:v1.9.3.10-5e7ba42d-aliyun

Run the following command to check whether all CoreDNS pods in the cluster are in the Running state:

kubectl get pods -n kube-system | grep coredns

Expected output:

coredns-78d4b8****-6g62w                           1/1     Running   0          9d
coredns-78d4b8****-n6wjm                           1/1     Running   0          9d

Change the UDP timeout period in IPVS mode

If kube-proxy runs in IPVS mode, DNS resolution may fail in the first 5 minutes after CoreDNS is updated due to the session persistence policy of IPVS. You can use one of the following methods to reduce the timeout period of UDP sessions in IPVS mode to 10 seconds. This way, less DNS resolution errors occur after CoreDNS is updated. If applications that use UDP are deployed in your cluster, evaluate the impact on these applications before you update CoreDNS. You can also submit a ticket to request technical support.

Note

If kube-proxy does not run in IPVS mode, you do not need to change the timeout period of UDP sessions. For more information about how to check the load balancing mode of kube-proxy, see View basic information.

ACK clusters that run Kubernetes 1.18 or later

Use the ACK console

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose Configurations > ConfigMaps.
On the ConfigMap page, select the kube-system namespace, find the kube-proxy-worker ConfigMap, and then click Edit YAML in the Actions column.

In the View in YAML panel, add udpTimeout: 10s to the ipvs field and click OK.

apiVersion: v1
data:
  config.conf: |
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    # Irrelevant fields are not shown. 
    mode: ipvs
    # If the ipvs field does not exist, you must add the field. 
    ipvs:
      udpTimeout: 10s

Recreate all of the pods named kube-proxy-worker.
1. In the left-side navigation pane of the details page, choose Workloads > DaemonSets.
2. On the DaemonSets page, find and click kube-proxy-worker.
3. On the Pods tab of the kube-proxy-worker page, select a pod and choose More > Delete in the Actions column. In the message that appears, click Confirm.
  Repeat the preceding steps to delete all of the pods. After you delete the pods, the system automatically recreates the pods.
Check whether the timeout period of UDP sessions is changed.
1. Run the following command to install ipvsadm.
  ipvsadm is a tool that you can use to manage IPVS. For more information, see ipvsadm.
```
yum install -y ipvsadm
```
2. Log on to an Elastic Compute Service (ECS) instance in your cluster and then run the following command to check the third value in the output:
```
ipvsadm -L --timeout
```
  If the third value in the output is 10, the timeout period of UDP sessions is changed.
  Note
  After the timeout period of UDP sessions is changed, wait at least 5 minutes before you proceed.

Use the CLI

Run the following command to modify the kube-proxy-worker ConfigMap:
```
kubectl -n kube-system edit configmap kube-proxy-worker
```

Add udpTimeout: 10s to the ipvs field of the kube-proxy-worker ConfigMap. Then, save the modification and exit.

apiVersion: v1
data:
  config.conf: |
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    # Irrelevant fields are not shown. 
    mode: ipvs
    # If the ipvs field does not exist, you must add the field. 
    ipvs:
      udpTimeout: 10s

Run the following command to recreate all of the pods named kube-proxy-worker.
1. Run the following command to query the pods:
```
kubectl -n kube-system get pod -o wide | grep kube-proxy-worker
```
2. Run the following command to delete all of the pods that are returned in the preceding step. Then, the system recreates the pods named kube-proxy-worker.
```
kubectl -n kube-system delete pod <kube-proxy-worker-****>
```
  Note
  Replace <kube-proxy-worker-****> with the name of a pod that is returned in the preceding step.
Check whether the timeout period of UDP sessions is changed.
1. Run the following command to install ipvsadm.
  ipvsadm is a tool that you can use to manage IPVS. For more information, see ipvsadm.
```
yum install -y ipvsadm
```
2. Log on to an Elastic Compute Service (ECS) instance in your cluster and then run the following command to check the third value in the output:
```
ipvsadm -L --timeout
```
  If the third value in the output is 10, the timeout period of UDP sessions is changed.
  Note
  After the timeout period of UDP sessions is changed, wait at least 5 minutes before you proceed.

ACK clusters that run Kubernetes 1.16 or earlier

kube-proxy in an ACK cluster that runs Kubernetes 1.16 or an earlier version does not support the udpTimeout parameter. To change the timeout period of UDP sessions, we recommend that you use OOS to run the following ipvsadm commands on all ECS instances in the cluster at the same time:

sudo yum install -y ipvsadm
sudo ipvsadm -L --timeout > /tmp/ipvsadm_timeout_old
sudo ipvsadm --set 900 120 10
sudo ipvsadm -L --timeout > /tmp/ipvsadm_timeout_new
diff /tmp/ipvsadm_timeout_old /tmp/ipvsadm_timeout_new

For more information about how to use OOS to manage multiple ECS instances at the same time, see Manage multiple instances at a time.

What to do next

After CoreDNS is updated, you can optimize the configurations of CoreDNS based on your business requirements. For more information, see Properly configure CoreDNS.