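---
# CoreDNS for in-cluster DNS: ConfigMap (Corefile), dedicated ServiceAccount,
# read-only RBAC, ClusterIP Service and Deployment.
# None of the namespaced objects sets metadata.namespace, while the
# ClusterRoleBinding subject names kube-system, so the manifest has to be
# applied into kube-system for the RBAC grant to reach the CoreDNS pod.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  labels:
    k8s-app: coredns
data:
  # Review notes on the Corefile are kept out here: text inside the block
  # scalar becomes part of the served config and of anything hashed from it.
  #  - `pods insecure` answers pod-IP names without checking that a pod with
  #    that IP exists; `pods verified` is the stricter mode and relies on the
  #    pods list/watch rule granted below.
  #  - `prometheus 0.0.0.0:9153` serves metrics on every pod interface. The
  #    Service below does not publish 9153, so reachability is limited only
  #    by pod-network policy.
  #  - `forward . /etc/resolv.conf` relies on dnsPolicy: Default in the
  #    Deployment so the file holds the node's upstream resolvers; `loop`
  #    is the guard if it ever points back at this server.
  Corefile: |-
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus 0.0.0.0:9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
---
# Dedicated identity for CoreDNS. Binding the ClusterRole to the namespace's
# `default` ServiceAccount would hand cluster-wide list/watch on pods,
# services, endpoints and namespaces to every pod in that namespace that
# does not set its own serviceAccountName.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  labels:
    k8s-app: coredns
---
# Read-only (list/watch) access to the objects the kubernetes plugin serves
# records for. No write verbs and no access to secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: coredns
  labels:
    k8s-app: coredns
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - services
      - pods
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: coredns
  labels:
    k8s-app: coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: coredns
subjects:
  # Scoped to the CoreDNS ServiceAccount only (was: default).
  - kind: ServiceAccount
    name: coredns
    namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  name: coredns
  labels:
    k8s-app: coredns
spec:
  selector:
    k8s-app: coredns
  ports:
    - name: udp-53
      port: 53
      protocol: UDP
    - name: tcp-53
      port: 53
      protocol: TCP
  type: ClusterIP
  # Fixed address; presumably the one kubelet hands to pods as --cluster-dns.
  clusterIP: 10.32.0.10
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  labels:
    k8s-app: coredns
spec:
  # NOTE(review): one replica with maxUnavailable: 1 lets a rollout take
  # cluster DNS to zero ready pods; values kept as the author set them.
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 25%
  selector:
    matchLabels:
      k8s-app: coredns
  template:
    metadata:
      labels:
        k8s-app: coredns
      annotations:
        # Presumably a hash of the rendered ConfigMap, used to roll the pods
        # when the Corefile changes; regenerate it with the templating tool
        # rather than by hand.
        checksum/config: '158d059c22a85c971e58da7eb18cd7fdf4ddd759f217f75f61d7d1a82e1167e6'
        # Legacy alpha annotations, kept unchanged. Current Kubernetes
        # releases express these as spec.priorityClassName and
        # spec.tolerations; confirm whether the target cluster still reads
        # the annotations.
        scheduler.alpha.kubernetes.io/critical-pod: ""
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
    spec:
      terminationGracePeriodSeconds: 30
      serviceAccountName: coredns
      # Default = inherit the node's resolv.conf, which is what the Corefile
      # forwards to.
      dnsPolicy: Default
      containers:
        - name: "coredns"
          # Tag reference; pin by digest if the registry policy requires
          # immutable images.
          image: "coredns/coredns:1.10.1"
          imagePullPolicy: IfNotPresent
          args: ["-conf", "/etc/coredns/Corefile"]
          volumeMounts:
            - name: config-volume
              mountPath: /etc/coredns
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 128Mi
          ports:
            - containerPort: 53
              name: udp-53
              protocol: UDP
            - containerPort: 53
              name: tcp-53
              protocol: TCP
            - containerPort: 9153
              name: tcp-9153
              protocol: TCP
          # 8080 and 8181 are the CoreDNS default listen ports for the
          # `health` and `ready` plugins; the Corefile does not override them.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /ready
              port: 8181
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 5
          securityContext:
            # The only privilege CoreDNS needs is binding port 53, so every
            # other capability is dropped, privilege escalation is blocked
            # and the root filesystem is read-only (the config arrives via
            # the ConfigMap volume).
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
      volumes:
        - name: config-volume
          configMap:
            name: coredns
            items:
              - key: Corefile
                path: Corefile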