Kubernetes controller that watches services in managed namespaces and syncs DNS records to bindy (bind9 API).
zonewarden bridges Kubernetes Services to DNS by:
- Watching namespaces labeled with `firestone.io/dns-managed=true`
- Monitoring services within those namespaces
- Syncing service IPs to bind9 zones via the bindy API
This enables automatic DNS registration for services, particularly useful for LoadBalancer services in multi-cluster environments connected via Linkerd.
```
┌─────────────────────────────────────────────────────────────────┐
│                        Workload Cluster                         │
│  ┌─────────────┐    ┌─────────────────┐    ┌─────────────────┐  │
│  │  Namespace  │    │   zonewarden    │    │     Linkerd     │  │
│  │  (labeled)  │───▶│   Controller    │───▶│     (mTLS)      │  │
│  │             │    │                 │    │                 │  │
│  │  Services   │    │  - Watch NS     │    └────────┬────────┘  │
│  └─────────────┘    │  - Watch Svc    │             │           │
│                     │  - Sync DNS     │             │           │
│                     └─────────────────┘             │           │
└─────────────────────────────────────────────────────┼───────────┘
                                                      │
                               ┌──────────────────────┘
                               │ Linkerd Multi-cluster
                               ▼
┌─────────────────────────────────────────────────────────────────┐
│                       k0rdent Mothership                        │
│  ┌─────────────────┐    ┌─────────────────┐                     │
│  │      bindy      │    │      bind9      │                     │
│  │       API       │───▶│    Instances    │                     │
│  │                 │    │                 │                     │
│  └─────────────────┘    └─────────────────┘                     │
└─────────────────────────────────────────────────────────────────┘
```
- Kubernetes cluster with Linkerd service mesh
- bindy deployed in the mothership cluster
- Cross-cluster Linkerd connectivity configured
```bash
kubectl apply -f deploy/crd-servicednsconfig.yaml
kubectl apply -f deploy/deployment.yaml
kubectl label namespace my-app cf.rbccm.com/dns-managed=true
```

```yaml
apiVersion: dns.cf.rbccm.com/v1alpha1
kind: ServiceDNSConfig
metadata:
  name: default
  namespace: my-app
spec:
  zoneRef:
    name: apps.rbccm.com
    namespace: bindy-system
  serviceTypes:
    - LoadBalancer
  recordNameTemplate: "{service}.{namespace}"
```

Any LoadBalancer service in the namespace will automatically get a DNS record:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-api
  namespace: my-app
spec:
  type: LoadBalancer
  ports:
    - port: 443
  selector:
    app: my-api
```

This creates a DNS record: `my-api.my-app.apps.rbccm.com`
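The record name construction shown above, as an added example in Rust (not zonewarden's own code; `render_fqdn` and `is_dns_label` are hypothetical names). It expands the template, appends the zone, and rejects inputs that would yield wildcard, empty, or malformed labels, assuming `{service}` and `{namespace}` are the only placeholders, since those are the only ones this page shows.

```rust
// Added example: hypothetical helpers, not part of the zonewarden code base.

/// True if `label` is an RFC 1123 DNS label: 1-63 characters, lowercase
/// alphanumerics or '-', and no leading or trailing '-'.
fn is_dns_label(label: &str) -> bool {
    !label.is_empty()
        && label.len() <= 63
        && label.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
        && !label.starts_with('-')
        && !label.ends_with('-')
}

/// Expands `{service}` and `{namespace}` in `template` and appends `zone`.
/// Returns Err for anything that is not a well-formed name under the zone.
fn render_fqdn(template: &str, service: &str, namespace: &str, zone: &str) -> Result<String, String> {
    // Validate inputs first so a value cannot smuggle in a placeholder or a dot.
    if !is_dns_label(service) || !is_dns_label(namespace) {
        return Err(format!("invalid service {:?} or namespace {:?}", service, namespace));
    }
    let relative = template
        .replace("{service}", service)
        .replace("{namespace}", namespace);
    // Unknown placeholders, wildcards, empty labels and trailing dots fail here.
    for label in relative.split('.') {
        if !is_dns_label(label) {
            return Err(format!("invalid label {:?} in record name {:?}", label, relative));
        }
    }
    let fqdn = format!("{}.{}", relative, zone.trim_end_matches('.'));
    if fqdn.len() > 253 {
        return Err(format!("record name {:?} exceeds 253 characters", fqdn));
    }
    Ok(fqdn)
}

fn main() {
    // Constructed inputs matching the Service and ServiceDNSConfig shown above.
    let zone = "apps.rbccm.com";
    println!("{:?}", render_fqdn("{service}.{namespace}", "my-api", "my-app", zone));
    // Constructed templates that must not reach the DNS API.
    for bad in ["*.{namespace}", "{service}.{cluster}", "{service}.{namespace}."] {
        println!("{:?} -> {:?}", bad, render_fqdn(bad, "my-api", "my-app", zone));
    }
}
```
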
| Variable | Description | Default |
|---|---|---|
| `BINDY_URL` | URL of the bindy API | `http://bindy-api.bindy-system.svc.cluster.local` |
| `DEFAULT_ZONE` | Default DNS zone if no ServiceDNSConfig exists | (none) |
| `RECORD_TEMPLATE` | Default record name template | `{service}.{namespace}` |
| `LOG_LEVEL` | Logging level | `info` |
| `JSON_LOGS` | Enable JSON structured logging | `false` |

| Field | Description | Default |
|---|---|---|
| `zoneRef.name` | Name of the DNSZone CR | (required) |
| `zoneRef.namespace` | Namespace of the DNSZone | (same namespace) |
| `serviceSelector.matchLabels` | Label selector for services | (all services) |
| `recordNameTemplate` | Template for record names | `{service}.{namespace}` |
| `recordType` | DNS record type (A/CNAME) | `A` |
| `serviceTypes` | Service types to sync | `[LoadBalancer]` |

```bash
# Build locally
cargo build --release
# Build container
docker build -t zonewarden:latest .
```

```bash
# Run tests
cargo test
# Run with local kubeconfig
BINDY_URL=http://localhost:8080 cargo run
# Generate CRD schema
cargo run --bin crdgen > deploy/crd-servicednsconfig.yaml
```

- bindy: Kubernetes-native bind9 management API and controller
- bind9: Authoritative DNS server
Proprietary - RBC Capital Markets